Remove old version docs

website/content/api-docs/auth/jwt.mdx

@@ -34,7 +34,7 @@ set.
 - `oidc_discovery_ca_pem` `(string: <optional>)` - The contents of a CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used.
 - `oidc_client_id` `(string: <optional>)` - The OAuth Client ID from the provider for OIDC roles.
 - `oidc_client_secret` `(string: <optional>)` - The OAuth Client Secret from the provider for OIDC roles.
-- `oidc_response_mode` `(string: <optional>)` - The response mode to be used in the OAuth2 request. Allowed values are "query" and "form_post". Defaults to "query". If using Vault namespaces, and oidc_response_mode is "form_post", then "namespace_in_state" should be set to false.
+- `oidc_response_mode` `(string: <optional>)` - The response mode to be used in the OAuth2 request. Allowed values are "query" and "form_post". Defaults to "query".
 - `oidc_response_types` `(comma-separated string, or array of strings: <optional>)` - The response types to request. Allowed values are "code" and "id_token". Defaults to "code".
   Note: "id_token" may only be used if "oidc_response_mode" is set to "form_post".
 - `jwks_url` `(string: <optional>)` - JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".

website/content/api-docs/secret/databases/cassandra.mdx

@@ -207,12 +207,3 @@ list the plugin does not support that statement type.
   serialized JSON string array, or a base64-encoded serialized JSON string
   array. The `{{username}}` value will be substituted. If not provided, defaults to
   a reasonable default alter user statement.
-
-~> Prior to Vault 1.7.1 and 1.6.4 the default `root_rotation_statements` does not
-  allow for usernames with special characters in them due to missing quotes
-  around the username. To fix this issue in versions prior to Vault 1.7.1/1.6.4,
-  specify the following `root_rotation_statements`:
-
-  ```sql
-  ALTER USER '{{username}}' WITH PASSWORD '{{password}}';
-  ```

website/content/api-docs/secret/identity/mfa/duo.mdx

@@ -17,7 +17,7 @@ This endpoint defines an MFA method of type Duo.
 
 - `method_id` `(string: "")` - Optional UUID to specify if updating an existing method.
 
-- `method_name` `(string)` - The unique name identifier for this MFA method. Supported from Vault 1.13.0.
+- `method_name` `(string)` - The unique name identifier for this MFA method.
 
 - `username_format` `(string)` - A template string for mapping Identity names to MFA methods. Values to substitute should be placed in `{{}}`. For example, `"{{identity.entity.name}}"`. If blank, the Entity's Name field is used as-is.
 

website/content/api-docs/secret/identity/mfa/okta.mdx

@@ -17,7 +17,7 @@ This endpoint defines an MFA method of type Okta.
 
 - `method_id` `(string: "")` - Optional UUID to specify if updating an existing method.
 
-- `method_name` `(string)` - The unique name identifier for this MFA method. Supported from Vault 1.13.0.
+- `method_name` `(string)` - The unique name identifier for this MFA method.
 
 - `username_format` `(string)` - A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. For example, `"{{identity.entity.name}}@example.com"`. If blank, the Entity's Name field is used as-is.
 

website/content/api-docs/secret/identity/mfa/pingid.mdx

@@ -17,7 +17,7 @@ This endpoint defines an MFA method of type PingID.
 
 - `method_id` `(string: "")` - Optional UUID to specify if updating an existing method.
 
-- `method_name` `(string)` - The unique name identifier for this MFA method. Supported from Vault 1.13.0.
+- `method_name` `(string)` - The unique name identifier for this MFA method.
 
 - `username_format` `(string)` - A template string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. For example, `"{{identity.entity.name}}@example.com"`. If blank, the Entity's Name field is used as-is.
 

website/content/api-docs/secret/identity/mfa/totp.mdx

@@ -17,7 +17,7 @@ This endpoint defines an MFA method of type TOTP.
 
 - `method_id` `(string: "")` - Optional UUID to specify if updating an existing method.
 
-- `method_name` `(string)` - The unique name identifier for this MFA method. Supported from Vault 1.13.0.
+- `method_name` `(string)` - The unique name identifier for this MFA method.
 
 - `issuer` `(string: <required>)` - The name of the key's issuing organization.
 

website/content/api-docs/secret/pki.mdx

@@ -92,7 +92,7 @@ update your API calls accordingly.
 
 ## Notice about new Multi-Issuer functionality
 
-Vault since 1.11.0 allows a single PKI mount to have multiple Certificate
+OpenBao allows a single PKI mount to have multiple Certificate
 Authority (CA) certificates ("issuers") in a single mount, for the purpose
 of facilitating rotation. All issuers within a single mount are treated as a
 single Authority, meaning that:
@@ -109,14 +109,13 @@ to mix different types of CAs (roots and intermediates).
 
 ~> **Note**: Some functionality will not work if a default issuer is not
    configured. OpenBao automatically selects the default issuer from the
-   current issuing certificate on migration from an older OpenBao version
-   (Vault < 1.11.0).
+   current issuing certificate on migration from an older OpenBao version.
 
 ## ACME certificate issuance
 
-Starting with Vault 1.14, OpenBao supports the [ACME certificate lifecycle
-management protocol](https://datatracker.ietf.org/doc/html/rfc8555) for issuing
-and renewing leaf server certificates.
+OpenBao supports the [ACME certificate lifecycle management
+protocol](https://datatracker.ietf.org/doc/html/rfc8555) for issuing and
+renewing leaf server certificates.
 
 In order to use ACME, a [cluster path](#set-cluster-configuration) must be
 set and ACME must be [enabled in its configuration](#set-acme-configuration)
@@ -1519,9 +1518,9 @@ These are unauthenticated endpoints.
 | `GET`  | `/pki/ca_chain`      | `default` | PEM [\[1\]](#openbao-cli-with-der-pem-responses "OpenBao CLI With DER/PEM Responses") |
 | `GET`  | `/pki/cert/ca_chain` | `default` | JSON                                                                              |
 
-~> **Note**: As of Vault 1.11.0, these endpoints now return the full chain
-   (including the default issuer's certificate and all parent issuers known
-   to OpenBao) in these responses.
+~> **Note**: These endpoints return the full chain (including the default
+   issuer's certificate and all parent issuers known to OpenBao) in these
+   responses.
 
 #### Sample request
 
@@ -1562,7 +1561,7 @@ Endpoints with source `local` only include cluster-local revocations.
 
 These are unauthenticated endpoints.
 
-~> **Note**: As of Vault 1.11.0, these endpoints now serve a [version 2](https://datatracker.ietf.org/doc/html/rfc5280#section-5.1.2.1) CRL response.
+~> **Note**: These endpoints now serve a [version 2](https://datatracker.ietf.org/doc/html/rfc5280#section-5.1.2.1) CRL response.
 
 ~> Note: this endpoint accepts the `If-Modified-Since` header, to respond with
    304 Not Modified when the requested resource has not changed. This header
@@ -1718,10 +1717,10 @@ These are unauthenticated endpoints.
   - `crl` for the _default_ issuer's CRL
   - `ca_chain` for the _default_ issuer's CA trust chain.
 
-~> **Note**: As of Vault 1.11.0, these endpoints return the full chain
+~> **Note**: These endpoints return the full chain
    (including this certificate and all parent issuers known to OpenBao) in
    the `ca_chain` response, for both the `certificate` and newer `ca_chain`
-   fields. The root certificate is no longer elided.
+   fields.
 
 #### Sample request
 
@@ -1879,12 +1878,12 @@ be reused for this root.
 This generated root will sign its own CRL. Authority Access distribution points
 use the values set via `config/urls`.
 
-~> **Note**: As of Vault 1.11.0, the PKI Secrets Engine now supports multiple
-   issuers under a single mount. Use the management operations in this section
-   to [list](#list-issuers) and [modify issuers](#update-issuer) within this
-   mount. No issuers will be overridden by calling this operation. Deleting
-   individual keys and issuers should be preferred to calling `DELETE /pki/root`,
-   [which deletes everything](#delete-all-issuers-and-keys).
+~> **Note**: The PKI Secrets Engine supports multiple issuers under a single
+   mount. Use the management operations in this section to [list](#list-issuers)
+   and [modify issuers](#update-issuer) within this mount. No issuers will be
+   overridden by calling this operation. Deleting individual keys and issuers
+   should be preferred to calling `DELETE /pki/root`, [which deletes
+   everything](#delete-all-issuers-and-keys).
 
 | Method | Path                               |
 | :----- | :--------------------------------- |
@@ -2266,10 +2265,9 @@ issuer or key entry; duplicates (including with existing keys) will be ignored.
 The response will indicate what issuers and keys were created as part of this
 request (in the `imported_issuers` and `imported_keys`), along with a `mapping`
 field, indicating which keys belong to which issuers (including from already
-imported entries present in the same bundle). In Vault 1.14.0, the response
-also contains an `existing_issuers` and `existing_keys` fields, which specifies
-the issuer and key IDs of any entries in the bundle that already
-existed within this mount.
+imported entries present in the same bundle). The response also contains an
+`existing_issuers` and `existing_keys` fields, which specifies the issuer and
+key IDs of any entries in the bundle that already existed within this mount.
 
 | Method | Path                           | Allows private keys | Request Parameter |
 | :----- | :----------------------------- | :------------------ | :---------------- |
@@ -2409,10 +2407,9 @@ do so, import a new issuer and a new `issuer_id` will be assigned.
 ~> **Note** `POST`ing to this endpoint causes OpenBao to overwrite the previous
    contents of the issuer, using the provided request data (and any defaults
    for elided parameters). It does not update only the provided fields.<br /><br />
-   Since Vault 1.11.0, OpenBao supports the PATCH operation to this endpoint,
-   using the [JSON patch format](https://datatracker.ietf.org/doc/html/rfc6902)
-   supported by KVv2, allowing update of specific fields. Note that
-   `openbao write` uses `POST`.
+   OpenBao supports the PATCH operation to this endpoint, using the [JSON patch
+   format](https://datatracker.ietf.org/doc/html/rfc6902) supported by KVv2,
+   allowing update of specific fields. Note that `bao write` uses `POST`.
 
 #### Parameters
 
@@ -2872,10 +2869,9 @@ request is denied.
    OpenBao to overwrite the contents of the role, using the provided request
    data (and any defaults for elided parameters). It does not update only
    the provided fields.<br /><br />
-   Since Vault 1.11.0, OpenBao supports the PATCH operation to this endpoint,
-   using the [JSON patch format](https://datatracker.ietf.org/doc/html/rfc6902)
-   supported by KVv2, allowing update of specific fields. Note that
-   `openbao write` uses `POST`.
+   OpenBao supports the PATCH operation to this endpoint, using the [JSON patch
+   format](https://datatracker.ietf.org/doc/html/rfc6902) supported by KVv2,
+   allowing update of specific fields. Note that `bao write` uses `POST`.
 
 #### Parameters
 
@@ -3735,13 +3731,13 @@ and **must** be called on every cluster.
    to delete their issuer and is instead necessary to **remove** the mount
    completely.
 
-~> **Note**: As of Vault 1.12, it is suggested to switch to enabling the CRL's
-   `auto_rebuild` functionality to avoid having to manually hit the Rotate
-   endpoint when the CRL expires. This ensures a valid CRL is always
-   maintained, at the expense of potentially not being up-to-date. If a
-   revocation occurs that must be immediately propagated, this endpoint can
-   be used to regenerate the CRL, though distribution must still occur outside
-   of OpenBao (either manually or via AIA where supported).
+~> **Note**: It is suggested to switch to enabling the CRL's `auto_rebuild`
+   functionality to avoid having to manually hit the Rotate endpoint when the
+   CRL expires. This ensures a valid CRL is always maintained, at the expense of
+   potentially not being up-to-date. If a revocation occurs that must be
+   immediately propagated, this endpoint can be used to regenerate the CRL,
+   though distribution must still occur outside of OpenBao (either manually or
+   via AIA where supported).
 
 | Method | Path              |
 | :----- | :---------------- |
@@ -3981,9 +3977,8 @@ expiration time.
    discarded, potentially causing a performance penalty on each request.
    During regular CA operations, it is not necessary to run this operation.
    <br /><br />
-   It is suggested to run this tidy when removing or importing new issuers and
-   on the first upgrade to a post-1.11 Vault version, but otherwise not to run
-   it during automatic tidy operations.
+   It is suggested to run this tidy when removing or importing new issuers but
+   otherwise not to run it during automatic tidy operations.
 
 - `tidy_expired_issuers` `(bool: false)` - Set to true to automatically remove
   expired issuers after the `issuer_safety_buffer` duration has elapsed. We
@@ -3994,12 +3989,11 @@ expiration time.
    past the `issuer_safety_buffer` specified.
 
 - `tidy_move_legacy_ca_bundle` `(bool: false)` - Set to true to backup any
-  legacy CA/issuers bundle (from Vault versions earlier than 1.11) to
-  `config/ca_bundle.bak`. This can be restored with `sys/raw` back to
-  `config/ca_bundle` if necessary, but won't impact mount startup (as
-  mounts will attempt to read the latter and do a migration of CA issuers
-  if present). Migration will only occur after `issuer_safety_buffer` has
-  passed since the last successful migration.
+  legacy CA/issuers bundle to `config/ca_bundle.bak`. This can be restored with
+  `sys/raw` back to `config/ca_bundle` if necessary, but won't impact mount
+  startup (as mounts will attempt to read the latter and do a migration of CA
+  issuers if present). Migration will only occur after `issuer_safety_buffer`
+  has passed since the last successful migration.
 
 - `safety_buffer` `(string: "")` - Specifies a duration using [duration format strings](/vault/docs/concepts/duration-format)
   used as a safety buffer to ensure certificates are not expunged prematurely; as an example, this can keep
@@ -4287,5 +4281,5 @@ See [PKI Cluster Scalability](/vault/docs/secrets/pki/considerations#cluster-sca
 ## OpenBao CLI with DER/PEM responses
 
 The OpenBao CLI can only display JSON responses. For APIs that return non-JSON formatted
-data such as DER and PEM formats, `openbao read` will fail without the `-format=raw`
-option added in Vault 1.13 or another client such as `curl` must be used.
+data such as DER and PEM formats, `bao read` will fail without the `-format=raw`
+option or another client such as `curl` must be used.

website/content/api-docs/secret/ssh.mdx

@@ -801,7 +801,7 @@ parameters of the issued certificate can be further customized in this API call.
 
 ~> **Note**: The issued credentials are returned but _not_ stored by OpenBao.
    If you do not save them from the response, issue new credentials by using
-   this request again. This endpoint is available with Vault version 1.12+.
+   this request again.
 
 | Method | Path               |
 | :----- | :----------------  |
@@ -890,10 +890,7 @@ from this engine.
    remove these keys from systems with authorized hosts entries created by
    OpenBao. That must be done manually by an operator, potentially before the
    removal of these host keys if they are necessary to access these
-   systems.<br /><br />
-   For a more effective cleanup process, it is suggest to stay on Vault 1.12,
-   manually revoke all dynamic key leases, wait for this to finish, and then
-   upgrade to Vault 1.13+.
+   systems.
 
 | Method   | Path                     |
 | :------- | :----------------------- |

website/content/api-docs/secret/transit.mdx

@@ -712,6 +712,11 @@ will be returned.
   encryption. If not set, uses the latest version. Must be greater than or
   equal to the key's `min_encryption_version`, if set.
 
+- `nonce` `(string: "")` – Specifies the **base64 encoded** nonce value. The
+  value must be exactly 96 bits (12 bytes) long and the user must ensure that
+  for any given context (and thus, any given encryption key) this nonce value is
+  **never reused**.
+
 - `reference` `(string: "")` -
   A user-supplied string that will be present in the `reference` field on the
   corresponding `batch_results` item in the response, to assist in understanding
@@ -827,6 +832,8 @@ This endpoint decrypts the provided ciphertext using the named key.
 - `context` `(string: "")` – Specifies the **base64 encoded** context for key
   derivation. This is required if key derivation is enabled.
 
+- `nonce` `(string: "")` – Specifies a base64 encoded nonce value used during
+  encryption. 
 - `reference` `(string: "")` -
   A user-supplied string that will be present in the `reference` field on the
   corresponding `batch_results` item in the response, to assist in understanding
@@ -912,6 +919,9 @@ functionality to untrusted users or scripts.
   operation. If not set, uses the latest version. Must be greater than or equal
   to the key's `min_encryption_version`, if set.
 
+- `nonce` `(string: "")` – Specifies a base64 encoded nonce value used during
+  encryption. 
+
 - `reference` `(string: "")` -
   A user-supplied string that will be present in the `reference` field on the
   corresponding `batch_results` item in the response, to assist in understanding
@@ -991,6 +1001,11 @@ then made available to trusted users.
 - `context` `(string: "")` – Specifies the key derivation context, provided as a
   base64-encoded string. This must be provided if derivation is enabled.
 
+- `nonce` `(string: "")` – Specifies a nonce value, provided as base64 encoded.
+  The value must be exactly 96 bits (12 bytes) long and the user must ensure
+  that for any given context (and thus, any given encryption key) this nonce
+  value is **never reused**.
+
 - `bits` `(int: 256)` – Specifies the number of bits in the desired key. Can be
   128, 256, or 512.
 

website/content/api-docs/system/auth.mdx

@@ -329,7 +329,7 @@ can be achieved without `sudo` via `sys/mounts/auth/[auth-path]/tune`._
   to use, e.g. "v1.0.0". Changes will not take effect until the mount is reloaded.
 
 - `user_lockout_config` `(map<string|string>: nil)` – Specifies the user lockout configuration
-  for the mount. User lockout feature was added in Vault 1.13. These are the possible values:
+  for the mount. These are the possible values:
 
   - `lockout_threshold` `(string: "")` - Specifies the number of failed login attempts after
     which the user is locked out, specified as a string like "15".

website/content/api-docs/system/inspect/index.mdx

@@ -13,7 +13,7 @@ This endpoint is off by default. See the
 [OpenBao configuration documentation](/vault/docs/configuration) to
 enable. Once the endpoint is turned on, it can be accessed with a root token or sudo privileges.
 
-~> **NOTE**: These endpoints are only available in Vault version 1.13+. Backwards compatibility is not guaranteed. These endpoints are subject to change or may disappear without notice.
+~> **NOTE**: These endpoints are subject to change or may disappear without notice.
 
 
 ## Supported inspection paths