prepare release of v1.2.0

test against Vault 1.15.4
model: add "build_date" to SealResponse (#73 )
2023-12-11 17:44:00 +01:00 · 2023-12-11 17:41:31 +01:00 · 2023-12-03 15:11:10 +01:00 · 2023-12-03 15:09:45 +01:00 · 2023-12-03 15:09:12 +01:00 · 2023-12-03 14:44:15 +01:00
222 changed files with 10365 additions and 4443 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -0,0 +1,50 @@
+kind: pipeline
+name: default
+
+steps:
+  - name: compile
+    image: maven:3-eclipse-temurin-21
+    commands:
+      - mvn -B clean compile
+    when:
+      branch:
+        - main
+        - develop
+        - feature/*
+        - fix/*
+        - release/*
+  - name: unit-tests
+    image: maven:3-eclipse-temurin-21
+    commands:
+      - mvn -B test
+    when:
+      branch:
+        - develop
+        - feature/*
+        - fix/*
+  - name: setup-vault
+    image: alpine:latest
+    environment:
+      VAULT_VERSION: 1.15.4
+    commands:
+      - wget -q -O vault_$${VAULT_VERSION}_linux_amd64.zip https://releases.hashicorp.com/vault/$${VAULT_VERSION}/vault_$${VAULT_VERSION}_linux_amd64.zip
+      - wget -q -O - https://releases.hashicorp.com/vault/$${VAULT_VERSION}/vault_$${VAULT_VERSION}_SHA256SUMS | grep linux_amd64 | sha256sum -c
+      - unzip vault_$${VAULT_VERSION}_linux_amd64.zip
+      - rm vault_$${VAULT_VERSION}_linux_amd64.zip
+      - mkdir -p .bin
+      - mv vault .bin/
+    when:
+      branch:
+        - main
+        - release/*
+  - name: unit-integration-tests
+    image: maven:3-eclipse-temurin-21
+    environment:
+      VAULT_VERSION: 1.15.4
+    commands:
+      - export PATH=.bin:$${PATH}
+      - mvn -B -P integration-test verify
+    when:
+      branch:
+        - main
+        - release/*
--- a/.editorconfig
+++ b/.editorconfig
@ -0,0 +1,14 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 4
+indent_style = space
+insert_final_newline = true
+max_line_length = 120
+tab_width = 4
+trim_trailing_whitespace = true
+
+[{*.yaml,*.yml}]
+indent_size = 2
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -0,0 +1,50 @@
+name: CI
+on: [ push, pull_request ]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        jdk: [ 11, 17, 21 ]
+        vault: [ '1.2.0', '1.11.12', '1.15.4' ]
+        include:
+          - jdk: 21
+            vault: '1.11.12'
+            analysis: true
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Set up Java
+        uses: actions/setup-java@v3
+        with:
+          java-version: ${{ matrix.jdk }}
+          distribution: 'temurin'
+      - name: Compile
+        run: mvn -B clean compile
+      - name: Set up Vault
+        if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')
+        run: |
+          wget -q "https://releases.hashicorp.com/vault/${{ matrix.vault }}/vault_${{ matrix.vault }}_linux_amd64.zip"
+          wget -q -O - "https://releases.hashicorp.com/vault/${{ matrix.vault }}/vault_${{ matrix.vault }}_SHA256SUMS" | grep linux_amd64 | sha256sum -c
+          unzip "vault_${{ matrix.vault }}_linux_amd64.zip"
+          rm "vault_${{ matrix.vault }}_linux_amd64.zip"
+          sudo mv vault /usr/bin/vault
+      - name: Test (Unit & Integration)
+        if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')
+        env:
+          VAULT_VERSION: ${{ matrix.vault }}
+        run: mvn -B -P coverage -P integration-test verify
+      - name: Test (Unit)
+        if: github.ref != 'refs/heads/main' && !startsWith(github.ref, 'refs/heads/release/')
+        run: mvn -B -P coverage verify
+      - name: Analysis
+        if: matrix.analysis
+        run: >
+          mvn -B sonar:sonar
+          -Dsonar.host.url=https://sonarcloud.io
+          -Dsonar.organization=stklcode-github
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
--- a/.gitignore
+++ b/.gitignore
@ -1,5 +1,16 @@
-/target/
-/*.iml
-/.idea/
-/*.project
-*~
+target/
+pom.xml.tag
+pom.xml.releaseBackup
+pom.xml.versionsBackup
+pom.xml.next
+release.properties
+dependency-reduced-pom.xml
+buildNumber.properties
+.mvn/timing.properties
+
+.idea
+*.iml
+
+.bin
+
+*~
--- a/.travis.yml
+++ b/.travis.yml
@ -1,29 +0,0 @@
-branches:
-  only:
-    - master
-language: java
-jdk:
-  - oraclejdk8
-dist: trusty
-install: true
-addons:
-  sonarcloud:
-    organization: "stklcode-github"
-    token:
-      secure: "sM9OfX5jW764pn9cb2LSXArnXucKMws+eGeg5NnZxHRcGYt4hpBKLSregBSsBNzUoWVj0zNzPCpnh+UQvgxQzUerOqwEdjTBpy3SNPaxSn7UpoSg+Wz3aUmL9ugmx01b51/wMG4UCHEwTZt2tpgTPVtw8K6uSO78e0dSICCBHDnRcdQwOjMEQHIJJ/qHVRwuy/MzLCAP3W1JPZlsphZg9QsFyhB4hW97dE90joZezfocQIv2xI/r6k+BLz0pY6MxYCul0RiDumaiaej0CPvEJI/uSu//BAQjUdHw+mQgnKUYIbrn2ONOviwNfwdr94JyoZEN2B6zASUmNLjPf4AbIojDeyS+CrpQpm17EVm/Qk/Ds+Xra4PPPIcsZhiWzV0KoDUz9xLfXuRJ526VT5tDPiaeI7oETf0+8l+JIS1b399FyqHi7smzjpvC6GuKflQrbuHK4MuKzDh7WTHiqokGG4SS0wOQIaaHB3dfdwwQzPh6IM24e8CETxh3DjMeqUTU4DWmv5po55jZ934TtxVQvVN78bTG9O0zS9u+JmRY04OZ+OaXuFam6MfMUFQi0EPZzdGul/oWSibGUu3bNfVEBp60CnJwYNM/dKG6U7pJthLHvSwiQFOdKzHZ+l1jZJ4gPaXaIGqpwqVGr28ntqA/El1rytPixr2driE6bYMt5jw="
-env:
-  - PATH=$PATH:.
-before_script:
-  - wget https://releases.hashicorp.com/vault/0.9.5/vault_0.9.5_linux_amd64.zip
-  - wget -q -O - https://releases.hashicorp.com/vault/0.9.5/vault_0.9.5_SHA256SUMS | grep linux_amd64 | sha256sum -c
-  - unzip vault_0.9.5_linux_amd64.zip
-  - rm vault_0.9.5_linux_amd64.zip
-cache:
-  directories:
-    - '$HOME/.m2/repository'
-    - '$HOME/.sonar/cache'
-script:
-  - mvn clean org.jacoco:jacoco-maven-plugin:prepare-agent package sonar:sonar
-notifications:
-  slack:
-    secure: "YyE5GePOLkCVTtCy8j507BRmQrtrWhtvmUt4kY0Z2/ptf0LzfuDEJQ4ZbCxO5ri5IDJrrvyPAedjft818+bMzdFfxvi1oviIL+LZNhyev8gfeIBF/U2pvSLGKCRX4g4aZ6NKN3Untjdm8lmiVTltOyZ59JizQVwXzAl3LiOpnJugyBqbhOx4EIqBzwW3gaYAofMqY2LczW5W/M+99HJCst8Mb8H06GstCPEHCizAq7VRaUS68PstlxQMV0Q6bsSYMLFbLWmhuXs96WHqOrT+nNsl07ikr3N8c4HafhFutt2Jyc1+8gXO417+eSvVM0iBpHGwTmfGFfCqx/4Pf62DTJuvh8dR4fLgLDiqEeDrBEcRRDOs9cvXVOO22NN1HuBBJY8VRiFcwNAvuVMXCtnC+1RJRAZB2zubsANiFe+ygk/ywj37cVXY+NpqlBwcSph6jPHo2hD6cIl2rTWn1EnZH519Rh38xTSv6MRzAO9kWNVrAlX+UtvYS8Sk7Owrc0tET9Lc4zj6aI5tsA1wYbN3Jk6EbMhsF6K/XF2npt2qg09pxkj8wmxoUoR6/rGuSv55aSxTdLDmH+en4ahEm3uc4h1lYoVCk0yrZoTAas3zS4WpBCKnl+mweuKNxaejyy0Wv6NR9ZCTaS3yFgibNOjvDpxZxTAPdNBL7hn+k4LwgN4="
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,67 +1,381 @@
-## 0.7.1 [2018-03-17]
-* [improvement] Added automatic module name for JPMS compatibility
-* [dependencies] Minor dependency updates
-* [test] Tested against Vault 0.9.5
+## 1.2.0 (2023-12-11)
+
+### Deprecations
+* `get...TimeString()` methods on various model classes are now deprecated
+
+### Improvements
+* Parse timestamps as `ZonedDateTime` instead of `String` representation
+* Remove redundant `java.base` requirement from _module-info.java_ (#69)
+* Close Java HTTP Client when running on Java 21 or later (#70)
+* Add MFA requirements tu `AuthResponse` (#71)
+* Extend `AuthMethod` data model (#72)
+
+### Dependencies
+* Updated Jackson to 2.16.0
+
+
+## 1.1.5 (2023-08-19)
+
+### Fix
+* Fixed JSON type conversion in `SecretResponse#get(String, Class)` (#67)
+
+### Test
+* Tested against Vault 1.2 to 1.15
+
+
+## 1.1.4 (2023-06-15)
+
+### Fix
+* Use `[+-]XX:XX` notation for timezone in date/time parsing
+
+### Improvements
+* Use explicit UTF-8 encoding for parsing responses
+
+### Dependencies
+* Updated Jackson to 2.15.2
+
+### Test
+* Tested against Vault 1.2.0 to 1.13.3
+
+
+## 1.1.3 (2023-01-31)
+
+### Deprecations
+* AppID components (deprecated since 0.4) are marked for removal with the next major release
+
+### Dependencies
+* Updated Jackson to 2.14.2
+
+### Improvements
+* Minor internal refactoring
+
+### Test
+* Tested against Vault 1.2.0 to 1.12.2
+
+
+## 1.1.2 (2022-10-26)
+
+### Dependencies
+* Updated Jackson to 2.13.4.2
+
+### Test
+* Tested against Vault 1.2.0 to 1.12.0
+* Disable AppID tests for Vault 1.12 and above (auth method removed)
+* Tested with Java 19
+
+
+## 1.1.1 (2022-08-29)
+
+### Dependencies
+* Updated Jackson to 2.13.3
+
+### Test
+* Tested against Vault 1.11.2
+* Tested with Java 18
+
+
+## 1.1.0 (2022-04-24)
+
+### Fix
+* Use `replication_performance_mode`  instead of `replication_perf_mode` in health response.
+
+### Improvements
+* Add `migration`, `recovery_seal` and `storage_type` fields to `SealReponse` model
+* Add support for `wrap_info` in data response models
+* Dependency updates
+* Model and response classes implement `Serializable` (#57)
+* Split `SercretResponse`  into `PlainSecretResponse` and `MetaSecretResponse` subclasses (common API unchanged)
+* Add missing fields to `AuthMethod` model
+* Add support for (dis)allowed policy glob patterns in `TokenRole`
+* Add request ID to data response models
+
+### Test
+* Tested against Vault 1.10.1
+
+
+## 1.0.1 (2021-11-21)
+
+### Fix
+* Make `HTTPVaultConnectorBuilder#withPort(Integer)` null-safe (#56)
+* Make system-lambda dependency test-only (#58)
+
+### Test
+* Tested against Vault 1.9.0
+
+## 1.0.0 (2021-10-02)
+
+### Breaking
+* Requires Java 11 or later
+* Builder invocation has changed, use `HTTPVaultConnector.builder()....build()`
+
+### Removal
+* Remove deprecated `VaultConnectorFactory` in favor of `VaultConnectorBuilder` with identical API
+* Remove deprecated `AppRoleBuilder` and `TokenBuilder` in favor of `AppRole.Builder` and `Token.Builder`
+* Remove deprecated `Period`, `Policy` and `Policies` methods from `AppRole` in favor of `Token`-prefixed versions
+* Remove deprecated `SecretResponse#getValue()` method, use `get("value")` instead
+* Remove deprecated convenience methods for interaction with "secret" mount
+
+### Improvements
+* Use pre-sized map objects for fixed-size payloads
+* Remove Apache HTTP Client dependency in favor of Java 11 HTTP
+* Introduce Java module descriptor
+
+### Test
+* Tested against Vault 1.8.3
+
+
+## 0.9.5 (2021-07-28)
+
+### Deprecations
+* Deprecate ` {read,write,delete}Secret()` convenience methods. Use `{read,write,delete}("secret/...")` instead (#52)
+* Deprecated builder invocation `VaultConnectorBuilder.http()` in favor of `HTTPVaultConnector.builder()` (#51)
+* Deprecated `de.stklcode.jvault.connector.builder.HTTPVaultConnectorBuilder` in favor of `de.stklcode.jvault.connector.HTTPVaultConnectorBuilder` (only package changed) (#51)
+
+Old builders will be removed in 1.0
+
+### Improvements
+* Minor dependency updates
+
+### Test
+* Tested against Vault 1.8.0
+
+## 0.9.4 (2021-06-06)
+
+### Deprecations
+* `AppRole.Builder#wit0hTokenPeriod()` is deprecated in favor of `#withTokenPeriod()` (#49)
+
+### Improvements
+* Minor dependency updates
+
+### Test
+* Tested against Vault 1.7.2
+
+## 0.9.3 (2021-04-02)
+
+### Improvements
+* Use pre-sized map objects for fixed-size payloads
+* Minor dependency updates
+* Unit test adjustments for JDK 16 build environments
+
+### Test
+* Tested against Vault 1.7.0
+
+## 0.9.2 (2021-01-24)
+
+### Fixes
+* Only initialize custom trust managers, if CA certificate is actually provided (#43)
+
+### Improvements
+* Minor dependency updates
+
+## 0.9.1 (2021-01-03)
+
+### Improvements
+* Dependency updates
+
+### Test
+* Tested against Vault 1.6.1
+
+## 0.9.0 (2020-04-29)
+
+### Fixes
+* Correctly parse Map field for token metadata (#34)
+* Correctly map token policies on token lookup (#35)
+
+### Features
+* Support for token types (#26)
+* Support for token role handling (#27) (#37)
+
+### Improvements
+* Added `entity_id`, `token_policies`, `token_type` and `orphan` flags to auth response
+* Added `entity_id`, `expire_time`, `explicit_max_ttl`, `issue_time`, `renewable` and `type` flags to token data
+* Added `explicit_max_ttl`, `period` and `entity_alias` flags to _Token_ model (#41)
+* Added `enable_local_secret_ids`, `token_bound_cidrs`, `token_explicit_max_ttl`, `token_no_default_policy`,
+  `token_num_uses`, `token_period` and `token_type` flags to _AppRole_ model
+* Minor dependency updates
+
+### Deprecations
+* `AppRole#getPolicies()` and `#setPolicies()` are deprecated in favor of `#getTokenPolicies()` and `#setTokenPolicies()`
+* `AppRole#getPeriod()` is deprecated in favor of `#getTokenPeriod()`
+* `AppRoleBuilder` and `TokenBuilder` in favor of `AppRole.Builder` and `Token.Builder`
+* All-arg constructors of `AppRole` and `Token` in favor of `.builder()....build()` introduced in 0.8
+
+### Removals
+* Deprecated methods `AppRole#getBoundCidrList()`, `#setBoundCidrList()` and `getBoundCidrListString()` have been removed.
+
+### Test
+* Tested against Vault 1.4.0
+
+
+## 0.8.2 (2019-10-20)
+
+### Fixes
+* Fixed token lookup (#31)
+
+### Improvements
+* Updated dependencies
+
+## 0.8.1 (2019-08-16)
+### Fixes
+* Removed compile dependency to JUnit library (#30)
+
+### Improvements
+* Updated dependencies
+
+### Test
+* Tested against Vault 1.2.2
+
+## 0.8.0 (2019-03-24)
+### Breaking
+* Moved Maven artifact to `de.stklcode.jvault:jvault-connector` (#28)
+* Removed support for `HTTPVaultConnectorFactory#withSslContext()` in favor of `#withTrustedCA()` due to
+
+### Features
+* Support for KV version 2 secret engine (#16)
+* Ability to pass custom mount point to KV v2 read/write methods (#25)
+
+### Improvements
+* refactoring of the internal SSL handling (#17)
+* `VaultConnector` extends `java.io.Serializable` (#19)
+* Added missing flags to `SealResponse` (#20)
+* Added replication flags to `HealthResponse` (#21)
+* Enforce TLS 1.2 by default with option to override (#22)
+* Build environment and tests now compatible with Java 10
+* Updated dependencies to fix vulnerabilities (i.e. CVE-2018-7489)
+* New static method `Token.builder()` to get token builder instance
+* New static method `AppRole.builder()` to get AppRole builder instance
+
+### Deprecation
+* `VaultConnectorFactory` is deprecated in favor of `VaultConnectorBuilder` with identical API (#18)
+* `AppRoleBuilder#withBoundCidrList(List)` is deprecated in favor of `AppRoleBuilder#withSecretIdBoundCidrs(List)` (#24)
+
+
+## 0.7.1 (2018-03-17)
+### Improvements
+* Added automatic module name for JPMS compatibility
+* Minor dependency updates
+
+### Test
+* Tested against Vault 0.9.5
+
+
+## 0.7.0 (2017-10-03)
+### Features
+* Retrieval of health status via `getHealth()` (#15)
+
+### Improvements
+* `seal()`, `unseal()` are now `void` and throw Exception on error (#12)
+* Adaptation to Vault 0.8 endpoints for `renew` and `revoke`, **breaking** 0.7 compatibility (#11)
+
+### Removed
+* Removed deprecated `listAppRoleSecretss()` (use `listAppRoleSecrets()`) (#14)
+
+### Test
+* Tested against Vault 0.8.3

-## 0.7.0 [2017-10-03]
-* [feature] Retrieval of health status via `getHealth()` (#15)
-* [improvement] `seal()`, `unseal()` are now `void` and throw Exception on error (#12)
-* [compatibility] Adaptation to Vault 0.8 endpoints for `renew` and `revoke`, **breaking** 0.7 compatibility (#11)
-* [deletion] Removed deprecated `listAppRoleSecretss()` (use `listAppRoleSecrets()`) (#14)
-* [test] Tested against Vault 0.8.3

 ## 0.6.2 [2017-08-19]
-* [fix] Prevent potential NPE on SecretResponse getter
-* [fix] Removed stack traces on PUT request and response deserialization (#13)
-* [improvement] Fields of InvalidResposneException made final
-* [deprecation] `listAppRoleSecretss()` in favor of `listAppRoleSecrets()` (#14)
-* [test] Tested against Vault 0.8.1, increased coverage
+### Fixes
+* Prevent potential NPE on SecretResponse getter
+* Removed stack traces on PUT request and response deserialization (#13)

-## 0.6.1 [2017-08-02]
-* [fix] `TokenModel.getPassword()` returned username instead of password
-* [fix]  `TokenModel.getUsername()` and `getPassword()` could produce NPE in multithreaded environments
-* [fix] `TokenData.getCreatinTtl()` renamed to `getCreationTtl()` (typo fix)
-* [test] Tested against Vault 0.7.3
+### Improvements
+* Fields of InvalidResposneException made final

-## 0.6.0 [2017-05-12]
-* [feature] Initialization from environment variables using `fromEnv()` in factory (#8)
-* [feature] Automatic authentication with `buildAndAuth()`
-* [feature] Custom timeout and number of retries (#9)
-* [feature] Connector implements `AutoCloseable`
-* [fix] `SecretResponse` does not throw NPE on `get(key)` and `getData()` 
-* [test] Tested against Vault 0.7.2
+### Deprecation
+* `listAppRoleSecretss()` in favor of `listAppRoleSecrets()` (#14)
+
+### Test
+* Tested against Vault 0.8.1, increased coverage
+
+
+## 0.6.1 (2017-08-02)
+### Fixes
+* `TokenModel.getPassword()` returned username instead of password
+* `TokenModel.getUsername()` and `getPassword()` could produce NPE in multithreaded environments
+* `TokenData.getCreatinTtl()` renamed to `getCreationTtl()` (typo fix)
+
+### Test
+* Tested against Vault 0.7.3
+
+
+## 0.6.0 (2017-05-12)
+### Features
+* Initialization from environment variables using `fromEnv()` in factory (#8)
+* Automatic authentication with `buildAndAuth()`
+* Custom timeout and number of retries (#9)
+* Connector implements `AutoCloseable`
+
+### Fixes
+* `SecretResponse` does not throw NPE on `get(key)` and `getData()`
+
+### Test
+* Tested against Vault 0.7.2
+
+
+## 0.5.0 (2017-03-18)
+### Features
+* Convenience methods for DB credentials (#7)
+
+### Fixes
+* Minor bugfix in TokenBuilder
+
+### Deprecation
+* `SecretResponse.getValue()` deprecated
+
+### Test
+* Tested against Vault 0.7.0

-## 0.5.0 [2017-03-18]
-* [feature] Convenience methods for DB credentials (#7)
-* [fix] Minor bugfix in TokenBuilder
-* [deprecation] `SecretResponse.getValue()` deprecated
-* [test] Tested against Vault 0.7.0

 ## 0.4.1 [2016-12-24]
-* [fix] Factory Null-tolerant for trusted certificate (#6)
-* [test] StackTraces tested for secret leaks
-* [test] Tested against Vault 0.6.4
+### Fixes
+* Factory Null-tolerant for trusted certificate (#6)

-## 0.4.0 [2016-11-06]
-* [feature] Option to provide a trusted CA certificate (#2)
-* [feature] Deletion, revocation and renewal of secrets (#3)
-* [feature] Token creation (#4)
-* [feature] AppRole auth backend supported (#5)
-* [improvement] Support for complex secrets
-* [deprecation] App-ID backend marked as deprecated
+### Test
+* StackTraces tested for secret leaks
+* Tested against Vault 0.6.4

-## 0.3.0 [2016-10-07]
-* [feature] Retrieval of JSON objects (#1)
-* [test] Tested against Vault 0.6.2

-## 0.2.0 [2016-09-01]
+## 0.4.0 (2016-11-06)
+### Features
+* Option to provide a trusted CA certificate (#2)
+* Deletion, revocation and renewal of secrets (#3)
+* Token creation (#4)
+* AppRole auth backend supported (#5)
+
+### Improvements
+* Support for complex secrets
+
+### Deprecation
+* App-ID backend marked as deprecated
+
+
+## 0.3.0 (2016-10-07)
+### Features
+* Retrieval of JSON objects (#1)
+
+### Test
+* Tested against Vault 0.6.2
+
+
+## 0.2.0 (2016-09-01)
+### Improvements
 * Dependecies updated and CommonsIO removed
-* [fix] Fixed auth backend detection for Vault 0.6.1
-* [test] Tested against Vault 0.6.1

-## 0.1.1 [2016-06-20]
-* [fix] Check for "permission denied" without status code 400 instead of 403
-* [test] Tested against Vault 0.6.0
+### Fixes
+* Fixed auth backend detection for Vault 0.6.1

-## 0.1.0 [2016-03-29]
+### Test
+* Tested against Vault 0.6.1
+
+
+## 0.1.1 (2016-06-20)
+### Fixes
+* Check for "permission denied" without status code 400 instead of 403
+
+### Test
+* Tested against Vault 0.6.0
+
+
+## 0.1.0 (2016-03-29)
 * First release
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -0,0 +1,112 @@
+# How to contribute
+
+As for all great Open Source projects, contributions in form of bug reports and code are welcome and important to keep the project alive.
+
+In general, this project follows the [GitHub Flow](https://guides.github.com/introduction/flow/).
+Fork the project, commit your changes to your branch, open a pull request and it will probably be merged.
+However, to ensure maintainability and quality of the code, there are some guidelines you might be more or less familiar with.
+For that purpose, this document describes the important points.
+
+## Opening an Issue
+
+If you experience any issues with the library or the code, don't hesitate to file an issue.
+
+### Bug Reports
+
+Think you found a bug?
+Please clearly state what happens and describe your environment to help tracking down the issue.
+
+* Which version of the connector are you running?
+* Which version of Java (architecture and OS if relevant)?
+* Which version of Vault?
+
+### Feature Requests
+
+Missing a feature or like to have certain functionality enhanced?
+No problem, please open an issue and describe what and why you think this change is required.
+
+## Pull Requests
+
+If you want to contribute your code to solve an issue or implement a desired feature yourself, you might open a pull request.
+If the changes introduce new functionality or affect major parts of existing code, please consider opening an issue for discussion first.
+
+Extending or adapting JUnit test cases would be nice (no hard criterion though).
+
+The `main` branch also be target for most pull requests.
+However, if it features new functionality you might want to target the `develop` branch instead (see next section for details on branches).
+
+### Branches
+
+The `main` branch represents the current, more or less stable state of development.
+Please ensure your initial code is up to date with it at the time you start development.
+
+In addition, this project features a `develop` branch, which holds bleeding edge developments, not necessarily considered stable or even compatible.
+Do not expect this code to run smoothly, but you might have a look into the history to see if some work on an issue has already been started there.
+
+For fixes and features, there might be additional branches, likely prefixed by `fix/` or `feature/` followed by an issue number (if applicable) and/or a title.
+Feel free to adapt this naming scheme to your forks.
+
+### Merge Requirements
+
+To be merged into the main branch, your code has to pass the automated continuous integration tests, to ensure compatibility.
+In addition, your code has to be approved by a project member.
+
+#### What if my code fails the tests?
+
+Don't worry, you can submit your PR anyway.
+The reviewing process might help you to solve remaining issues.
+
+### Commit messages
+
+Please use speaking titles and messages for your commits, to ensure a transparent history.
+If your patch fixes an issue, reference the ID in the first line.
+If you feel like you have to _briefly_ explain your changes, do it (for long explanations and discussion, consider opening an issue or describe in the PR).
+
+**Example commit:**
+```text
+Fix nasty bug from #1337
+
+This example commit fixes the issue that some people write non-speaking commit messages like 'done magic'.
+A short description is helpful sometimes.
+```
+
+You might sign your work, although that's no must.
+
+### When will it be merged?
+
+Short answer: When it makes sense.
+
+Bugfixes should be merged in time - assuming they pass the above criteria.
+New features might be assigned to a certain milestone and as a result of this be scheduled according to the planned release cycle.
+
+## Compatibility
+
+To ensure usability for a wide range of users, please take note on the software requirements stated in the `README`.
+This includes especially Java versions and a minimum version of _Vault_.
+
+If you are unsure if your code matches these versions, the test will probably tell you.
+
+In case you think, your change is more important than maintaining backwards compatibility, please start a discussion to see,
+if we might increase the minimum version or find a workaround for legacy systems.
+
+## Build Environment
+
+All you need to start off - besides your favorite IDE and a JDK of course - is [Maven](https://maven.apache.org/).
+
+## Unit Tests
+
+The code is tested by JUnit tests.
+For standalone testing against mocked APIs the _Maven_ profile `offline-test` should be used.
+Otherwise, there is a test suite that requires an actual _Vault_ binary in the executable path to start a real server instance. 
+
+## Continuous Integration
+
+Automated tests are run using [GitHub Actions](https://github.com/features/actions) for every commit including pull requests.
+Tests usually run against the minimal supported version, all supported LTS versions and the latest version of Java.
+
+There is an automated code quality analysis pushing results to [SonarCloud](https://sonarcloud.io/dashboard?id=de.stklcode.jvault%3Ajvault-connector).
+
+## Still Open Questions?
+
+If anything is still left unanswered and you're unsure if you got it right, don't hesitate to contact a team member.
+In any case you might submit your request/issue anyway, we won't refuse good code only for formal reasons.
--- a/README.md
+++ b/README.md
@ -1,27 +1,27 @@
-# Java Vault Connector 
+# Java Vault Connector

-[![Build Status](https://travis-ci.org/stklcode/jvaultconnector.svg?branch=master)](https://travis-ci.org/stklcode/jvaultconnector)
-[![Quality Gate](https://sonarcloud.io/api/badges/gate?key=de.stklcode.jvault%3Aconnector)](https://sonarcloud.io/dashboard?id=de.stklcode.jvault%3Aconnector)
-[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](https://github.com/stklcode/jvaultconnector/blob/master/LICENSE.txt) 
-[![Maven Central](https://img.shields.io/maven-central/v/de.stklcode.jvault/connector.svg)](https://search.maven.org/#search%7Cga%7C1%7Cg%3A%22de.stklcode.jvault%22%20AND%20a%3A%22connector%22)
+[![CI Status](https://github.com/stklcode/jvaultconnector/actions/workflows/ci.yml/badge.svg)](https://github.com/stklcode/jvaultconnector/actions/workflows/ci.yml)
+[![Quality Gate](https://sonarcloud.io/api/project_badges/measure?project=de.stklcode.jvault%3Ajvault-connector&metric=alert_status)](https://sonarcloud.io/dashboard?id=de.stklcode.jvault%3Ajvault-connector)
+[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](https://github.com/stklcode/jvaultconnector/blob/main/LICENSE.txt)
+[![Maven Central](https://img.shields.io/maven-central/v/de.stklcode.jvault/jvault-connector.svg)](https://search.maven.org/#search%7Cga%7C1%7Cg%3A%22de.stklcode.jvault%22%20AND%20a%3A%22jvault-connector%22)

-![Logo](https://raw.githubusercontent.com/stklcode/jvaultconnector/master/assets/logo.png)
+![Logo](https://raw.githubusercontent.com/stklcode/jvaultconnector/main/assets/logo.png)

 Java Vault Connector is a connector library for [Vault](https://www.vaultproject.io) by [Hashicorp](https://www.hashicorp.com) written in Java. The connector allows simple usage of Vault's secret store in own applications.

 ## Features:

 * HTTP(S) backend connector
-    *  Ability to provide or enforce custom CA certificate
+    * Ability to provide or enforce custom CA certificate
    * Optional initialization from environment variables
 * Authorization methods
    * Token
    * Username/Password
-    * AppID (register and authenticate) [_deprecated_]
    * AppRole (register and authenticate)
+    * AppID (register and authenticate) [_deprecated_]
 * Tokens
-    * Creation and lookup of tokens
-    * TokenBuilder for speaking creation of complex configuraitons
+    * Creation and lookup of tokens and token roles
+    * TokenBuilder for speaking creation of complex configurations
 * Secrets
    * Read secrets
    * Write secrets
@ -30,16 +30,17 @@ Java Vault Connector is a connector library for [Vault](https://www.vaultproject
    * Renew/revoke leases
    * Raw secret content or JSON decoding
    * SQL secret handling
+    * KV v1 and v2 support
 * Connector Factory with builder pattern
-* Tested against Vault 0.9.5
+* Tested against Vault 1.2 to 1.15


 ## Maven Artifact
 ```xml
 <dependency>
    <groupId>de.stklcode.jvault</groupId>
-    <artifactId>connector</artifactId>
-    <version>0.7.1</version>
+    <artifactId>jvault-connector</artifactId>
+    <version>1.2.0</version>
 </dependency>
 ```

@ -49,21 +50,19 @@ Java Vault Connector is a connector library for [Vault](https://www.vaultproject

 ```java
 // Instantiate using builder pattern style factory (TLS enabled by default)
-VaultConnector vault = VaultConnectorFactory.httpFactory()
+VaultConnector vault = HTTPVaultConnector.builder()
 .withHost("127.0.0.1")
 .withPort(8200)
 .withTLS()
 .build();

 // Instantiate with custom SSL context
-VaultConnector vault = VaultConnectorFactory.httpFactory()
- .withHost("example.com")
- .withPort(8200)
+VaultConnector vault = HTTPVaultConnector.builder("https://example.com:8200/v1/")
 .withTrustedCA(Paths.get("/path/to/CA.pem"))
 .build();

-// Initialization from environment variables 
-VaultConnector vault = VaultConnectorFactory.httpFactory()
+// Initialization from environment variables
+VaultConnector vault = HTTPVaultConnector.builder()
 .fromEnv()
 .build();
 ```
@ -71,44 +70,45 @@ VaultConnector vault = VaultConnectorFactory.httpFactory()
 ### Authentication

 ```java
-// Authenticate with token
+// Authenticate with token.
 vault.authToken("01234567-89ab-cdef-0123-456789abcdef");

-// Authenticate with username and password
+// Authenticate with username and password.
 vault.authUserPass("username", "p4ssw0rd");

-// Authenticate with AppID (secret - 2nd argument - is optional)
-vault.authAppId("01234567-89ab-cdef-0123-456789abcdef", "fedcba98-7654-3210-fedc-ba9876543210");
+// Authenticate with AppRole (secret - 2nd argument - is optional).
+vault.authAppRole("01234567-89ab-cdef-0123-456789abcdef", "fedcba98-7654-3210-fedc-ba9876543210");
 ```

 ### Secret read & write

 ```java
 // Retrieve secret (prefix "secret/" assumed, use read() to read arbitrary paths)
-String secret = vault.readSecret("some/secret/key").getValue();
+String secret = vault.read("secret/some/key").get("value", String.class);

-// Complex secret
-Map<String, Object> secretData = vault.readSecret("another/secret/key").getData();
+// Complex secret.
+Map<String, Object> secretData = vault.read("secret/another/key").getData();

-// Write simple secret
-vault.writeSecret("new/secret/key", "secret value");
+// Write simple secret.
+vault.write("secret/new/key", "secret value");

-// Write complex data to arbitraty path
-Map<String, Object> map = [...]
-vault.write("any/path/to/write", map);
+// Write complex data.
+Map<String, Object> map = ...;
+vault.write("path/to/write", map);

-// Delete secret
-vault.delete("any/path/to/write");
+// Delete secret.
+vault.delete("path/to/delete");
 ```

 ### Token and role creation

 ```java
 // Create token using TokenBuilder
-Token token = new TokenBuilder().withId("token id")
-                                .withDisplayName("new test token")
-                                .withPolicies("pol1", "pol2")
-                                .build();
+Token token = Token.builder()
+                   .withId("token id")
+                   .withDisplayName("new test token")
+                   .withPolicies("pol1", "pol2")
+                   .build();
 vault.createToken(token);

 // Create AppRole credentials
@ -118,15 +118,10 @@ AppRoleSecretResponse secret = vault.createAppRoleSecret("testrole");

 ## Links

-[Project Page](http://jvault.stklcode.de)
+[Project Page](https://jvault.stklcode.de)

-[JavaDoc API](http://jvault.stklcode.de/apidocs/)
-
-## Planned features
-
-* Creation and modification of policies
-* Implement more authentication methods
+[JavaDoc API](https://jvault.stklcode.de/apidocs/)

 ## License

-The project is licensed under [Apache License 2.0](http://www.apache.org/licenses/LICENSE-2.0).
+The project is licensed under [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0).
--- a/assets/logo.png
+++ b/assets/logo.png
--- a/assets/logo.svg
+++ b/assets/logo.svg
@ -2,11 +2,11 @@
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
 <svg xmlns="http://www.w3.org/2000/svg" width="128" height="128">
    <path d="M4,12 l60,104 l60,-104 z" stroke="none" fill="#000000" />
-    <circle cx="78" cy="24" r="6" stroke="none" fill="#00a9c7" />
-    <circle cx="78" cy="38" r="6" stroke="none" fill="#00a9c7" />
-    <circle cx="78" cy="52" r="6" stroke="none" fill="#00a9c7" />
-    <circle cx="78" cy="66" r="6" stroke="none" fill="#00a9c7" />
-    <circle cx="72" cy="78" r="6" stroke="none" fill="#00a9c7" />
-    <circle cx="58" cy="78" r="6" stroke="none" fill="#00a9c7" />
-    <circle cx="52" cy="66" r="6" stroke="none" fill="#00a9c7" />
-</svg>
+    <rect x="74" y="20" width="8" height="8" stroke="none" fill="#00abe0" />
+    <rect x="74" y="34" width="8" height="8" stroke="none" fill="#00abe0" />
+    <rect x="74" y="48" width="8" height="8" stroke="none" fill="#00abe0" />
+    <rect x="74" y="62" width="8" height="8" stroke="none" fill="#00abe0" />
+    <rect x="68" y="74" width="8" height="8" stroke="none" fill="#00abe0" />
+    <rect x="54" y="74" width="8" height="8" stroke="none" fill="#00abe0" />
+    <rect x="48" y="62" width="8" height="8" stroke="none" fill="#00abe0" />
+</svg>
--- a/pom.xml
+++ b/pom.xml
@ -3,55 +3,146 @@
    <modelVersion>4.0.0</modelVersion>

    <groupId>de.stklcode.jvault</groupId>
-    <artifactId>connector</artifactId>
-    <version>0.7.1</version>
+    <artifactId>jvault-connector</artifactId>
+    <version>1.2.0</version>

    <packaging>jar</packaging>

    <name>jVaultConnector</name>
    <description>Connector artifact for Hashicorp's Vault secret management</description>
    <url>https://jvault.stklcode.de</url>
+    <inceptionYear>2016</inceptionYear>

    <licenses>
        <license>
            <name>Apache License 2.0</name>
-            <url>http://www.apache.org/licenses/LICENSE-2.0.html</url>
+            <url>https://www.apache.org/licenses/LICENSE-2.0.html</url>
            <distribution>repo</distribution>
        </license>
    </licenses>

+    <developers>
+        <developer>
+            <name>Stefan Kalscheuer</name>
+            <email>stefan@stklcode.de</email>
+            <timezone>Europe/Berlin</timezone>
+        </developer>
+    </developers>
+
+    <scm>
+        <connection>scm:git:git://github.com/stklcode/jvaultconnector.git</connection>
+        <developerConnection>scm:git:git@github.com:stklcode/jvaultconnector.git</developerConnection>
+        <url>https://github.com/stklcode/jvaultconnector</url>
+    </scm>
+
+    <issueManagement>
+        <system>GitHub Issues</system>
+        <url>https://github.com/stklcode/jvaultconnector/issues</url>
+    </issueManagement>
+
    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <argLine></argLine>
    </properties>

+    <dependencies>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+            <version>2.16.0</version>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.datatype</groupId>
+            <artifactId>jackson-datatype-jsr310</artifactId>
+            <version>2.16.0</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter</artifactId>
+            <version>5.10.1</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-core</artifactId>
+            <version>5.8.0</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.github.stefanbirkner</groupId>
+            <artifactId>system-lambda</artifactId>
+            <version>1.2.1</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.wiremock</groupId>
+            <artifactId>wiremock</artifactId>
+            <version>3.3.1</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <version>2.15.1</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>nl.jqno.equalsverifier</groupId>
+            <artifactId>equalsverifier</artifactId>
+            <version>3.15.4</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.awaitility</groupId>
+            <artifactId>awaitility</artifactId>
+            <version>4.2.0</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
    <build>
-        <plugins>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-compiler-plugin</artifactId>
-                <version>3.7.0</version>
-                <configuration>
-                    <source>1.8</source>
-                    <target>1.8</target>
-                </configuration>
-            </plugin>
-        </plugins>
        <pluginManagement>
            <plugins>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
-                    <artifactId>maven-clean-plugin</artifactId>
-                    <version>3.0.0</version>
+                    <artifactId>maven-compiler-plugin</artifactId>
+                    <version>3.11.0</version>
+                    <configuration>
+                        <source>11</source>
+                        <target>11</target>
+                    </configuration>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
-                    <artifactId>maven-resources-plugin</artifactId>
-                    <version>3.0.2</version>
+                    <artifactId>maven-clean-plugin</artifactId>
+                    <version>3.3.2</version>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-deploy-plugin</artifactId>
+                    <version>3.1.1</version>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-failsafe-plugin</artifactId>
+                    <version>3.2.2</version>
+                    <configuration>
+                        <argLine>
+                            @{argLine}
+                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.test=com.fasterxml.jackson.databind
+                        </argLine>
+                    </configuration>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-install-plugin</artifactId>
+                    <version>3.1.1</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-jar-plugin</artifactId>
-                    <version>3.0.2</version>
+                    <version>3.3.0</version>
                    <configuration>
                        <archive>
                            <manifestEntries>
@ -62,87 +153,218 @@
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
-                    <artifactId>maven-install-plugin</artifactId>
-                    <version>2.5.2</version>
+                    <artifactId>maven-resources-plugin</artifactId>
+                    <version>3.3.1</version>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-source-plugin</artifactId>
+                    <version>3.3.0</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-surefire-plugin</artifactId>
-                    <version>2.19.1</version>
-                    <dependencies>
-                        <dependency>
-                            <groupId>org.junit.platform</groupId>
-                            <artifactId>junit-platform-surefire-provider</artifactId>
-                            <version>1.1.0</version>
-                        </dependency>
-                    </dependencies>
+                    <version>3.2.2</version>
+                    <configuration>
+                        <argLine>
+                            @{argLine}
+                            --add-opens java.base/java.util=ALL-UNNAMED
+                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector=ALL-UNNAMED
+                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.exception=ALL-UNNAMED
+                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.model=ALL-UNNAMED
+                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.model.response=ALL-UNNAMED
+                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.model.response.embedded=ALL-UNNAMED
+                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.test=com.fasterxml.jackson.databind
+                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.test=com.fasterxml.jackson.datatype.jsr310
+                        </argLine>
+                    </configuration>
+                </plugin>
+                <plugin>
+                    <groupId>org.jacoco</groupId>
+                    <artifactId>jacoco-maven-plugin</artifactId>
+                    <version>0.8.11</version>
+                </plugin>
+                <plugin>
+                    <groupId>org.sonarsource.scanner.maven</groupId>
+                    <artifactId>sonar-maven-plugin</artifactId>
+                    <version>3.10.0.2594</version>
                </plugin>
            </plugins>
        </pluginManagement>
    </build>

-    <dependencies>
-        <dependency>
-            <groupId>org.apache.httpcomponents</groupId>
-            <artifactId>httpcore</artifactId>
-            <version>4.4.9</version>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.httpcomponents</groupId>
-            <artifactId>httpclient</artifactId>
-            <version>4.5.5</version>
-        </dependency>
-        <dependency>
-            <groupId>com.fasterxml.jackson.core</groupId>
-            <artifactId>jackson-core</artifactId>
-            <version>2.9.4</version>
-        </dependency>
-        <dependency>
-            <groupId>com.fasterxml.jackson.core</groupId>
-            <artifactId>jackson-databind</artifactId>
-            <version>2.9.4</version>
-        </dependency>
+    <profiles>
+        <profile>
+            <id>sources</id>
+            <activation>
+                <activeByDefault>false</activeByDefault>
+            </activation>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-source-plugin</artifactId>
+                        <executions>
+                            <execution>
+                                <id>attach-sources</id>
+                                <goals>
+                                    <goal>jar-no-fork</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>

-        <dependency>
-            <groupId>org.junit.jupiter</groupId>
-            <artifactId>junit-jupiter-engine</artifactId>
-            <version>5.1.0</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.junit.jupiter</groupId>
-            <artifactId>junit-jupiter-migrationsupport</artifactId>
-            <version>5.1.0</version>
-        </dependency>
-        <dependency>
-            <groupId>org.hamcrest</groupId>
-            <artifactId>hamcrest-junit</artifactId>
-            <version>2.0.0.0</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>com.github.stefanbirkner</groupId>
-            <artifactId>system-rules</artifactId>
-            <version>1.17.1</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.mockito</groupId>
-            <artifactId>mockito-core</artifactId>
-            <version>2.15.0</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.mockito</groupId>
-            <artifactId>mockito-inline</artifactId>
-            <version>2.15.0</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>commons-io</groupId>
-            <artifactId>commons-io</artifactId>
-            <version>2.6</version>
-            <scope>test</scope>
-        </dependency>
-    </dependencies>
+        <profile>
+            <id>javadoc</id>
+            <activation>
+                <activeByDefault>false</activeByDefault>
+            </activation>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-javadoc-plugin</artifactId>
+                        <version>3.6.2</version>
+                        <configuration>
+                            <source>11</source>
+                        </configuration>
+                        <executions>
+                            <execution>
+                                <id>attach-javadocs</id>
+                                <goals>
+                                    <goal>jar</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+
+        <profile>
+            <id>sign</id>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-gpg-plugin</artifactId>
+                        <version>3.1.0</version>
+                        <executions>
+                            <execution>
+                                <id>sign-artifacts</id>
+                                <phase>verify</phase>
+                                <goals>
+                                    <goal>sign</goal>
+                                </goals>
+                                <configuration>
+                                    <keyname>${gpg.keyname}</keyname>
+                                </configuration>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+
+        <profile>
+            <id>coverage</id>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.jacoco</groupId>
+                        <artifactId>jacoco-maven-plugin</artifactId>
+                        <executions>
+                            <execution>
+                                <id>default-prepare-agent</id>
+                                <goals>
+                                    <goal>prepare-agent</goal>
+                                </goals>
+                            </execution>
+                            <execution>
+                                <id>default-report</id>
+                                <goals>
+                                    <goal>report</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+
+        <profile>
+            <id>integration-test</id>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-failsafe-plugin</artifactId>
+                        <executions>
+                            <execution>
+                                <goals>
+                                    <goal>integration-test</goal>
+                                    <goal>verify</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+
+        <profile>
+            <id>dependency-check</id>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.owasp</groupId>
+                        <artifactId>dependency-check-maven</artifactId>
+                        <version>9.0.4</version>
+                        <configuration>
+                            <nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>
+                            <nvdDatafeedUrl>${env.NVD_DATAFEED_URL}</nvdDatafeedUrl>
+                        </configuration>
+                        <executions>
+                            <execution>
+                                <goals>
+                                    <goal>check</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+
+        <profile>
+            <id>sonatype</id>
+            <distributionManagement>
+                <repository>
+                    <id>ossrh</id>
+                    <url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url>
+                </repository>
+                <snapshotRepository>
+                    <id>ossrh</id>
+                    <url>https://oss.sonatype.org/content/repositories/snapshots</url>
+                </snapshotRepository>
+            </distributionManagement>
+        </profile>
+
+        <profile>
+            <id>local</id>
+            <distributionManagement>
+                <repository>
+                    <id>stklcode</id>
+                    <url>${dist.repo.local}</url>
+                </repository>
+                <snapshotRepository>
+                    <id>stklcode</id>
+                    <url>${dist.repo.local.snapshot}</url>
+                </snapshotRepository>
+            </distributionManagement>
+        </profile>
+    </profiles>
 </project>
--- a/src/main/java/de/stklcode/jvault/connector/HTTPVaultConnector.java
+++ b/src/main/java/de/stklcode/jvault/connector/HTTPVaultConnector.java
--- a/src/main/java/de/stklcode/jvault/connector/factory/HTTPVaultConnectorFactory.java
+++ b/src/main/java/de/stklcode/jvault/connector/factory/HTTPVaultConnectorFactory.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -14,35 +14,33 @@
 * limitations under the License.
 */

-package de.stklcode.jvault.connector.factory;
+package de.stklcode.jvault.connector;

-import de.stklcode.jvault.connector.HTTPVaultConnector;
 import de.stklcode.jvault.connector.exception.ConnectionException;
 import de.stklcode.jvault.connector.exception.TlsException;
 import de.stklcode.jvault.connector.exception.VaultConnectorException;

-import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
 import java.io.IOException;
-import java.io.InputStream;
 import java.net.MalformedURLException;
+import java.net.URI;
+import java.net.URISyntaxException;
 import java.net.URL;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
-import java.security.*;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
+import java.util.Objects;

 /**
- * Vault Connector Factory implementation for HTTP Vault connectors.
+ * Vault Connector Builder implementation for HTTP Vault connectors.
 *
 * @author Stefan Kalscheuer
- * @since 0.1
+ * @since 0.8.0
+ * @since 0.9.5 Package {@link de.stklcode.jvault.connector}
 */
-public final class HTTPVaultConnectorFactory extends VaultConnectorFactory {
+public final class HTTPVaultConnectorBuilder {
    private static final String ENV_VAULT_ADDR = "VAULT_ADDR";
    private static final String ENV_VAULT_CACERT = "VAULT_CACERT";
    private static final String ENV_VAULT_TOKEN = "VAULT_TOKEN";
@ -51,14 +49,16 @@ public final class HTTPVaultConnectorFactory extends VaultConnectorFactory {
    public static final String DEFAULT_HOST = "127.0.0.1";
    public static final Integer DEFAULT_PORT = 8200;
    public static final boolean DEFAULT_TLS = true;
+    public static final String DEFAULT_TLS_VERSION = "TLSv1.2";
    public static final String DEFAULT_PREFIX = "/v1/";
    public static final int DEFAULT_NUMBER_OF_RETRIES = 0;

    private String host;
    private Integer port;
    private boolean tls;
+    private String tlsVersion;
    private String prefix;
-    private SSLContext sslContext;
+    private X509Certificate trustedCA;
    private int numberOfRetries;
    private Integer timeout;
    private String token;
@ -67,53 +67,149 @@ public final class HTTPVaultConnectorFactory extends VaultConnectorFactory {
     * Default empty constructor.
     * Initializes factory with default values.
     */
-    public HTTPVaultConnectorFactory() {
+    HTTPVaultConnectorBuilder() {
        host = DEFAULT_HOST;
        port = DEFAULT_PORT;
        tls = DEFAULT_TLS;
+        tlsVersion = DEFAULT_TLS_VERSION;
        prefix = DEFAULT_PREFIX;
        numberOfRetries = DEFAULT_NUMBER_OF_RETRIES;
    }

+    /**
+     * Set base URL, e.g. "protocol://host:port/prefix".
+     *
+     * @param baseURL Base URL
+     * @return self
+     * @throws URISyntaxException Invalid URI syntax.
+     * @since 1.0
+     */
+    public HTTPVaultConnectorBuilder withBaseURL(final String baseURL) throws URISyntaxException {
+        return withBaseURL(new URI(baseURL));
+    }
+
+    /**
+     * Set base URL, e.g. "protocol://host:port/prefix".
+     *
+     * @param baseURL Base URL
+     * @return self
+     * @since 1.0
+     */
+    public HTTPVaultConnectorBuilder withBaseURL(final URI baseURL) {
+        return withTLS(!("http".equalsIgnoreCase(Objects.requireNonNullElse(baseURL.getScheme(), ""))))
+                .withHost(baseURL.getHost())
+                .withPort(baseURL.getPort())
+                .withPrefix(baseURL.getPath());
+    }
+
    /**
     * Set hostname (default: 127.0.0.1).
     *
     * @param host Hostname or IP address
     * @return self
     */
-    public HTTPVaultConnectorFactory withHost(final String host) {
+    public HTTPVaultConnectorBuilder withHost(final String host) {
        this.host = host;
        return this;
    }

+    /**
+     * Get hostname.
+     *
+     * @return Hostname or IP address
+     */
+    String getHost() {
+        return this.host;
+    }
+
    /**
     * Set port (default: 8200).
+     * A value of {@code null} or {@code -1} indicates that no port is specified, i.e. the protocol default is used.
+     * Otherwise, a valid port number between 1 and 65535 is expected.
     *
     * @param port Vault TCP port
     * @return self
     */
-    public HTTPVaultConnectorFactory withPort(final Integer port) {
-        this.port = port;
+    public HTTPVaultConnectorBuilder withPort(final Integer port) {
+        if (port == null || port < 0) {
+            this.port = null;
+        } else if (port < 1 || port > 65535) {
+            throw new IllegalArgumentException("Port number " + port + " out of range");
+        } else {
+            this.port = port;
+        }
        return this;
    }

+    /**
+     * Set port..
+     *
+     * @return Vault TCP port
+     */
+    Integer getPort() {
+        return this.port;
+    }
+
    /**
     * Set TLS usage (default: TRUE).
     *
     * @param useTLS use TLS or not
     * @return self
     */
-    public HTTPVaultConnectorFactory withTLS(final boolean useTLS) {
+    public HTTPVaultConnectorBuilder withTLS(final boolean useTLS) {
        this.tls = useTLS;
        return this;
    }

+    /**
+     * Get TLS usage flag.
+     *
+     * @return use TLS or not
+     */
+    boolean isWithTLS() {
+        return this.tls;
+    }
+
+    /**
+     * Get TLS version.
+     *
+     * @return TLS version.
+     */
+    String getTlsVersion() {
+        return this.tlsVersion;
+    }
+
+    /**
+     * Set TLS usage (default: TRUE).
+     *
+     * @param useTLS  Use TLS or not.
+     * @param version Supported TLS version ({@code TLSv1.2}, {@code TLSv1.1}, {@code TLSv1.0}, {@code TLS}).
+     * @return self
+     * @since 0.8 Added version parameter (#22).
+     */
+    public HTTPVaultConnectorBuilder withTLS(final boolean useTLS, final String version) {
+        this.tls = useTLS;
+        this.tlsVersion = version;
+        return this;
+    }
+
+    /**
+     * Convenience Method for TLS usage (enabled by default).
+     *
+     * @param version Supported TLS version ({@code TLSv1.2}, {@code TLSv1.1}, {@code TLSv1.0}, {@code TLS}).
+     * @return self
+     * @since 0.8 Added version parameter (#22).
+     */
+    public HTTPVaultConnectorBuilder withTLS(final String version) {
+        return withTLS(true, version);
+    }
+
    /**
     * Convenience Method for TLS usage (enabled by default).
     *
     * @return self
     */
-    public HTTPVaultConnectorFactory withTLS() {
+    public HTTPVaultConnectorBuilder withTLS() {
        return withTLS(true);
    }

@ -122,48 +218,68 @@ public final class HTTPVaultConnectorFactory extends VaultConnectorFactory {
     *
     * @return self
     */
-    public HTTPVaultConnectorFactory withoutTLS() {
+    public HTTPVaultConnectorBuilder withoutTLS() {
        return withTLS(false);
    }

    /**
     * Set API prefix. Default is "/v1/" and changes should not be necessary for current state of development.
     *
-     * @param prefix Vault API prefix (default: "/v1/"
+     * @param prefix Vault API prefix (default: "/v1/")
     * @return self
     */
-    public HTTPVaultConnectorFactory withPrefix(final String prefix) {
+    public HTTPVaultConnectorBuilder withPrefix(final String prefix) {
        this.prefix = prefix;
        return this;
    }

    /**
-     * Add a trusted CA certifiate for HTTPS connections.
+     * Get API prefix.
+     *
+     * @return Vault API prefix.
+     */
+    String getPrefix() {
+        return this.prefix;
+    }
+
+    /**
+     * Add a trusted CA certificate for HTTPS connections.
     *
     * @param cert path to certificate file
     * @return self
     * @throws VaultConnectorException on error
     * @since 0.4.0
     */
-    public HTTPVaultConnectorFactory withTrustedCA(final Path cert) throws VaultConnectorException {
-        if (cert != null)
-            return withSslContext(createSslContext(cert));
+    public HTTPVaultConnectorBuilder withTrustedCA(final Path cert) throws VaultConnectorException {
+        if (cert != null) {
+            return withTrustedCA(certificateFromFile(cert));
+        } else {
+            this.trustedCA = null;
+        }
        return this;
    }

    /**
-     * Add a custom SSL context.
-     * Overwrites certificates set by {@link #withTrustedCA}.
+     * Add a trusted CA certificate for HTTPS connections.
     *
-     * @param sslContext the SSL context
+     * @param cert path to certificate file
     * @return self
-     * @since 0.4.0
+     * @since 0.8.0
     */
-    public HTTPVaultConnectorFactory withSslContext(final SSLContext sslContext) {
-        this.sslContext = sslContext;
+    public HTTPVaultConnectorBuilder withTrustedCA(final X509Certificate cert) {
+        this.trustedCA = cert;
        return this;
    }

+    /**
+     * Get the trusted CA certificate for HTTPS connections.
+     *
+     * @return path to certificate file, if specified.
+     */
+    X509Certificate getTrustedCA() {
+        return this.trustedCA;
+    }
+
    /**
     * Set token for automatic authentication, using {@link #buildAndAuth()}.
     *
@ -171,7 +287,7 @@ public final class HTTPVaultConnectorFactory extends VaultConnectorFactory {
     * @return self
     * @since 0.6.0
     */
-    public HTTPVaultConnectorFactory withToken(final String token) {
+    public HTTPVaultConnectorBuilder withToken(final String token) {
        this.token = token;
        return this;
    }
@ -183,11 +299,11 @@ public final class HTTPVaultConnectorFactory extends VaultConnectorFactory {
     * @throws VaultConnectorException if Vault address from environment variables is malformed
     * @since 0.6.0
     */
-    public HTTPVaultConnectorFactory fromEnv() throws VaultConnectorException {
+    public HTTPVaultConnectorBuilder fromEnv() throws VaultConnectorException {
        /* Parse URL from environment variable */
        if (System.getenv(ENV_VAULT_ADDR) != null && !System.getenv(ENV_VAULT_ADDR).trim().isEmpty()) {
            try {
-                URL url = new URL(System.getenv(ENV_VAULT_ADDR));
+                var url = new URL(System.getenv(ENV_VAULT_ADDR));
                this.host = url.getHost();
                this.port = url.getPort();
                this.tls = url.getProtocol().equals("https");
@ -222,11 +338,20 @@ public final class HTTPVaultConnectorFactory extends VaultConnectorFactory {
     * @return self
     * @since 0.6.0
     */
-    public HTTPVaultConnectorFactory withNumberOfRetries(final int numberOfRetries) {
+    public HTTPVaultConnectorBuilder withNumberOfRetries(final int numberOfRetries) {
        this.numberOfRetries = numberOfRetries;
        return this;
    }

+    /**
+     * Get the number of retries to attempt on 5xx errors.
+     *
+     * @return The number of retries to attempt on 5xx errors (default: 0)
+     */
+    int getNumberOfRetries() {
+        return this.numberOfRetries;
+    }
+
    /**
     * Define a custom timeout for the HTTP connection.
     *
@ -234,66 +359,45 @@ public final class HTTPVaultConnectorFactory extends VaultConnectorFactory {
     * @return self
     * @since 0.6.0
     */
-    public HTTPVaultConnectorFactory withTimeout(final int milliseconds) {
+    public HTTPVaultConnectorBuilder withTimeout(final int milliseconds) {
        this.timeout = milliseconds;
        return this;
    }

-    @Override
-    public HTTPVaultConnector build() {
-        return new HTTPVaultConnector(host, tls, port, prefix, sslContext, numberOfRetries, timeout);
+    /**
+     * Get custom timeout for the HTTP connection.
+     *
+     * @return Timeout value in milliseconds.
+     */
+    Integer getTimeout() {
+        return this.timeout;
    }

-    @Override
+    /**
+     * Build command, produces connector after initialization.
+     *
+     * @return Vault Connector instance.
+     */
+    public HTTPVaultConnector build() {
+        return new HTTPVaultConnector(this);
+    }
+
+    /**
+     * Build connector and authenticate with token set in factory or from environment.
+     *
+     * @return Authenticated Vault connector instance.
+     * @throws VaultConnectorException if authentication failed
+     * @since 0.6.0
+     */
    public HTTPVaultConnector buildAndAuth() throws VaultConnectorException {
-        if (token == null)
+        if (token == null) {
            throw new ConnectionException("No vault token provided, unable to authenticate.");
-        HTTPVaultConnector con = new HTTPVaultConnector(host, tls, port, prefix, sslContext, numberOfRetries, timeout);
+        }
+        HTTPVaultConnector con = build();
        con.authToken(token);
        return con;
    }

-    /**
-     * Create SSL Context trusting only provided certificate.
-     *
-     * @param trustedCert Path to trusted CA certificate
-     * @return SSL context
-     * @throws TlsException on errors
-     * @since 0.4.0
-     */
-    private SSLContext createSslContext(final Path trustedCert) throws TlsException {
-        try {
-            SSLContext context = SSLContext.getInstance("TLS");
-            context.init(null, createTrustManager(trustedCert), new SecureRandom());
-            return context;
-        } catch (NoSuchAlgorithmException | KeyManagementException e) {
-            throw new TlsException("Unable to intialize SSLContext", e);
-        }
-    }
-
-    /**
-     * Create a custom TrustManager for given CA certificate file.
-     *
-     * @param trustedCert Path to trusted CA certificate
-     * @return TrustManger
-     * @throws TlsException on error
-     * @since 0.4.0
-     */
-    private TrustManager[] createTrustManager(final Path trustedCert) throws TlsException {
-        try {
-            /* Create Keystore with trusted certificate */
-            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
-            keyStore.load(null, null);
-            keyStore.setCertificateEntry("trustedCert", certificateFromFile(trustedCert));
-            /* Initialize TrustManager */
-            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-            tmf.init(keyStore);
-            return tmf.getTrustManagers();
-        } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException e) {
-            throw new TlsException("Unable to initialize TrustManager", e);
-        }
-    }
-
    /**
     * Read given certificate file to X.509 certificate.
     *
@ -303,7 +407,7 @@ public final class HTTPVaultConnectorFactory extends VaultConnectorFactory {
     * @since 0.4.0
     */
    private X509Certificate certificateFromFile(final Path certFile) throws TlsException {
-        try (InputStream is = Files.newInputStream(certFile)) {
+        try (var is = Files.newInputStream(certFile)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(is);
        } catch (IOException | CertificateException e) {
            throw new TlsException("Unable to read certificate.", e);
--- a/src/main/java/de/stklcode/jvault/connector/VaultConnector.java
+++ b/src/main/java/de/stklcode/jvault/connector/VaultConnector.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,13 +16,13 @@

 package de.stklcode.jvault.connector;

-import de.stklcode.jvault.connector.exception.InvalidRequestException;
 import de.stklcode.jvault.connector.exception.VaultConnectorException;
 import de.stklcode.jvault.connector.model.*;
 import de.stklcode.jvault.connector.model.response.*;

+import java.io.Serializable;
 import java.util.ArrayList;
-import java.util.HashMap;
+import java.util.Collections;
 import java.util.List;
 import java.util.Map;

@ -33,11 +33,7 @@ import java.util.Map;
 * @author Stefan Kalscheuer
 * @since 0.1
 */
-public interface VaultConnector extends AutoCloseable {
-    /**
-     * Default sub-path for Vault secrets.
-     */
-    String PATH_SECRET = "secret";
+public interface VaultConnector extends AutoCloseable, Serializable {

    /**
     * Reset authorization information.
@ -90,7 +86,7 @@ public interface VaultConnector extends AutoCloseable {
    HealthResponse getHealth() throws VaultConnectorException;

    /**
-     * Get all availale authentication backends.
+     * Get all available authentication backends.
     *
     * @return List of backends
     * @throws VaultConnectorException on error
@ -123,9 +119,10 @@ public interface VaultConnector extends AutoCloseable {
     * @param userID The User ID
     * @return The {@link AuthResponse}
     * @throws VaultConnectorException on error
-     * @deprecated As of Vault 0.6.1 App-ID is superseded by AppRole. Consider using {@link #authAppRole} instead.
+     * @deprecated As of Vault 0.6.1 App-ID is superseded by AppRole. App-ID was removed in Vault 1.12.
+     * Consider using {@link #authAppRole} instead.
     */
-    @Deprecated
+    @Deprecated(since = "0.4", forRemoval = true)
    AuthResponse authAppId(final String appID, final String userID) throws VaultConnectorException;

    /**
@ -159,9 +156,10 @@ public interface VaultConnector extends AutoCloseable {
     * @param displayName Arbitrary name to display
     * @return {@code true} on success
     * @throws VaultConnectorException on error
-     * @deprecated As of Vault 0.6.1 App-ID is superseded by AppRole. Consider using {@link #createAppRole} instead.
+     * @deprecated As of Vault 0.6.1 App-ID is superseded by AppRole. App-ID was removed in Vault 1.12.
+     * Consider using {@link #createAppRole} instead.
     */
-    @Deprecated
+    @Deprecated(since = "0.4", forRemoval = true)
    boolean registerAppId(final String appID, final String policy, final String displayName)
            throws VaultConnectorException;

@ -225,14 +223,14 @@ public interface VaultConnector extends AutoCloseable {
     */
    default boolean createAppRole(final String roleName, final List<String> policies, final String roleID)
            throws VaultConnectorException {
-        return createAppRole(new AppRoleBuilder(roleName).withPolicies(policies).withId(roleID).build());
+        return createAppRole(AppRole.builder(roleName).withTokenPolicies(policies).withId(roleID).build());
    }

    /**
     * Delete AppRole role from Vault.
     *
-     * @param roleName The role anme
-     * @return {@code true} on succevss
+     * @param roleName The role name
+     * @return {@code true} on success
     * @throws VaultConnectorException on error
     */
    boolean deleteAppRole(final String roleName) throws VaultConnectorException;
@ -353,10 +351,10 @@ public interface VaultConnector extends AutoCloseable {
     * @param userID The User-ID
     * @return {@code true} on success
     * @throws VaultConnectorException on error
-     * @deprecated As of Vault 0.6.1 App-ID is superseded by AppRole.
-     *             Consider using {@link #createAppRoleSecret} instead.
+     * @deprecated As of Vault 0.6.1 App-ID is superseded by AppRole. App-ID was removed in Vault 1.12.
+     * Consider using {@link #createAppRoleSecret} instead.
     */
-    @Deprecated
+    @Deprecated(since = "0.4", forRemoval = true)
    boolean registerUserId(final String appID, final String userID) throws VaultConnectorException;

    /**
@ -368,9 +366,9 @@ public interface VaultConnector extends AutoCloseable {
     * @param userID      The User-ID
     * @return {@code true} on success
     * @throws VaultConnectorException on error
-     * @deprecated As of Vault 0.6.1 App-ID is superseded by AppRole.
+     * @deprecated As of Vault 0.6.1 App-ID is superseded by AppRole. App-ID was removed in Vault 1.12.
     */
-    @Deprecated
+    @Deprecated(since = "0.4", forRemoval = true)
    default boolean registerAppUserId(final String appID,
                                      final String policy,
                                      final String displayName,
@ -396,17 +394,107 @@ public interface VaultConnector extends AutoCloseable {
    SecretResponse read(final String key) throws VaultConnectorException;

    /**
-     * Retrieve secret from Vault.
-     * Prefix "secret/" is automatically added to key.
+     * Retrieve the latest secret data for specific version from Vault.
+     * <br>
+     * Path {@code <mount>/data/<key>} is read here.
+     * Only available for KV v2 secrets.
     *
-     * @param key Secret identifier
+     * @param mount Secret store mount point (without leading or trailing slash).
+     * @param key   Secret identifier
     * @return Secret response
     * @throws VaultConnectorException on error
+     * @since 0.8
     */
-    default SecretResponse readSecret(final String key) throws VaultConnectorException {
-        return read(PATH_SECRET + "/" + key);
+    default SecretResponse readSecretData(final String mount, final String key) throws VaultConnectorException {
+        return readSecretVersion(mount, key, null);
    }

+    /**
+     * Write secret to Vault.
+     * <br>
+     * Path {@code <mount>/data/<key>} is written here.
+     * Only available for KV v2 secrets.
+     *
+     * @param mount Secret store mount point (without leading or trailing slash).
+     * @param key   Secret identifier
+     * @param data  Secret content. Value must be be JSON serializable.
+     * @return Metadata for the created/updated secret.
+     * @throws VaultConnectorException on error
+     * @since 0.8
+     */
+    default SecretVersionResponse writeSecretData(final String mount,
+                                                  final String key,
+                                                  final Map<String, Object> data) throws VaultConnectorException {
+        return writeSecretData(mount, key, data, null);
+    }
+
+    /**
+     * Write secret to Vault.
+     * <br>
+     * Path {@code <mount>/data/<key>} is written here.
+     * Only available for KV v2 secrets.
+     *
+     * @param mount Secret store mount point (without leading or trailing slash).
+     * @param key   Secret identifier
+     * @param data  Secret content. Value must be be JSON serializable.
+     * @param cas   Use Check-And-Set operation, i.e. only allow writing if current version matches this value.
+     * @return Metadata for the created/updated secret.
+     * @throws VaultConnectorException on error
+     * @since 0.8
+     */
+    SecretVersionResponse writeSecretData(final String mount,
+                                          final String key,
+                                          final Map<String, Object> data,
+                                          final Integer cas) throws VaultConnectorException;
+
+    /**
+     * Retrieve secret data from Vault.
+     * <br>
+     * Path {@code <mount>/data/<key>} is read here.
+     * Only available for KV v2 secrets.
+     *
+     * @param mount   Secret store mount point (without leading or trailing slash).
+     * @param key     Secret identifier
+     * @param version Version to read. If {@code null} or zero, the latest version will be returned.
+     * @return Secret response.
+     * @throws VaultConnectorException on error
+     * @since 0.8
+     */
+    SecretResponse readSecretVersion(final String mount, final String key, final Integer version)
+            throws VaultConnectorException;
+
+    /**
+     * Retrieve secret metadata from Vault.
+     * <br>
+     * Path {@code <mount>/metadata/<key>} is read here.
+     * Only available for KV v2 secrets.
+     *
+     * @param mount Secret store mount point (without leading or trailing slash).
+     * @param key   Secret identifier
+     * @return Metadata response
+     * @throws VaultConnectorException on error
+     * @since 0.8
+     */
+    MetadataResponse readSecretMetadata(final String mount, final String key) throws VaultConnectorException;
+
+    /**
+     * Update secret metadata.
+     * <br>
+     * Path {@code <mount>/metadata/<key>} is written here.
+     * Only available for KV v2 secrets.
+     *
+     * @param mount       Secret store mount point (without leading or trailing slash).
+     * @param key         Secret identifier
+     * @param maxVersions Maximum number of versions (fallback to backend default if {@code null})
+     * @param casRequired Specify if Check-And-Set is required for this secret.
+     * @throws VaultConnectorException on error
+     * @since 0.8
+     */
+    void updateSecretMetadata(final String mount,
+                              final String key,
+                              final Integer maxVersions,
+                              final boolean casRequired) throws VaultConnectorException;
+
    /**
     * List available nodes from Vault.
     *
@ -417,18 +505,6 @@ public interface VaultConnector extends AutoCloseable {
     */
    List<String> list(final String path) throws VaultConnectorException;

-    /**
-     * List available secrets from Vault.
-     * Prefix "secret/" is automatically added to path.
-     *
-     * @param path Root path to search
-     * @return List of secret keys
-     * @throws VaultConnectorException on error
-     */
-    default List<String> listSecrets(final String path) throws VaultConnectorException {
-        return list(PATH_SECRET + "/" + path);
-    }
-
    /**
     * Write simple value to Vault.
     *
@ -438,9 +514,7 @@ public interface VaultConnector extends AutoCloseable {
     * @since 0.5.0
     */
    default void write(final String key, final String value) throws VaultConnectorException {
-        Map<String, Object> param = new HashMap<>();
-        param.put("value", value);
-        write(key, param);
+        write(key, Collections.singletonMap("value", value));
    }

    /**
@ -451,37 +525,21 @@ public interface VaultConnector extends AutoCloseable {
     * @throws VaultConnectorException on error
     * @since 0.5.0
     */
-    void write(final String key, final Map<String, Object> data) throws VaultConnectorException;
-
-    /**
-     * Write secret to Vault.
-     * Prefix "secret/" is automatically added to path.
-     *
-     * @param key   Secret path
-     * @param value Secret value
-     * @throws VaultConnectorException on error
-     */
-    default void writeSecret(final String key, final String value) throws VaultConnectorException {
-        Map<String, Object> param = new HashMap<>();
-        param.put("value", value);
-        writeSecret(key, param);
+    default void write(final String key, final Map<String, Object> data) throws VaultConnectorException {
+        write(key, data, null);
    }

    /**
-     * Write secret to Vault.
-     * Prefix "secret/" is automatically added to path.
+     * Write value to Vault.
     *
-     * @param key  Secret path
-     * @param data Secret content. Value must be be JSON serializable.
+     * @param key     Secret path
+     * @param data    Secret content. Value must be be JSON serializable.
+     * @param options Secret options (optional).
     * @throws VaultConnectorException on error
-     * @since 0.5.0
+     * @since 0.8 {@code options} parameter added
     */
-    default void writeSecret(final String key, final Map<String, Object> data) throws VaultConnectorException {
-        if (key == null || key.isEmpty()) {
-            throw new InvalidRequestException("Secret path must not be empty.");
-        }
-        write(PATH_SECRET + "/" + key, data);
-    }
+    void write(final String key, final Map<String, Object> data, final Map<String, Object> options)
+            throws VaultConnectorException;

    /**
     * Delete key from Vault.
@ -493,15 +551,69 @@ public interface VaultConnector extends AutoCloseable {
    void delete(final String key) throws VaultConnectorException;

    /**
-     * Delete secret from Vault.
-     * Prefix "secret/" is automatically added to path.
+     * Delete latest version of a secret from Vault.
+     * <br>
+     * Only available for KV v2 stores.
     *
-     * @param key Secret path
+     * @param mount Secret store mount point (without leading or trailing slash).
+     * @param key   Secret path.
     * @throws VaultConnectorException on error
+     * @since 0.8
     */
-    default void deleteSecret(final String key) throws VaultConnectorException {
-        delete(PATH_SECRET + "/" + key);
-    }
+    void deleteLatestSecretVersion(final String mount, final String key) throws VaultConnectorException;
+
+    /**
+     * Delete latest version of a secret from Vault.
+     * <br>
+     * Prefix {@code secret/} is automatically added to path.
+     * Only available for KV v2 stores.
+     *
+     * @param mount Secret store mount point (without leading or trailing slash).
+     * @param key   Secret path.
+     * @throws VaultConnectorException on error
+     * @since 0.8
+     */
+    void deleteAllSecretVersions(final String mount, final String key) throws VaultConnectorException;
+
+    /**
+     * Delete secret versions from Vault.
+     * <br>
+     * Only available for KV v2 stores.
+     *
+     * @param mount    Secret store mount point (without leading or trailing slash).
+     * @param key      Secret path.
+     * @param versions Versions of the secret to delete.
+     * @throws VaultConnectorException on error
+     * @since 0.8
+     */
+    void deleteSecretVersions(final String mount, final String key, final int... versions)
+            throws VaultConnectorException;
+
+    /**
+     * Undelete (restore) secret versions from Vault.
+     * Only available for KV v2 stores.
+     *
+     * @param mount    Secret store mount point (without leading or trailing slash).
+     * @param key      Secret path.
+     * @param versions Versions of the secret to undelete.
+     * @throws VaultConnectorException on error
+     * @since 0.8
+     */
+    void undeleteSecretVersions(final String mount, final String key, final int... versions)
+            throws VaultConnectorException;
+
+    /**
+     * Destroy secret versions from Vault.
+     * Only available for KV v2 stores.
+     *
+     * @param mount    Secret store mount point (without leading or trailing slash).
+     * @param key      Secret path.
+     * @param versions Versions of the secret to destroy.
+     * @throws VaultConnectorException on error
+     * @since 0.8
+     */
+    void destroySecretVersions(final String mount, final String key, final int... versions)
+            throws VaultConnectorException;

    /**
     * Revoke given lease immediately.
@ -570,10 +682,62 @@ public interface VaultConnector extends AutoCloseable {
     */
    TokenResponse lookupToken(final String token) throws VaultConnectorException;

+    /**
+     * Create a new or update an existing token role.
+     *
+     * @param role the role entity (name must be set)
+     * @return {@code true} on success
+     * @throws VaultConnectorException on error
+     * @since 0.9
+     */
+    default boolean createOrUpdateTokenRole(final TokenRole role) throws VaultConnectorException {
+        return createOrUpdateTokenRole(role.getName(), role);
+    }
+
+    /**
+     * Create a new or update an existing token role.
+     *
+     * @param name the role name (overrides name possibly set in role entity)
+     * @param role the role entity
+     * @return {@code true} on success
+     * @throws VaultConnectorException on error
+     * @since 0.9
+     */
+    boolean createOrUpdateTokenRole(final String name, final TokenRole role) throws VaultConnectorException;
+
+    /**
+     * Lookup token information.
+     *
+     * @param name the role name
+     * @return the result response
+     * @throws VaultConnectorException on error
+     * @since 0.9
+     */
+    TokenRoleResponse readTokenRole(final String name) throws VaultConnectorException;
+
+    /**
+     * List available token roles from Vault.
+     *
+     * @return List of token roles
+     * @throws VaultConnectorException on error
+     * @since 0.9
+     */
+    List<String> listTokenRoles() throws VaultConnectorException;
+
+    /**
+     * Delete a token role.
+     *
+     * @param name the role name to delete
+     * @return {@code true} on success
+     * @throws VaultConnectorException on error
+     * @since 0.9
+     */
+    boolean deleteTokenRole(final String name) throws VaultConnectorException;
+
    /**
     * Read credentials for MySQL backend at default mount point.
     *
-     * @param role  the role name
+     * @param role the role name
     * @return the credentials response
     * @throws VaultConnectorException on error
     * @since 0.5.0
@ -585,7 +749,7 @@ public interface VaultConnector extends AutoCloseable {
    /**
     * Read credentials for PostgreSQL backend at default mount point.
     *
-     * @param role  the role name
+     * @param role the role name
     * @return the credentials response
     * @throws VaultConnectorException on error
     * @since 0.5.0
@ -597,7 +761,7 @@ public interface VaultConnector extends AutoCloseable {
    /**
     * Read credentials for MSSQL backend at default mount point.
     *
-     * @param role  the role name
+     * @param role the role name
     * @return the credentials response
     * @throws VaultConnectorException on error
     * @since 0.5.0
@ -609,7 +773,7 @@ public interface VaultConnector extends AutoCloseable {
    /**
     * Read credentials for MSSQL backend at default mount point.
     *
-     * @param role  the role name
+     * @param role the role name
     * @return the credentials response
     * @throws VaultConnectorException on error
     * @since 0.5.0
--- a/src/main/java/de/stklcode/jvault/connector/exception/AuthorizationRequiredException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/AuthorizationRequiredException.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,8 +19,8 @@ package de.stklcode.jvault.connector.exception;
 /**
 * Exception thrown trying to do a request without any authorization handles.
 *
- * @author  Stefan Kalscheuer
- * @since   0.1
+ * @author Stefan Kalscheuer
+ * @since 0.1
 */
 public class AuthorizationRequiredException extends VaultConnectorException {
 }
--- a/src/main/java/de/stklcode/jvault/connector/exception/ConnectionException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/ConnectionException.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/exception/InvalidRequestException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/InvalidRequestException.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,8 +19,8 @@ package de.stklcode.jvault.connector.exception;
 /**
 * Exception thrown when trying to send malformed request.
 *
- * @author  Stefan Kalscheuer
- * @since   0.1
+ * @author Stefan Kalscheuer
+ * @since 0.1
 */
 public class InvalidRequestException extends VaultConnectorException {
    /**
--- a/src/main/java/de/stklcode/jvault/connector/exception/InvalidResponseException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/InvalidResponseException.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -136,30 +136,6 @@ public final class InvalidResponseException extends VaultConnectorException {
        this.response = response;
    }

-    /**
-     * Specify the HTTP status code. Can be retrieved by {@link #getStatusCode()} later.
-     *
-     * @param statusCode The status code
-     * @return self
-     * @deprecated as of 0.6.2, use constructor with status code argument instead
-     */
-    @Deprecated
-    public InvalidResponseException withStatusCode(final Integer statusCode) {
-        return new InvalidResponseException(getMessage(), statusCode, getResponse(), getCause());
-    }
-
-    /**
-     * Specify the response string. Can be retrieved by {@link #getResponse()} later.
-     *
-     * @param response Response text
-     * @return self
-     * @deprecated use constructor with response argument instead
-     */
-    @Deprecated
-    public InvalidResponseException withResponse(final String response) {
-        return new InvalidResponseException(getMessage(), getStatusCode(), response, getCause());
-    }
-
    /**
     * Retrieve the HTTP status code.
     *
--- a/src/main/java/de/stklcode/jvault/connector/exception/PermissionDeniedException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/PermissionDeniedException.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,8 +19,8 @@ package de.stklcode.jvault.connector.exception;
 /**
 * Exception thrown when trying to access a path the current user/token does not have permission to access.
 *
- * @author  Stefan Kalscheuer
- * @since   0.1
+ * @author Stefan Kalscheuer
+ * @since 0.1
 */
 public class PermissionDeniedException extends VaultConnectorException {
    /**
--- a/src/main/java/de/stklcode/jvault/connector/exception/TlsException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/TlsException.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,8 +19,8 @@ package de.stklcode.jvault.connector.exception;
 /**
 * Exception thrown on errors with TLS connection.
 *
- * @author  Stefan Kalscheuer
- * @since   0.4.0
+ * @author Stefan Kalscheuer
+ * @since 0.4.0
 */
 public class TlsException extends VaultConnectorException {
    /**
--- a/src/main/java/de/stklcode/jvault/connector/exception/VaultConnectorException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/VaultConnectorException.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,14 +19,14 @@ package de.stklcode.jvault.connector.exception;
 /**
 * Abstract Exception class for Vault Connector internal exceptions.
 *
- * @author  Stefan Kalscheuer
- * @since   0.1
+ * @author Stefan Kalscheuer
+ * @since 0.1
 */
 public abstract class VaultConnectorException extends Exception {
    /**
     * Constructs a new empty exception.
     */
-    public VaultConnectorException() {
+    protected VaultConnectorException() {
    }

    /**
@ -34,7 +34,7 @@ public abstract class VaultConnectorException extends Exception {
     *
     * @param message the detail message
     */
-    public VaultConnectorException(final String message) {
+    protected VaultConnectorException(final String message) {
        super(message);
    }

@ -43,7 +43,7 @@ public abstract class VaultConnectorException extends Exception {
     *
     * @param cause the cause
     */
-    public VaultConnectorException(final Throwable cause) {
+    protected VaultConnectorException(final Throwable cause) {
        super(cause);
    }

@ -53,7 +53,7 @@ public abstract class VaultConnectorException extends Exception {
     * @param message the detail message
     * @param cause   the cause
     */
-    public VaultConnectorException(final String message, final Throwable cause) {
+    protected VaultConnectorException(final String message, final Throwable cause) {
        super(message, cause);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/exception/package-info.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/package-info.java
@ -0,0 +1,20 @@
+/*
+ * Copyright 2016-2023 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Some custom exceptions for error handling.
+ */
+package de.stklcode.jvault.connector.exception;
--- a/src/main/java/de/stklcode/jvault/connector/factory/VaultConnectorFactory.java
+++ b/src/main/java/de/stklcode/jvault/connector/factory/VaultConnectorFactory.java
@ -1,54 +0,0 @@
-/*
- * Copyright 2016-2018 Stefan Kalscheuer
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package de.stklcode.jvault.connector.factory;
-
-import de.stklcode.jvault.connector.VaultConnector;
-import de.stklcode.jvault.connector.exception.VaultConnectorException;
-
-/**
- * Abstract Vault Connector Factory interface.
- * Provides builder pattern style factory for Vault connectors.
- *
- * @author Stefan Kalscheuer
- * @since 0.1
- */
-public abstract class VaultConnectorFactory {
-    /**
-     * Get Factory implementation for HTTP Vault Connector.
-     *
-     * @return HTTP Connector Factory
-     */
-    public static HTTPVaultConnectorFactory httpFactory() {
-        return new HTTPVaultConnectorFactory();
-    }
-
-    /**
-     * Build command, produces connector after initialization.
-     *
-     * @return Vault Connector instance.
-     */
-    public abstract VaultConnector build();
-
-    /**
-     * Build connector and authenticate with token set in factory or from environment.
-     *
-     * @return Authenticated Vault connector instance.
-     * @throws VaultConnectorException if authentication failed
-     * @since 0.6.0
-     */
-    public abstract VaultConnector buildAndAuth() throws VaultConnectorException;
-}
--- a/src/main/java/de/stklcode/jvault/connector/internal/Error.java
+++ b/src/main/java/de/stklcode/jvault/connector/internal/Error.java
@ -0,0 +1,39 @@
+/*
+ * Copyright 2016-2023 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.internal;
+
+/**
+ * Utility class to bundle common error messages.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.8 Extracted from static inner class.
+ */
+final class Error {
+    static final String READ_RESPONSE = "Unable to read response";
+    static final String PARSE_RESPONSE = "Unable to parse response";
+    static final String UNEXPECTED_RESPONSE = "Received response where none was expected";
+    static final String URI_FORMAT = "Invalid URI format";
+    static final String RESPONSE_CODE = "Invalid response code";
+    static final String INIT_SSL_CONTEXT = "Unable to initialize SSLContext";
+    static final String CONNECTION = "Unable to connect to Vault server";
+
+    /**
+     * Constructor hidden, this class should not be instantiated.
+     */
+    private Error() {
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/internal/RequestHelper.java
+++ b/src/main/java/de/stklcode/jvault/connector/internal/RequestHelper.java
@ -0,0 +1,448 @@
+package de.stklcode.jvault.connector.internal;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.SerializationFeature;
+import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
+import de.stklcode.jvault.connector.exception.*;
+import de.stklcode.jvault.connector.model.response.ErrorResponse;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.*;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.URLEncoder;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.time.Duration;
+import java.util.Map;
+import java.util.concurrent.CompletionException;
+import java.util.stream.Collectors;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+/**
+ * Helper class to bundle Vault HTTP requests.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.8 Extracted methods from {@link de.stklcode.jvault.connector.HTTPVaultConnector}.
+ */
+public final class RequestHelper implements Serializable {
+    private static final String HEADER_VAULT_TOKEN = "X-Vault-Token";
+
+    private final String baseURL;                   // Base URL of Vault.
+    private final Integer timeout;                  // Timeout in milliseconds.
+    private final int retries;                      // Number of retries on 5xx errors.
+    private final String tlsVersion;                // TLS version (#22).
+    private final X509Certificate trustedCaCert;    // Trusted CA certificate.
+    private final ObjectMapper jsonMapper;
+
+    /**
+     * Constructor of the request helper.
+     *
+     * @param baseURL       The URL
+     * @param retries       Number of retries on 5xx errors
+     * @param timeout       Timeout for HTTP requests (milliseconds)
+     * @param tlsVersion    TLS Version.
+     * @param trustedCaCert Trusted CA certificate
+     */
+    public RequestHelper(final String baseURL,
+                         final int retries,
+                         final Integer timeout,
+                         final String tlsVersion,
+                         final X509Certificate trustedCaCert) {
+        this.baseURL = baseURL + (baseURL.endsWith("/") ? "" : "/");
+        this.retries = retries;
+        this.timeout = timeout;
+        this.tlsVersion = tlsVersion;
+        this.trustedCaCert = trustedCaCert;
+        this.jsonMapper = new ObjectMapper()
+                .registerModule(new JavaTimeModule())
+                .enable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS)
+                .disable(DeserializationFeature.ADJUST_DATES_TO_CONTEXT_TIME_ZONE);
+    }
+
+    /**
+     * Execute HTTP request using POST method.
+     *
+     * @param path    URL path (relative to base).
+     * @param payload Map of payload values (will be converted to JSON).
+     * @param token   Vault token (may be {@code null}).
+     * @return HTTP response
+     * @throws VaultConnectorException on connection error
+     * @since 0.8 Added {@code token} parameter.
+     */
+    public String post(final String path, final Object payload, final String token) throws VaultConnectorException {
+        // Initialize POST.
+        var req = HttpRequest.newBuilder(URI.create(baseURL + path));
+
+        // Generate JSON from payload.
+        try {
+            req.POST(HttpRequest.BodyPublishers.ofString(jsonMapper.writeValueAsString(payload), UTF_8));
+        } catch (JsonProcessingException e) {
+            throw new InvalidRequestException(Error.PARSE_RESPONSE, e);
+        }
+
+        req.setHeader("Content-Type", "application/json; charset=utf-8");
+
+        // Set X-Vault-Token header.
+        if (token != null) {
+            req.setHeader(HEADER_VAULT_TOKEN, token);
+        }
+
+        return request(req, retries);
+    }
+
+    /**
+     * Execute HTTP request using POST method and parse JSON result.
+     *
+     * @param path    URL path (relative to base).
+     * @param payload Map of payload values (will be converted to JSON).
+     * @param token   Vault token (may be {@code null}).
+     * @param target  Target class.
+     * @param <T>     Target type.
+     * @return HTTP response
+     * @throws VaultConnectorException on connection error
+     * @since 0.8
+     */
+    public <T> T post(final String path, final Object payload, final String token, final Class<T> target)
+            throws VaultConnectorException {
+        try {
+            String response = post(path, payload, token);
+            return jsonMapper.readValue(response, target);
+        } catch (IOException e) {
+            throw new InvalidResponseException(Error.PARSE_RESPONSE, e);
+        }
+    }
+
+    /**
+     * Execute HTTP request using POST method and expect empty (204) response.
+     *
+     * @param path    URL path (relative to base).
+     * @param payload Map of payload values (will be converted to JSON).
+     * @param token   Vault token (may be {@code null}).
+     * @throws VaultConnectorException on connection error
+     * @since 0.8
+     */
+    public void postWithoutResponse(final String path, final Object payload, final String token)
+            throws VaultConnectorException {
+        if (!post(path, payload, token).isEmpty()) {
+            throw new InvalidResponseException(Error.UNEXPECTED_RESPONSE);
+        }
+    }
+
+    /**
+     * Execute HTTP request using PUT method.
+     *
+     * @param path    URL path (relative to base).
+     * @param payload Map of payload values (will be converted to JSON).
+     * @param token   Vault token (may be {@code null}).
+     * @return HTTP response
+     * @throws VaultConnectorException on connection error
+     * @since 0.8 Added {@code token} parameter.
+     */
+    public String put(final String path, final Map<String, String> payload, final String token)
+            throws VaultConnectorException {
+        // Initialize PUT.
+        var req = HttpRequest.newBuilder(URI.create(baseURL + path));
+
+        // Generate JSON from payload.
+        try {
+            req.PUT(HttpRequest.BodyPublishers.ofString(jsonMapper.writeValueAsString(payload), UTF_8));
+        } catch (JsonProcessingException e) {
+            throw new InvalidRequestException("Payload serialization failed", e);
+        }
+
+        req.setHeader("Content-Type", "application/json; charset=utf-8");
+
+        // Set X-Vault-Token header.
+        if (token != null) {
+            req.setHeader(HEADER_VAULT_TOKEN, token);
+        }
+
+        return request(req, retries);
+    }
+
+    /**
+     * Execute HTTP request using PUT method and parse JSON result.
+     *
+     * @param path    URL path (relative to base).
+     * @param payload Map of payload values (will be converted to JSON).
+     * @param token   Vault token (may be {@code null}).
+     * @param target  Target class.
+     * @param <T>     Target type.
+     * @return HTTP response
+     * @throws VaultConnectorException on connection error
+     * @since 0.8
+     */
+    public <T> T put(final String path, final Map<String, String> payload, final String token, final Class<T> target)
+            throws VaultConnectorException {
+        try {
+            String response = put(path, payload, token);
+            return jsonMapper.readValue(response, target);
+        } catch (IOException e) {
+            throw new InvalidResponseException(Error.PARSE_RESPONSE, e);
+        }
+    }
+
+    /**
+     * Execute HTTP request using PUT method and expect empty (204) response.
+     *
+     * @param path    URL path (relative to base).
+     * @param payload Map of payload values (will be converted to JSON).
+     * @param token   Vault token (may be {@code null}).
+     * @throws VaultConnectorException on connection error
+     * @since 0.8
+     */
+    public void putWithoutResponse(final String path, final Map<String, String> payload, final String token)
+            throws VaultConnectorException {
+        if (!put(path, payload, token).isEmpty()) {
+            throw new InvalidResponseException(Error.UNEXPECTED_RESPONSE);
+        }
+    }
+
+    /**
+     * Execute HTTP request using DELETE method.
+     *
+     * @param path  URL path (relative to base).
+     * @param token Vault token (may be {@code null}).
+     * @return HTTP response
+     * @throws VaultConnectorException on connection error
+     * @since 0.8 Added {@code token} parameter.
+     */
+    public String delete(final String path, final String token) throws VaultConnectorException {
+        // Initialize DELETE.
+        HttpRequest.Builder req = HttpRequest.newBuilder(URI.create(baseURL + path)).DELETE();
+
+        // Set X-Vault-Token header.
+        if (token != null) {
+            req.setHeader(HEADER_VAULT_TOKEN, token);
+        }
+
+        return request(req, retries);
+    }
+
+    /**
+     * Execute HTTP request using DELETE method and expect empty (204) response.
+     *
+     * @param path  URL path (relative to base).
+     * @param token Vault token (may be {@code null}).
+     * @throws VaultConnectorException on connection error
+     * @since 0.8
+     */
+    public void deleteWithoutResponse(final String path, final String token) throws VaultConnectorException {
+        if (!delete(path, token).isEmpty()) {
+            throw new InvalidResponseException(Error.UNEXPECTED_RESPONSE);
+        }
+    }
+
+    /**
+     * Execute HTTP request using GET method.
+     *
+     * @param path    URL path (relative to base).
+     * @param payload Map of payload values (will be converted to JSON).
+     * @param token   Vault token (may be {@code null}).
+     * @return HTTP response
+     * @throws VaultConnectorException on connection error
+     * @since 0.8 Added {@code token} parameter.
+     */
+    public String get(final String path, final Map<String, String> payload, final String token)
+            throws VaultConnectorException {
+        // Add parameters to URI.
+        var uriBuilder = new StringBuilder(baseURL + path);
+
+        if (!payload.isEmpty()) {
+            uriBuilder.append("?").append(
+                    payload.entrySet().stream().map(par ->
+                            URLEncoder.encode(par.getKey(), UTF_8) + "=" + URLEncoder.encode(par.getValue(), UTF_8)
+                    ).collect(Collectors.joining("&"))
+            );
+        }
+
+        // Initialize GET.
+        try {
+            var req = HttpRequest.newBuilder(new URI(uriBuilder.toString()));
+
+            // Set X-Vault-Token header.
+            if (token != null) {
+                req.setHeader(HEADER_VAULT_TOKEN, token);
+            }
+
+            return request(req, retries);
+        } catch (URISyntaxException e) {
+            /* this should never occur and may leak sensible information */
+            throw new InvalidRequestException(Error.URI_FORMAT);
+        }
+    }
+
+    /**
+     * Execute HTTP request using GET method and parse JSON result to target class.
+     *
+     * @param path    URL path (relative to base).
+     * @param payload Map of payload values (will be converted to JSON).
+     * @param token   Vault token (may be {@code null}).
+     * @param target  Target class.
+     * @param <T>     Target type.
+     * @return HTTP response
+     * @throws VaultConnectorException on connection error
+     * @since 0.8
+     */
+    public <T> T get(final String path, final Map<String, String> payload, final String token, final Class<T> target)
+            throws VaultConnectorException {
+        try {
+            String response = get(path, payload, token);
+            return jsonMapper.readValue(response, target);
+        } catch (IOException e) {
+            throw new InvalidResponseException(Error.PARSE_RESPONSE, e);
+        }
+    }
+
+    /**
+     * Execute prepared HTTP request and return result.
+     *
+     * @param requestBuilder Prepared request.
+     * @param retries        Number of retries.
+     * @return HTTP response
+     * @throws VaultConnectorException on connection error
+     */
+    private String request(final HttpRequest.Builder requestBuilder, final int retries) throws VaultConnectorException {
+        // Set JSON Header.
+        requestBuilder.setHeader("accept", "application/json");
+
+        var clientBuilder = HttpClient.newBuilder();
+
+        // Set custom timeout, if defined.
+        if (this.timeout != null) {
+            clientBuilder.connectTimeout(Duration.ofMillis(timeout));
+        }
+
+        // Set custom SSL context.
+        clientBuilder.sslContext(createSSLContext());
+
+        HttpClient client = clientBuilder.build();
+
+        // Execute request.
+        try {
+            HttpResponse<InputStream> response = client.sendAsync(
+                    requestBuilder.build(),
+                    HttpResponse.BodyHandlers.ofInputStream()
+            ).join();
+
+            /* Check if response is valid */
+            if (response == null) {
+                throw new InvalidResponseException("Response unavailable");
+            }
+
+            switch (response.statusCode()) {
+                case 200:
+                    return handleResult(response);
+                case 204:
+                    return "";
+                case 403:
+                    throw new PermissionDeniedException();
+                default:
+                    if (response.statusCode() >= 500 && response.statusCode() < 600 && retries > 0) {
+                        // Retry on 5xx errors.
+                        return request(requestBuilder, retries - 1);
+                    } else {
+                        // Fail on different error code and/or no retries left.
+                        handleError(response);
+
+                        // Throw exception without details, if response entity is empty.
+                        throw new InvalidResponseException(Error.RESPONSE_CODE, response.statusCode());
+                    }
+            }
+        } catch (CompletionException e) {
+            throw new ConnectionException(Error.CONNECTION, e.getCause());
+        } finally {
+            if (client instanceof AutoCloseable) {
+                // Close the client, which is supported since JDK21.
+                try {
+                    ((AutoCloseable) client).close();
+                } catch (Exception ignored) {
+                    // Ignore
+                }
+            }
+        }
+    }
+
+    /**
+     * Create a custom SSL context from trusted CA certificate.
+     *
+     * @return The context.
+     * @throws TlsException An error occurred during initialization of the SSL context.
+     * @since 0.8.0
+     * @since 0.10 Generate {@link SSLContext} instead of Apache {@code SSLConnectionSocketFactory}
+     */
+    private SSLContext createSSLContext() throws TlsException {
+        try {
+            // Create context.
+            var sslContext = SSLContext.getInstance(tlsVersion);
+
+            if (trustedCaCert != null) {
+                // Create Keystore with trusted certificate.
+                var keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+                keyStore.load(null, null);
+                keyStore.setCertificateEntry("trustedCert", trustedCaCert);
+
+                // Initialize TrustManager.
+                var tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+                tmf.init(keyStore);
+                sslContext.init(null, tmf.getTrustManagers(), null);
+            } else {
+                sslContext.init(null, null, null);
+            }
+
+            return sslContext;
+        } catch (CertificateException | NoSuchAlgorithmException | KeyStoreException | IOException |
+                 KeyManagementException e) {
+            throw new TlsException(Error.INIT_SSL_CONTEXT, e);
+        }
+    }
+
+    /**
+     * Handle successful result.
+     *
+     * @param response The raw HTTP response (assuming status code 200)
+     * @return Complete response body as String
+     * @throws InvalidResponseException on reading errors
+     */
+    private String handleResult(final HttpResponse<InputStream> response) throws InvalidResponseException {
+        try (var reader = new BufferedReader(new InputStreamReader(response.body(), UTF_8))) {
+            return reader.lines().collect(Collectors.joining("\n"));
+        } catch (IOException ignored) {
+            throw new InvalidResponseException(Error.READ_RESPONSE, 200);
+        }
+    }
+
+    /**
+     * Handle unsuccessful response. Throw detailed exception if possible.
+     *
+     * @param response The raw HTTP response (assuming status code 5xx)
+     * @throws VaultConnectorException Expected exception with details to throw
+     */
+    private void handleError(final HttpResponse<InputStream> response) throws VaultConnectorException {
+        if (response.body() != null) {
+            try (var reader = new BufferedReader(new InputStreamReader(response.body(), UTF_8))) {
+                var responseString = reader.lines().collect(Collectors.joining("\n"));
+                ErrorResponse er = jsonMapper.readValue(responseString, ErrorResponse.class);
+                /* Check for "permission denied" response */
+                if (!er.getErrors().isEmpty() && er.getErrors().get(0).equals("permission denied")) {
+                    throw new PermissionDeniedException();
+                }
+                throw new InvalidResponseException(Error.RESPONSE_CODE, response.statusCode(), er.toString());
+            } catch (IOException ignored) {
+                // Exception ignored.
+            }
+        }
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/AppRole.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/AppRole.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -18,16 +18,22 @@ package de.stklcode.jvault.connector.model;

 import com.fasterxml.jackson.annotation.*;

+import java.io.Serializable;
+import java.util.ArrayList;
 import java.util.List;
+import java.util.Objects;

 /**
 * Vault AppRole role metamodel.
 *
 * @author Stefan Kalscheuer
 * @since 0.4.0
+ * @since 1.1 implements {@link Serializable}
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public final class AppRole {
+public final class AppRole implements Serializable {
+    private static final long serialVersionUID = -6248529625864573990L;
+
    @JsonProperty("role_name")
    private String name;

@ -39,9 +45,7 @@ public final class AppRole {
    @JsonInclude(JsonInclude.Include.NON_NULL)
    private Boolean bindSecretId;

-    private List<String> boundCidrList;
-
-    private List<String> policies;
+    private List<String> secretIdBoundCidrs;

    @JsonProperty("secret_id_num_uses")
    @JsonInclude(JsonInclude.Include.NON_NULL)
@ -51,6 +55,10 @@ public final class AppRole {
    @JsonInclude(JsonInclude.Include.NON_NULL)
    private Integer secretIdTtl;

+    @JsonProperty("enable_local_secret_ids")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private Boolean enableLocalSecretIds;
+
    @JsonProperty("token_ttl")
    @JsonInclude(JsonInclude.Include.NON_NULL)
    private Integer tokenTtl;
@ -59,44 +67,71 @@ public final class AppRole {
    @JsonInclude(JsonInclude.Include.NON_NULL)
    private Integer tokenMaxTtl;

-    @JsonProperty("period")
+    private List<String> tokenPolicies;
+
+    @JsonProperty("token_bound_cidrs")
    @JsonInclude(JsonInclude.Include.NON_NULL)
-    private Integer period;
+    private List<String> tokenBoundCidrs;
+
+    @JsonProperty("token_explicit_max_ttl")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private Integer tokenExplicitMaxTtl;
+
+    @JsonProperty("token_no_default_policy")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private Boolean tokenNoDefaultPolicy;
+
+    @JsonProperty("token_num_uses")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private Integer tokenNumUses;
+
+    @JsonProperty("token_period")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private Integer tokenPeriod;
+
+    @JsonProperty("token_type")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private String tokenType;

    /**
     * Construct empty {@link AppRole} object.
     */
    public AppRole() {
-
    }

    /**
-     * Construct complete {@link AppRole} object.
+     * Construct {@link AppRole} object from {@link AppRole.Builder}.
     *
-     * @param name            Role name (required)
-     * @param id              Role ID (optional)
-     * @param bindSecretId    Bind secret ID (optional)
-     * @param boundCidrList   Whitelist of subnets in CIDR notation (optional)
-     * @param policies        List of policies (optional)
-     * @param secretIdNumUses Maximum number of uses per secret (optional)
-     * @param secretIdTtl     Maximum TTL in seconds for secrets (optional)
-     * @param tokenTtl        Token TTL in seconds (optional)
-     * @param tokenMaxTtl     Maximum token TTL in seconds, including renewals (optional)
-     * @param period          Duration in seconds, if set the token is a periodic token (optional)
+     * @param builder AppRole builder.
     */
-    public AppRole(final String name, final String id, final Boolean bindSecretId, final List<String> boundCidrList,
-                   final List<String> policies, final Integer secretIdNumUses, final Integer secretIdTtl,
-                   final Integer tokenTtl, final Integer tokenMaxTtl, final Integer period) {
-        this.name = name;
-        this.id = id;
-        this.bindSecretId = bindSecretId;
-        this.boundCidrList = boundCidrList;
-        this.policies = policies;
-        this.secretIdNumUses = secretIdNumUses;
-        this.secretIdTtl = secretIdTtl;
-        this.tokenTtl = tokenTtl;
-        this.tokenMaxTtl = tokenMaxTtl;
-        this.period = period;
+    public AppRole(final Builder builder) {
+        this.name = builder.name;
+        this.id = builder.id;
+        this.bindSecretId = builder.bindSecretId;
+        this.secretIdBoundCidrs = builder.secretIdBoundCidrs;
+        this.secretIdNumUses = builder.secretIdNumUses;
+        this.secretIdTtl = builder.secretIdTtl;
+        this.enableLocalSecretIds = builder.enableLocalSecretIds;
+        this.tokenTtl = builder.tokenTtl;
+        this.tokenMaxTtl = builder.tokenMaxTtl;
+        this.tokenPolicies = builder.tokenPolicies;
+        this.tokenBoundCidrs = builder.tokenBoundCidrs;
+        this.tokenExplicitMaxTtl = builder.tokenExplicitMaxTtl;
+        this.tokenNoDefaultPolicy = builder.tokenNoDefaultPolicy;
+        this.tokenNumUses = builder.tokenNumUses;
+        this.tokenPeriod = builder.tokenPeriod;
+        this.tokenType = builder.tokenType != null ? builder.tokenType.value() : null;
+    }
+
+    /**
+     * Get {@link Builder} instance.
+     *
+     * @param name Role name.
+     * @return AppRole Builder.
+     * @since 0.8
+     */
+    public static Builder builder(final String name) {
+        return new Builder(name);
    }

    /**
@ -121,55 +156,93 @@ public final class AppRole {
    }

    /**
-     * @return list of bound CIDR subnets
+     * @return list of bound CIDR subnets of associated tokens
+     * @since 0.9
     */
-    public List<String> getBoundCidrList() {
-        return boundCidrList;
+    public List<String> getTokenBoundCidrs() {
+        return tokenBoundCidrs;
    }

    /**
     * @param boundCidrList list of subnets in CIDR notation to bind role to
+     * @since 0.9
     */
-    @JsonSetter("bound_cidr_list")
-    public void setBoundCidrList(final List<String> boundCidrList) {
-        this.boundCidrList = boundCidrList;
+    @JsonSetter("token_bound_cidrs")
+    public void setBoundCidrs(final List<String> boundCidrList) {
+        this.tokenBoundCidrs = boundCidrList;
    }

    /**
     * @return list of subnets in CIDR notation as comma-separated {@link String}
+     * @since 0.9
     */
-    @JsonGetter("bound_cidr_list")
+    @JsonGetter("token_bound_cidrs")
    @JsonInclude(JsonInclude.Include.NON_EMPTY)
-    public String getBoundCidrListString() {
-        if (boundCidrList == null || boundCidrList.isEmpty())
+    public String getTokenBoundCidrsString() {
+        if (tokenBoundCidrs == null || tokenBoundCidrs.isEmpty()) {
            return "";
-        return String.join(",", boundCidrList);
+        }
+        return String.join(",", tokenBoundCidrs);
    }

    /**
-     * @return list of policies
+     * @return list of bound CIDR subnets
+     * @since 0.8 replaces {@code getBoundCidrList()}
     */
-    public List<String> getPolicies() {
-        return policies;
+    public List<String> getSecretIdBoundCidrs() {
+        return secretIdBoundCidrs;
    }

    /**
-     * @param policies list of policies
+     * @param secretIdBoundCidrs List of subnets in CIDR notation to bind secrets of this role to.
+     * @since 0.8 replaces {@code setBoundCidrList(List)}
     */
-    @JsonSetter("policies")
-    public void setPolicies(final List<String> policies) {
-        this.policies = policies;
+    @JsonSetter("secret_id_bound_cidrs")
+    public void setSecretIdBoundCidrs(final List<String> secretIdBoundCidrs) {
+        this.secretIdBoundCidrs = secretIdBoundCidrs;
+    }
+
+    /**
+     * @return List of subnets in CIDR notation as comma-separated {@link String}
+     * @since 0.8 replaces {@code getBoundCidrListString()} ()}
+     */
+    @JsonGetter("secret_id_bound_cidrs")
+    @JsonInclude(JsonInclude.Include.NON_EMPTY)
+    public String getSecretIdBoundCidrsString() {
+        if (secretIdBoundCidrs == null || secretIdBoundCidrs.isEmpty()) {
+            return "";
+        }
+        return String.join(",", secretIdBoundCidrs);
+    }
+
+    /**
+     * @return list of token policies
+     * @since 0.9
+     */
+    public List<String> getTokenPolicies() {
+        return tokenPolicies;
+    }
+
+    /**
+     * @param tokenPolicies list of token policies
+     * @since 0.9
+     */
+    @JsonSetter("token_policies")
+    public void setTokenPolicies(final List<String> tokenPolicies) {
+        this.tokenPolicies = tokenPolicies;
    }

    /**
     * @return list of policies as comma-separated {@link String}
+     * @since 0.9
     */
-    @JsonGetter("policies")
+    @JsonGetter("token_policies")
    @JsonInclude(JsonInclude.Include.NON_EMPTY)
-    public String getPoliciesString() {
-        if (policies == null || policies.isEmpty())
+    public String getTokenPoliciesString() {
+        if (tokenPolicies == null || tokenPolicies.isEmpty()) {
            return "";
-        return String.join(",", policies);
+        }
+        return String.join(",", tokenPolicies);
    }

    /**
@ -186,6 +259,14 @@ public final class AppRole {
        return secretIdTtl;
    }

+    /**
+     * @return Enable local secret IDs?
+     * @since 0.9
+     */
+    public Boolean getEnableLocalSecretIds() {
+        return enableLocalSecretIds;
+    }
+
    /**
     * @return token TTL in seconds
     */
@ -201,9 +282,378 @@ public final class AppRole {
    }

    /**
-     * @return duration in seconds, if specified
+     * @return explicit maximum token TTL in seconds, including renewals
+     * @since 0.9
     */
-    public Integer getPeriod() {
-        return period;
+    public Integer getTokenExplicitMaxTtl() {
+        return tokenExplicitMaxTtl;
+    }
+
+    /**
+     * @return enable default policy for token?
+     * @since 0.9
+     */
+    public Boolean getTokenNoDefaultPolicy() {
+        return tokenNoDefaultPolicy;
+    }
+
+    /**
+     * @return number of uses for token
+     * @since 0.9
+     */
+    public Integer getTokenNumUses() {
+        return tokenNumUses;
+    }
+
+    /**
+     * @return duration in seconds, if specified
+     * @since 0.9
+     */
+    public Integer getTokenPeriod() {
+        return tokenPeriod;
+    }
+
+    /**
+     * @return duration in seconds, if specified
+     * @since 0.9
+     */
+    public String getTokenType() {
+        return tokenType;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        AppRole appRole = (AppRole) o;
+        return Objects.equals(name, appRole.name) &&
+                Objects.equals(id, appRole.id) &&
+                Objects.equals(bindSecretId, appRole.bindSecretId) &&
+                Objects.equals(secretIdBoundCidrs, appRole.secretIdBoundCidrs) &&
+                Objects.equals(secretIdNumUses, appRole.secretIdNumUses) &&
+                Objects.equals(secretIdTtl, appRole.secretIdTtl) &&
+                Objects.equals(enableLocalSecretIds, appRole.enableLocalSecretIds) &&
+                Objects.equals(tokenTtl, appRole.tokenTtl) &&
+                Objects.equals(tokenMaxTtl, appRole.tokenMaxTtl) &&
+                Objects.equals(tokenPolicies, appRole.tokenPolicies) &&
+                Objects.equals(tokenBoundCidrs, appRole.tokenBoundCidrs) &&
+                Objects.equals(tokenExplicitMaxTtl, appRole.tokenExplicitMaxTtl) &&
+                Objects.equals(tokenNoDefaultPolicy, appRole.tokenNoDefaultPolicy) &&
+                Objects.equals(tokenNumUses, appRole.tokenNumUses) &&
+                Objects.equals(tokenPeriod, appRole.tokenPeriod) &&
+                Objects.equals(tokenType, appRole.tokenType);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(name, id, bindSecretId, secretIdBoundCidrs, secretIdNumUses, secretIdTtl,
+                enableLocalSecretIds, tokenTtl, tokenMaxTtl, tokenPolicies, tokenBoundCidrs, tokenExplicitMaxTtl,
+                tokenNoDefaultPolicy, tokenNumUses, tokenPeriod, tokenType);
+    }
+
+
+    /**
+     * A builder for vault AppRole roles..
+     *
+     * @author Stefan Kalscheuer
+     * @since 0.4.0
+     * @since 0.9 Moved into subclass of {@link AppRole}.
+     */
+    public static final class Builder {
+        private String name;
+        private String id;
+        private Boolean bindSecretId;
+        private List<String> secretIdBoundCidrs;
+        private List<String> tokenPolicies;
+        private Integer secretIdNumUses;
+        private Integer secretIdTtl;
+        private Boolean enableLocalSecretIds;
+        private Integer tokenTtl;
+        private Integer tokenMaxTtl;
+        private List<String> tokenBoundCidrs;
+        private Integer tokenExplicitMaxTtl;
+        private Boolean tokenNoDefaultPolicy;
+        private Integer tokenNumUses;
+        private Integer tokenPeriod;
+        private Token.Type tokenType;
+
+        /**
+         * Construct {@link Builder} with only the role name set.
+         *
+         * @param name Role name
+         */
+        public Builder(final String name) {
+            this.name = name;
+        }
+
+        /**
+         * Add role name.
+         *
+         * @param name Role name
+         * @return self
+         */
+        public Builder withName(final String name) {
+            this.name = name;
+            return this;
+        }
+
+        /**
+         * Add custom role ID. (optional)
+         *
+         * @param id the ID
+         * @return self
+         */
+        public Builder withId(final String id) {
+            this.id = id;
+            return this;
+        }
+
+        /**
+         * Set if role is bound to secret ID.
+         *
+         * @param bindSecretId the display name
+         * @return self
+         */
+        public Builder withBindSecretID(final Boolean bindSecretId) {
+            this.bindSecretId = bindSecretId;
+            return this;
+        }
+
+        /**
+         * Bind role to secret ID.
+         * Convenience method for {@link #withBindSecretID(Boolean)}
+         *
+         * @return self
+         */
+        public Builder withBindSecretID() {
+            return withBindSecretID(true);
+        }
+
+        /**
+         * Do not bind role to secret ID.
+         * Convenience method for {@link #withBindSecretID(Boolean)}
+         *
+         * @return self
+         */
+        public Builder withoutBindSecretID() {
+            return withBindSecretID(false);
+        }
+
+        /**
+         * Set bound CIDR blocks.
+         *
+         * @param secretIdBoundCidrs List of CIDR blocks which can perform login
+         * @return self
+         * @since 0.8 replaces {@code withBoundCidrList(List)}
+         */
+        public Builder withSecretIdBoundCidrs(final List<String> secretIdBoundCidrs) {
+            if (this.secretIdBoundCidrs == null) {
+                this.secretIdBoundCidrs = new ArrayList<>();
+            }
+            this.secretIdBoundCidrs.addAll(secretIdBoundCidrs);
+            return this;
+        }
+
+        /**
+         * Add a CIDR block to list of bound blocks for secret.
+         *
+         * @param secretBoundCidr the CIDR block
+         * @return self
+         * @since 0.9
+         */
+        public Builder withSecretBoundCidr(final String secretBoundCidr) {
+            if (secretIdBoundCidrs == null) {
+                secretIdBoundCidrs = new ArrayList<>();
+            }
+            secretIdBoundCidrs.add(secretBoundCidr);
+            return this;
+        }
+
+        /**
+         * Add given policies.
+         *
+         * @param tokenPolicies the token policies
+         * @return self
+         * @since 0.9
+         */
+        public Builder withTokenPolicies(final List<String> tokenPolicies) {
+            if (this.tokenPolicies == null) {
+                this.tokenPolicies = new ArrayList<>();
+            }
+            this.tokenPolicies.addAll(tokenPolicies);
+            return this;
+        }
+
+        /**
+         * Add a single policy.
+         *
+         * @param tokenPolicy the token policy
+         * @return self
+         * @since 0.9
+         */
+        public Builder withTokenPolicy(final String tokenPolicy) {
+            if (this.tokenPolicies == null) {
+                this.tokenPolicies = new ArrayList<>();
+            }
+            tokenPolicies.add(tokenPolicy);
+            return this;
+        }
+
+        /**
+         * Set number of uses for sectet IDs.
+         *
+         * @param secretIdNumUses the number of uses
+         * @return self
+         */
+        public Builder withSecretIdNumUses(final Integer secretIdNumUses) {
+            this.secretIdNumUses = secretIdNumUses;
+            return this;
+        }
+
+        /**
+         * Set default sectet ID TTL in seconds.
+         *
+         * @param secretIdTtl the TTL
+         * @return self
+         */
+        public Builder withSecretIdTtl(final Integer secretIdTtl) {
+            this.secretIdTtl = secretIdTtl;
+            return this;
+        }
+
+        /**
+         * Enable or disable local secret IDs.
+         *
+         * @param enableLocalSecretIds Enable local secret IDs?
+         * @return self
+         * @since 0.9
+         */
+        public Builder withEnableLocalSecretIds(final Boolean enableLocalSecretIds) {
+            this.enableLocalSecretIds = enableLocalSecretIds;
+            return this;
+        }
+
+        /**
+         * Set default token TTL in seconds.
+         *
+         * @param tokenTtl the TTL
+         * @return self
+         */
+        public Builder withTokenTtl(final Integer tokenTtl) {
+            this.tokenTtl = tokenTtl;
+            return this;
+        }
+
+        /**
+         * Set maximum token TTL in seconds.
+         *
+         * @param tokenMaxTtl the TTL
+         * @return self
+         */
+        public Builder withTokenMaxTtl(final Integer tokenMaxTtl) {
+            this.tokenMaxTtl = tokenMaxTtl;
+            return this;
+        }
+
+        /**
+         * Set bound CIDR blocks for associated tokens.
+         *
+         * @param tokenBoundCidrs List of CIDR blocks which can perform login
+         * @return self
+         * @since 0.9
+         */
+        public Builder withTokenBoundCidrs(final List<String> tokenBoundCidrs) {
+            if (this.tokenBoundCidrs == null) {
+                this.tokenBoundCidrs = new ArrayList<>();
+            }
+            this.tokenBoundCidrs.addAll(tokenBoundCidrs);
+            return this;
+        }
+
+        /**
+         * Add a CIDR block to list of bound blocks for token.
+         *
+         * @param tokenBoundCidr the CIDR block
+         * @return self
+         * @since 0.9
+         */
+        public Builder withTokenBoundCidr(final String tokenBoundCidr) {
+            if (tokenBoundCidrs == null) {
+                tokenBoundCidrs = new ArrayList<>();
+            }
+            tokenBoundCidrs.add(tokenBoundCidr);
+            return this;
+        }
+
+        /**
+         * Set explicit maximum token TTL in seconds.
+         *
+         * @param tokenExplicitMaxTtl the TTL
+         * @return self
+         */
+        public Builder withTokenExplicitMaxTtl(final Integer tokenExplicitMaxTtl) {
+            this.tokenExplicitMaxTtl = tokenExplicitMaxTtl;
+            return this;
+        }
+
+        /**
+         * Enable or disable default policy for generated token.
+         *
+         * @param tokenNoDefaultPolicy Enable default policy for token?
+         * @return self
+         * @since 0.9
+         */
+        public Builder withTokenNoDefaultPolicy(final Boolean tokenNoDefaultPolicy) {
+            this.tokenNoDefaultPolicy = tokenNoDefaultPolicy;
+            return this;
+        }
+
+        /**
+         * Set number of uses for generated tokens.
+         *
+         * @param tokenNumUses number of uses for tokens
+         * @return self
+         * @since 0.9
+         */
+        public Builder withTokenNumUses(final Integer tokenNumUses) {
+            this.tokenNumUses = tokenNumUses;
+            return this;
+        }
+
+        /**
+         * Set renewal period for generated token in seconds.
+         *
+         * @param tokenPeriod period in seconds
+         * @return self
+         * @since 0.9
+         */
+        public Builder withTokenPeriod(final Integer tokenPeriod) {
+            this.tokenPeriod = tokenPeriod;
+            return this;
+        }
+
+        /**
+         * Set type of generated token.
+         *
+         * @param tokenType token type
+         * @return self
+         * @since 0.9
+         */
+        public Builder withTokenType(final Token.Type tokenType) {
+            this.tokenType = tokenType;
+            return this;
+        }
+
+        /**
+         * Build the AppRole role based on given parameters.
+         *
+         * @return the role
+         */
+        public AppRole build() {
+            return new AppRole(this);
+        }
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/AppRoleBuilder.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/AppRoleBuilder.java
@ -1,214 +0,0 @@
-/*
- * Copyright 2016-2018 Stefan Kalscheuer
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package de.stklcode.jvault.connector.model;
-
-import java.util.ArrayList;
-import java.util.List;
-
-/**
- * A builder for vault AppRole roles..
- *
- * @author Stefan Kalscheuer
- * @since 0.4.0
- */
-public final class AppRoleBuilder {
-    private String name;
-    private String id;
-    private Boolean bindSecretId;
-    private List<String> boundCidrList;
-    private List<String> policies;
-    private Integer secretIdNumUses;
-    private Integer secretIdTtl;
-    private Integer tokenTtl;
-    private Integer tokenMaxTtl;
-    private Integer period;
-
-    /**
-     * Construct {@link AppRoleBuilder} with only the role name set.
-     *
-     * @param name Role name
-     */
-    public AppRoleBuilder(final String name) {
-        this.name = name;
-    }
-
-    /**
-     * Add custom role ID. (optional)
-     *
-     * @param id the ID
-     * @return self
-     */
-    public AppRoleBuilder withId(final String id) {
-        this.id = id;
-        return this;
-    }
-
-    /**
-     * Set if role is bound to secret ID.
-     *
-     * @param bindSecretId the display name
-     * @return self
-     */
-    public AppRoleBuilder withBindSecretID(final Boolean bindSecretId) {
-        this.bindSecretId = bindSecretId;
-        return this;
-    }
-
-    /**
-     * Bind role to secret ID.
-     * Convenience method for {@link #withBindSecretID(Boolean)}
-     *
-     * @return self
-     */
-    public AppRoleBuilder withBindSecretID() {
-        return withBindSecretID(true);
-    }
-
-    /**
-     * Do not bind role to secret ID.
-     * Convenience method for {@link #withBindSecretID(Boolean)}
-     *
-     * @return self
-     */
-    public AppRoleBuilder withoutBindSecretID() {
-        return withBindSecretID(false);
-    }
-
-    /**
-     * Set bound CIDR blocks.
-     *
-     * @param boundCidrList List of CIDR blocks which can perform login
-     * @return self
-     */
-    public AppRoleBuilder withBoundCidrList(final List<String> boundCidrList) {
-        this.boundCidrList = boundCidrList;
-        return this;
-    }
-
-    /**
-     * Add a CIDR block to list of bound blocks.
-     *
-     * @param cidrBlock the CIDR block
-     * @return self
-     */
-    public AppRoleBuilder withCidrBlock(final String cidrBlock) {
-        if (boundCidrList == null)
-            boundCidrList = new ArrayList<>();
-        boundCidrList.add(cidrBlock);
-        return this;
-    }
-
-    /**
-     * Add given policies.
-     *
-     * @param policies the policies
-     * @return self
-     */
-    public AppRoleBuilder withPolicies(final List<String> policies) {
-        if (this.policies == null)
-            this.policies = new ArrayList<>();
-        this.policies.addAll(policies);
-        return this;
-    }
-
-    /**
-     * Add a single policy.
-     *
-     * @param policy the policy
-     * @return self
-     */
-    public AppRoleBuilder withPolicy(final String policy) {
-        if (this.policies == null)
-            this.policies = new ArrayList<>();
-        policies.add(policy);
-        return this;
-    }
-
-    /**
-     * Set number of uses for sectet IDs.
-     *
-     * @param secredIdNumUses the number of uses
-     * @return self
-     */
-    public AppRoleBuilder withSecretIdNumUses(final Integer secredIdNumUses) {
-        this.secretIdNumUses = secredIdNumUses;
-        return this;
-    }
-
-    /**
-     * Set default sectet ID TTL in seconds.
-     *
-     * @param secredIdTtl the TTL
-     * @return self
-     */
-    public AppRoleBuilder withSecretIdTtl(final Integer secredIdTtl) {
-        this.secretIdTtl = secredIdTtl;
-        return this;
-    }
-
-    /**
-     * Set default token TTL in seconds.
-     *
-     * @param tokenTtl the TTL
-     * @return self
-     */
-    public AppRoleBuilder withTokenTtl(final Integer tokenTtl) {
-        this.tokenTtl = tokenTtl;
-        return this;
-    }
-
-    /**
-     * Set maximum token TTL in seconds.
-     *
-     * @param tokenMaxTtl the TTL
-     * @return self
-     */
-    public AppRoleBuilder withTokenMaxTtl(final Integer tokenMaxTtl) {
-        this.tokenMaxTtl = tokenMaxTtl;
-        return this;
-    }
-
-    /**
-     * Set renewal period for generated token in seconds.
-     *
-     * @param period period in seconds
-     * @return self
-     */
-    public AppRoleBuilder withPeriod(final Integer period) {
-        this.period = period;
-        return this;
-    }
-
-
-    /**
-     * Build the AppRole role based on given parameters.
-     *
-     * @return the role
-     */
-    public AppRole build() {
-        return new AppRole(name,
-                id,
-                bindSecretId,
-                boundCidrList,
-                policies,
-                secretIdNumUses,
-                secretIdTtl,
-                tokenTtl,
-                tokenMaxTtl,
-                period);
-    }
-}
--- a/src/main/java/de/stklcode/jvault/connector/model/AppRoleSecret.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/AppRoleSecret.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -18,17 +18,22 @@ package de.stklcode.jvault.connector.model;

 import com.fasterxml.jackson.annotation.*;

+import java.io.Serializable;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;

 /**
 * Vault AppRole role metamodel.
 *
 * @author Stefan Kalscheuer
 * @since 0.4.0
+ * @since 1.1 implements {@link Serializable}
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public final class AppRoleSecret {
+public final class AppRoleSecret implements Serializable {
+    private static final long serialVersionUID = -3401074170145792641L;
+
    @JsonProperty("secret_id")
    @JsonInclude(JsonInclude.Include.NON_NULL)
    private String id;
@ -126,8 +131,9 @@ public final class AppRoleSecret {
     */
    @JsonGetter("cidr_list")
    public String getCidrListString() {
-        if (cidrList == null || cidrList.isEmpty())
+        if (cidrList == null || cidrList.isEmpty()) {
            return "";
+        }
        return String.join(",", cidrList);
    }

@ -165,4 +171,29 @@ public final class AppRoleSecret {
    public Integer getTtl() {
        return ttl;
    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        AppRoleSecret that = (AppRoleSecret) o;
+        return Objects.equals(id, that.id) &&
+                Objects.equals(accessor, that.accessor) &&
+                Objects.equals(metadata, that.metadata) &&
+                Objects.equals(cidrList, that.cidrList) &&
+                Objects.equals(creationTime, that.creationTime) &&
+                Objects.equals(expirationTime, that.expirationTime) &&
+                Objects.equals(lastUpdatedTime, that.lastUpdatedTime) &&
+                Objects.equals(numUses, that.numUses) &&
+                Objects.equals(ttl, that.ttl);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(id, accessor, metadata, cidrList, creationTime, expirationTime, lastUpdatedTime, numUses,
+                ttl);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/AuthBackend.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/AuthBackend.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -24,6 +24,7 @@ package de.stklcode.jvault.connector.model;
 */
 public enum AuthBackend {
    TOKEN("token"),
+    @Deprecated(since = "1.1.3", forRemoval = true)
    APPID("app-id"),
    APPROLE("approle"),
    USERPASS("userpass"),
@ -48,9 +49,11 @@ public enum AuthBackend {
     * @return Auth backend value
     */
    public static AuthBackend forType(final String type) {
-        for (AuthBackend v : values())
-            if (v.type.equalsIgnoreCase(type))
+        for (AuthBackend v : values()) {
+            if (v.type.equalsIgnoreCase(type)) {
                return v;
+            }
+        }
        return UNKNOWN;
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/Token.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/Token.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -20,21 +20,28 @@ import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;

-import java.util.List;
-import java.util.Map;
+import java.io.Serializable;
+import java.util.*;

 /**
 * Vault Token metamodel.
 *
 * @author Stefan Kalscheuer
 * @since 0.4.0
+ * @since 1.1 implements {@link Serializable}
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public final class Token {
+public final class Token implements Serializable {
+    private static final long serialVersionUID = 5208508683665365287L;
+
    @JsonProperty("id")
    @JsonInclude(JsonInclude.Include.NON_NULL)
    private String id;

+    @JsonProperty("type")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private String type;
+
    @JsonProperty("display_name")
    @JsonInclude(JsonInclude.Include.NON_NULL)
    private String displayName;
@ -51,6 +58,10 @@ public final class Token {
    @JsonInclude(JsonInclude.Include.NON_NULL)
    private Integer ttl;

+    @JsonProperty("explicit_max_ttl")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private Integer explicitMaxTtl;
+
    @JsonProperty("num_uses")
    @JsonInclude(JsonInclude.Include.NON_NULL)
    private Integer numUses;
@ -67,37 +78,49 @@ public final class Token {
    @JsonInclude(JsonInclude.Include.NON_NULL)
    private Boolean renewable;

+    @JsonProperty("period")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private Integer period;
+
+    @JsonProperty("entity_alias")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private String entityAlias;
+
    /**
-     * Construct complete {@link Token} object.
-     *
-     * @param id              Token ID (optional)
-     * @param displayName     Token display name (optional)
-     * @param noParent        Token has no parent (optional)
-     * @param noDefaultPolicy Do not add default policy (optional)
-     * @param ttl             Token TTL in seconds (optional)
-     * @param numUses         Number of uses (optional)
-     * @param policies        List of policies (optional)
-     * @param meta            Metadata (optional)
-     * @param renewable       Is the token renewable (optional)
+     * Construct empty {@link Token} object.
     */
-    public Token(final String id,
-                 final String displayName,
-                 final Boolean noParent,
-                 final Boolean noDefaultPolicy,
-                 final Integer ttl,
-                 final Integer numUses,
-                 final List<String> policies,
-                 final Map<String, String> meta,
-                 final Boolean renewable) {
-        this.id = id;
-        this.displayName = displayName;
-        this.ttl = ttl;
-        this.numUses = numUses;
-        this.noParent = noParent;
-        this.noDefaultPolicy = noDefaultPolicy;
-        this.policies = policies;
-        this.meta = meta;
-        this.renewable = renewable;
+    public Token() {
+    }
+
+    /**
+     * Construct {@link Token} object from {@link Builder}.
+     *
+     * @param builder Token builder.
+     */
+    public Token(final Builder builder) {
+        this.id = builder.id;
+        this.type = builder.type != null ? builder.type.value() : null;
+        this.displayName = builder.displayName;
+        this.noParent = builder.noParent;
+        this.noDefaultPolicy = builder.noDefaultPolicy;
+        this.ttl = builder.ttl;
+        this.explicitMaxTtl = builder.explicitMaxTtl;
+        this.numUses = builder.numUses;
+        this.policies = builder.policies;
+        this.meta = builder.meta;
+        this.renewable = builder.renewable;
+        this.period = builder.period;
+        this.entityAlias = builder.entityAlias;
+    }
+
+    /**
+     * Get {@link Builder} instance.
+     *
+     * @return Token Builder.
+     * @since 0.8
+     */
+    public static Builder builder() {
+        return new Builder();
    }

    /**
@ -107,6 +130,14 @@ public final class Token {
        return id;
    }

+    /**
+     * @return Token type
+     * @since 0.9
+     */
+    public String getType() {
+        return type;
+    }
+
    /**
     * @return Token display name
     */
@ -135,6 +166,14 @@ public final class Token {
        return ttl;
    }

+    /**
+     * @return Explicit maximum time-to-live in seconds
+     * @since 0.9
+     */
+    public Integer getExplicitMaxTtl() {
+        return explicitMaxTtl;
+    }
+
    /**
     * @return Number of uses
     */
@ -162,4 +201,354 @@ public final class Token {
    public Boolean isRenewable() {
        return renewable;
    }
+
+    /**
+     * @return Token period.
+     * @since 0.9
+     */
+    public Integer getPeriod() {
+        return period;
+    }
+
+    /**
+     * @return Token entity alias.
+     * @since 0.9
+     */
+    public String getEntityAlias() {
+        return entityAlias;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        Token token = (Token) o;
+        return Objects.equals(id, token.id) &&
+                Objects.equals(type, token.type) &&
+                Objects.equals(displayName, token.displayName) &&
+                Objects.equals(noParent, token.noParent) &&
+                Objects.equals(noDefaultPolicy, token.noDefaultPolicy) &&
+                Objects.equals(ttl, token.ttl) &&
+                Objects.equals(explicitMaxTtl, token.explicitMaxTtl) &&
+                Objects.equals(numUses, token.numUses) &&
+                Objects.equals(policies, token.policies) &&
+                Objects.equals(meta, token.meta) &&
+                Objects.equals(renewable, token.renewable) &&
+                Objects.equals(period, token.period) &&
+                Objects.equals(entityAlias, token.entityAlias);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(id, type, displayName, noParent, noDefaultPolicy, ttl, explicitMaxTtl, numUses, policies,
+                meta, renewable, period, entityAlias);
+    }
+
+    /**
+     * Constants for token types.
+     */
+    public enum Type {
+        DEFAULT("default"),
+        BATCH("batch"),
+        SERVICE("service"),
+        DEFAULT_SERVICE("default-service"),
+        DEFAULT_BATCH("default-batch");
+
+        private final String value;
+
+        Type(String value) {
+            this.value = value;
+        }
+
+        public String value() {
+            return value;
+        }
+    }
+
+
+    /**
+     * A builder for vault tokens.
+     *
+     * @author Stefan Kalscheuer
+     * @since 0.4.0
+     * @since 0.9 Moved into subclass of {@link Token}.
+     */
+    public static final class Builder {
+        private String id;
+        private Type type;
+        private String displayName;
+        private Boolean noParent;
+        private Boolean noDefaultPolicy;
+        private Integer ttl;
+        private Integer explicitMaxTtl;
+        private Integer numUses;
+        private List<String> policies;
+        private Map<String, String> meta;
+        private Boolean renewable;
+        private Integer period;
+        private String entityAlias;
+
+        /**
+         * Add token ID. (optional)
+         *
+         * @param id the ID
+         * @return self
+         */
+        public Builder withId(final String id) {
+            this.id = id;
+            return this;
+        }
+
+        /**
+         * Specify token type.
+         *
+         * @param type the type
+         * @return self
+         * @since 0.9
+         */
+        public Builder withType(final Token.Type type) {
+            this.type = type;
+            return this;
+        }
+
+        /**
+         * Add display name.
+         *
+         * @param displayName the display name
+         * @return self
+         */
+        public Builder withDisplayName(final String displayName) {
+            this.displayName = displayName;
+            return this;
+        }
+
+        /**
+         * Set desired time to live.
+         *
+         * @param ttl the ttl
+         * @return self
+         */
+        public Builder withTtl(final Integer ttl) {
+            this.ttl = ttl;
+            return this;
+        }
+
+        /**
+         * Set desired explicit maximum time to live.
+         *
+         * @param explicitMaxTtl the explicit max. TTL
+         * @return self
+         */
+        public Builder withExplicitMaxTtl(final Integer explicitMaxTtl) {
+            this.explicitMaxTtl = explicitMaxTtl;
+            return this;
+        }
+
+        /**
+         * Set desired number of uses.
+         *
+         * @param numUses the number of uses
+         * @return self
+         */
+        public Builder withNumUses(final Integer numUses) {
+            this.numUses = numUses;
+            return this;
+        }
+
+        /**
+         * Set TRUE if the token should be created without parent.
+         *
+         * @param noParent if TRUE, token is created as orphan
+         * @return self
+         */
+        public Builder withNoParent(final boolean noParent) {
+            this.noParent = noParent;
+            return this;
+        }
+
+        /**
+         * Create token without parent.
+         * Convenience method for withNoParent()
+         *
+         * @return self
+         */
+        public Builder asOrphan() {
+            return withNoParent(true);
+        }
+
+        /**
+         * Create token with parent.
+         * Convenience method for withNoParent()
+         *
+         * @return self
+         */
+        public Builder withParent() {
+            return withNoParent(false);
+        }
+
+        /**
+         * Set TRUE if the default policy should not be part of this token.
+         *
+         * @param noDefaultPolicy if TRUE, default policy is not attached
+         * @return self
+         */
+        public Builder withNoDefaultPolicy(final boolean noDefaultPolicy) {
+            this.noDefaultPolicy = noDefaultPolicy;
+            return this;
+        }
+
+        /**
+         * Attach default policy to token.
+         * Convenience method for withNoDefaultPolicy()
+         *
+         * @return self
+         */
+        public Builder withDefaultPolicy() {
+            return withNoDefaultPolicy(false);
+        }
+
+        /**
+         * Do not attach default policy to token.
+         * Convenience method for withNoDefaultPolicy()
+         *
+         * @return self
+         */
+        public Builder withoutDefaultPolicy() {
+            return withNoDefaultPolicy(true);
+        }
+
+        /**
+         * Add given policies.
+         *
+         * @param policies the policies
+         * @return self
+         * @since 0.5.0
+         */
+        public Builder withPolicies(final String... policies) {
+            return withPolicies(Arrays.asList(policies));
+        }
+
+        /**
+         * Add given policies.
+         *
+         * @param policies the policies
+         * @return self
+         */
+        public Builder withPolicies(final List<String> policies) {
+            if (this.policies == null) {
+                this.policies = new ArrayList<>();
+            }
+            this.policies.addAll(policies);
+            return this;
+        }
+
+        /**
+         * Add a single policy.
+         *
+         * @param policy the policy
+         * @return self
+         */
+        public Builder withPolicy(final String policy) {
+            if (this.policies == null) {
+                this.policies = new ArrayList<>();
+            }
+            policies.add(policy);
+            return this;
+        }
+
+        /**
+         * Add meta data.
+         *
+         * @param meta the metadata
+         * @return self
+         */
+        public Builder withMeta(final Map<String, String> meta) {
+            if (this.meta == null) {
+                this.meta = new HashMap<>();
+            }
+            this.meta.putAll(meta);
+            return this;
+        }
+
+        /**
+         * Add meta data.
+         *
+         * @param key   the key
+         * @param value the value
+         * @return self
+         */
+        public Builder withMeta(final String key, final String value) {
+            if (this.meta == null) {
+                this.meta = new HashMap<>();
+            }
+            this.meta.put(key, value);
+            return this;
+        }
+
+        /**
+         * Set if token is renewable.
+         *
+         * @param renewable TRUE, if renewable
+         * @return self
+         */
+        public Builder withRenewable(final Boolean renewable) {
+            this.renewable = renewable;
+            return this;
+        }
+
+        /**
+         * Set token to be renewable.
+         * Convenience method for withRenewable()
+         *
+         * @return self
+         */
+        public Builder renewable() {
+            return withRenewable(true);
+        }
+
+        /**
+         * Set token to be not renewable.
+         * Convenience method for withRenewable()
+         *
+         * @return self
+         */
+        public Builder notRenewable() {
+            return withRenewable(false);
+        }
+
+        /**
+         * Set token period (former lease time).
+         *
+         * @param period Period in seconds.
+         * @return self
+         */
+        public Builder withPeriod(final Integer period) {
+            this.period = period;
+            return this;
+        }
+
+        /**
+         * Set entity alias for token.
+         * Only works in combination with an associated token role.
+         *
+         * @param entityAlias Entity alias.
+         * @return self
+         */
+        public Builder withEntityAlias(final String entityAlias) {
+            this.entityAlias = entityAlias;
+            return this;
+        }
+
+        /**
+         * Build the token based on given parameters.
+         *
+         * @return the token
+         */
+        public Token build() {
+            return new Token(this);
+        }
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/TokenBuilder.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/TokenBuilder.java
@ -1,255 +0,0 @@
-/*
- * Copyright 2016-2018 Stefan Kalscheuer
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package de.stklcode.jvault.connector.model;
-
-import java.util.*;
-
-/**
- * A builder for vault tokens.
- *
- * @author Stefan Kalscheuer
- * @since 0.4.0
- */
-public final class TokenBuilder {
-    private String id;
-    private String displayName;
-    private Boolean noParent;
-    private Boolean noDefaultPolicy;
-    private Integer ttl;
-    private Integer numUses;
-    private List<String> policies;
-    private Map<String, String> meta;
-    private Boolean renewable;
-
-    /**
-     * Add token ID. (optional)
-     *
-     * @param id the ID
-     * @return self
-     */
-    public TokenBuilder withId(final String id) {
-        this.id = id;
-        return this;
-    }
-
-    /**
-     * Add display name.
-     *
-     * @param displayName the display name
-     * @return self
-     */
-    public TokenBuilder withDisplayName(final String displayName) {
-        this.displayName = displayName;
-        return this;
-    }
-
-    /**
-     * Set desired time to live.
-     *
-     * @param ttl the ttl
-     * @return self
-     */
-    public TokenBuilder withTtl(final Integer ttl) {
-        this.ttl = ttl;
-        return this;
-    }
-
-    /**
-     * Set desired number of uses.
-     *
-     * @param numUses the number of uses
-     * @return self
-     */
-    public TokenBuilder withNumUses(final Integer numUses) {
-        this.numUses = numUses;
-        return this;
-    }
-
-    /**
-     * Set TRUE if the token should be created without parent.
-     *
-     * @param noParent if TRUE, token is created as orphan
-     * @return self
-     */
-    public TokenBuilder withNoParent(final boolean noParent) {
-        this.noParent = noParent;
-        return this;
-    }
-
-    /**
-     * Create token without parent.
-     * Convenience method for withNoParent()
-     *
-     * @return self
-     */
-    public TokenBuilder asOrphan() {
-        return withNoParent(true);
-    }
-
-    /**
-     * Create token with parent.
-     * Convenience method for withNoParent()
-     *
-     * @return self
-     */
-    public TokenBuilder withParent() {
-        return withNoParent(false);
-    }
-
-    /**
-     * Set TRUE if the default policy should not be part of this token.
-     *
-     * @param noDefaultPolicy if TRUE, default policy is not attached
-     * @return self
-     */
-    public TokenBuilder withNoDefaultPolicy(final boolean noDefaultPolicy) {
-        this.noDefaultPolicy = noDefaultPolicy;
-        return this;
-    }
-
-    /**
-     * Attach default policy to token.
-     * Convenience method for withNoDefaultPolicy()
-     *
-     * @return self
-     */
-    public TokenBuilder withDefaultPolicy() {
-        return withNoDefaultPolicy(false);
-    }
-
-    /**
-     * Do not attach default policy to token.
-     * Convenience method for withNoDefaultPolicy()
-     *
-     * @return self
-     */
-    public TokenBuilder withoutDefaultPolicy() {
-        return withNoDefaultPolicy(true);
-    }
-
-    /**
-     * Add given policies.
-     *
-     * @param policies the policies
-     * @return self
-     * @since 0.5.0
-     */
-    public TokenBuilder withPolicies(final String... policies) {
-        return withPolicies(Arrays.asList(policies));
-    }
-
-    /**
-     * Add given policies.
-     *
-     * @param policies the policies
-     * @return self
-     */
-    public TokenBuilder withPolicies(final List<String> policies) {
-        if (this.policies == null)
-            this.policies = new ArrayList<>();
-        this.policies.addAll(policies);
-        return this;
-    }
-
-    /**
-     * Add a single policy.
-     *
-     * @param policy the policy
-     * @return self
-     */
-    public TokenBuilder withPolicy(final String policy) {
-        if (this.policies == null)
-            this.policies = new ArrayList<>();
-        policies.add(policy);
-        return this;
-    }
-
-    /**
-     * Add meta data.
-     *
-     * @param meta the metadata
-     * @return self
-     */
-    public TokenBuilder withMeta(final Map<String, String> meta) {
-        if (this.meta == null)
-            this.meta = new HashMap<>();
-        this.meta.putAll(meta);
-        return this;
-    }
-
-    /**
-     * Add meta data.
-     *
-     * @param key   the key
-     * @param value the value
-     * @return self
-     */
-    public TokenBuilder withMeta(final String key, final String value) {
-        if (this.meta == null)
-            this.meta = new HashMap<>();
-        this.meta.put(key, value);
-        return this;
-    }
-
-    /**
-     * Set if token is renewable.
-     *
-     * @param renewable TRUE, if renewable
-     * @return self
-     */
-    public TokenBuilder withRenewable(final Boolean renewable) {
-        this.renewable = renewable;
-        return this;
-    }
-
-    /**
-     * Set token to be renewable.
-     * Convenience method for withRenewable()
-     *
-     * @return self
-     */
-    public TokenBuilder renewable() {
-        return withRenewable(true);
-    }
-
-    /**
-     * Set token to be not renewable.
-     * Convenience method for withRenewable()
-     *
-     * @return self
-     */
-    public TokenBuilder notRenewable() {
-        return withRenewable(false);
-    }
-
-    /**
-     * Build the token based on given parameters.
-     *
-     * @return the token
-     */
-    public Token build() {
-        return new Token(id,
-                displayName,
-                noParent,
-                noDefaultPolicy,
-                ttl,
-                numUses,
-                policies,
-                meta,
-                renewable);
-    }
-}
--- a/src/main/java/de/stklcode/jvault/connector/model/TokenRole.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/TokenRole.java
@ -0,0 +1,598 @@
+/*
+ * Copyright 2016-2023 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Objects;
+
+/**
+ * Vault Token Role metamodel.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.9
+ * @since 1.1 implements {@link Serializable}
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public final class TokenRole implements Serializable {
+    private static final long serialVersionUID = -3505215215838576321L;
+
+    @JsonProperty("name")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private String name;
+
+    @JsonProperty("allowed_policies")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private List<String> allowedPolicies;
+
+    @JsonProperty("allowed_policies_glob")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private List<String> allowedPoliciesGlob;
+
+    @JsonProperty("disallowed_policies")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private List<String> disallowedPolicies;
+
+    @JsonProperty("disallowed_policies_glob")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private List<String> disallowedPoliciesGlob;
+
+    @JsonProperty("orphan")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private Boolean orphan;
+
+    @JsonProperty("renewable")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private Boolean renewable;
+
+    @JsonProperty("path_suffix")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private String pathSuffix;
+
+    @JsonProperty("allowed_entity_aliases")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private List<String> allowedEntityAliases;
+
+    @JsonProperty("token_bound_cidrs")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private List<String> tokenBoundCidrs;
+
+    @JsonProperty("token_explicit_max_ttl")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private Integer tokenExplicitMaxTtl;
+
+    @JsonProperty("token_no_default_policy")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private Boolean tokenNoDefaultPolicy;
+
+    @JsonProperty("token_num_uses")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private Integer tokenNumUses;
+
+    @JsonProperty("token_period")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private Integer tokenPeriod;
+
+    @JsonProperty("token_type")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private String tokenType;
+
+    /**
+     * Construct empty {@link TokenRole} object.
+     */
+    public TokenRole() {
+    }
+
+    public TokenRole(final Builder builder) {
+        this.name = builder.name;
+        this.allowedPolicies = builder.allowedPolicies;
+        this.allowedPoliciesGlob = builder.allowedPoliciesGlob;
+        this.disallowedPolicies = builder.disallowedPolicies;
+        this.disallowedPoliciesGlob = builder.disallowedPoliciesGlob;
+        this.orphan = builder.orphan;
+        this.renewable = builder.renewable;
+        this.pathSuffix = builder.pathSuffix;
+        this.allowedEntityAliases = builder.allowedEntityAliases;
+        this.tokenBoundCidrs = builder.tokenBoundCidrs;
+        this.tokenExplicitMaxTtl = builder.tokenExplicitMaxTtl;
+        this.tokenNoDefaultPolicy = builder.tokenNoDefaultPolicy;
+        this.tokenNumUses = builder.tokenNumUses;
+        this.tokenPeriod = builder.tokenPeriod;
+        this.tokenType = builder.tokenType != null ? builder.tokenType.value() : null;
+    }
+
+    /**
+     * Get {@link Builder} instance.
+     *
+     * @return Token Role Builder.
+     */
+    public static Builder builder() {
+        return new Builder();
+    }
+
+    /**
+     * @return Token Role name
+     */
+    public String getName() {
+        return name;
+    }
+
+    /**
+     * @return List of allowed policies
+     */
+    public List<String> getAllowedPolicies() {
+        return allowedPolicies;
+    }
+
+    /**
+     * @return List of allowed policy glob patterns
+     * @since 1.1
+     */
+    public List<String> getAllowedPoliciesGlob() {
+        return allowedPoliciesGlob;
+    }
+
+    /**
+     * @return List of disallowed policies
+     */
+    public List<String> getDisallowedPolicies() {
+        return disallowedPolicies;
+    }
+
+    /**
+     * @return List of disallowed policy glob patterns
+     * @since 1.1
+     */
+    public List<String> getDisallowedPoliciesGlob() {
+        return disallowedPoliciesGlob;
+    }
+
+    /**
+     * @return Is Token Role orphan?
+     */
+    public Boolean getOrphan() {
+        return orphan;
+    }
+
+    /**
+     * @return Is Token Role renewable?
+     */
+    public Boolean getRenewable() {
+        return renewable;
+    }
+
+    /**
+     * @return Path suffix
+     */
+    public String getPathSuffix() {
+        return pathSuffix;
+    }
+
+    /**
+     * @return List of allowed entity aliases
+     */
+    public List<String> getAllowedEntityAliases() {
+        return allowedEntityAliases;
+    }
+
+    /**
+     * @return Token bound CIDR blocks
+     */
+    public List<String> getTokenBoundCidrs() {
+        return tokenBoundCidrs;
+    }
+
+    /**
+     * @return Token explicit maximum TTL
+     */
+    public Integer getTokenExplicitMaxTtl() {
+        return tokenExplicitMaxTtl;
+    }
+
+    /**
+     * @return Token without default policy?
+     */
+    public Boolean getTokenNoDefaultPolicy() {
+        return tokenNoDefaultPolicy;
+    }
+
+    /**
+     * @return Token number of uses
+     */
+    public Integer getTokenNumUses() {
+        return tokenNumUses;
+    }
+
+    /**
+     * @return Token period
+     */
+    public Integer getTokenPeriod() {
+        return tokenPeriod;
+    }
+
+    /**
+     * @return Token type
+     */
+    public String getTokenType() {
+        return tokenType;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        TokenRole tokenRole = (TokenRole) o;
+        return Objects.equals(name, tokenRole.name) &&
+                Objects.equals(allowedPolicies, tokenRole.allowedPolicies) &&
+                Objects.equals(allowedPoliciesGlob, tokenRole.allowedPoliciesGlob) &&
+                Objects.equals(disallowedPolicies, tokenRole.disallowedPolicies) &&
+                Objects.equals(disallowedPoliciesGlob, tokenRole.disallowedPoliciesGlob) &&
+                Objects.equals(orphan, tokenRole.orphan) &&
+                Objects.equals(renewable, tokenRole.renewable) &&
+                Objects.equals(pathSuffix, tokenRole.pathSuffix) &&
+                Objects.equals(allowedEntityAliases, tokenRole.allowedEntityAliases) &&
+                Objects.equals(tokenBoundCidrs, tokenRole.tokenBoundCidrs) &&
+                Objects.equals(tokenExplicitMaxTtl, tokenRole.tokenExplicitMaxTtl) &&
+                Objects.equals(tokenNoDefaultPolicy, tokenRole.tokenNoDefaultPolicy) &&
+                Objects.equals(tokenNumUses, tokenRole.tokenNumUses) &&
+                Objects.equals(tokenPeriod, tokenRole.tokenPeriod) &&
+                Objects.equals(tokenType, tokenRole.tokenType);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(name, allowedPolicies, allowedPoliciesGlob, disallowedPolicies, disallowedPoliciesGlob,
+                orphan, renewable, pathSuffix, allowedEntityAliases, tokenBoundCidrs, tokenExplicitMaxTtl,
+                tokenNoDefaultPolicy, tokenNumUses, tokenPeriod, tokenType);
+    }
+
+    /**
+     * A builder for vault token roles.
+     *
+     * @author Stefan Kalscheuer
+     * @since 0.9
+     */
+    public static final class Builder {
+        private String name;
+        private List<String> allowedPolicies;
+        private List<String> allowedPoliciesGlob;
+        private List<String> disallowedPolicies;
+        private List<String> disallowedPoliciesGlob;
+        private Boolean orphan;
+        private Boolean renewable;
+        private String pathSuffix;
+        private List<String> allowedEntityAliases;
+        private List<String> tokenBoundCidrs;
+        private Integer tokenExplicitMaxTtl;
+        private Boolean tokenNoDefaultPolicy;
+        private Integer tokenNumUses;
+        private Integer tokenPeriod;
+        private Token.Type tokenType;
+
+        /**
+         * Add token role name.
+         *
+         * @param name role name
+         * @return self
+         */
+        public Builder forName(final String name) {
+            this.name = name;
+            return this;
+        }
+
+        /**
+         * Add an allowed policy.
+         *
+         * @param allowedPolicy allowed policy to add
+         * @return self
+         */
+        public Builder withAllowedPolicy(final String allowedPolicy) {
+            if (allowedPolicy != null) {
+                if (this.allowedPolicies == null) {
+                    this.allowedPolicies = new ArrayList<>();
+                }
+                this.allowedPolicies.add(allowedPolicy);
+            }
+            return this;
+        }
+
+        /**
+         * Add allowed policies.
+         *
+         * @param allowedPolicies list of allowed policies
+         * @return self
+         */
+        public Builder withAllowedPolicies(final List<String> allowedPolicies) {
+            if (allowedPolicies != null) {
+                if (this.allowedPolicies == null) {
+                    this.allowedPolicies = new ArrayList<>();
+                }
+                this.allowedPolicies.addAll(allowedPolicies);
+            }
+            return this;
+        }
+
+        /**
+         * Add an allowed policy glob pattern.
+         *
+         * @param allowedPolicyGlob allowed policy glob pattern to add
+         * @return self
+         * @since 1.1
+         */
+        public Builder withAllowedPolicyGlob(final String allowedPolicyGlob) {
+            if (allowedPolicyGlob != null) {
+                if (this.allowedPoliciesGlob == null) {
+                    this.allowedPoliciesGlob = new ArrayList<>();
+                }
+                this.allowedPoliciesGlob.add(allowedPolicyGlob);
+            }
+            return this;
+        }
+
+        /**
+         * Add allowed policy glob patterns.
+         *
+         * @param allowedPoliciesGlob list of allowed policy glob patterns
+         * @return self
+         * @since 1.1
+         */
+        public Builder withAllowedPoliciesGlob(final List<String> allowedPoliciesGlob) {
+            if (allowedPoliciesGlob != null) {
+                if (this.allowedPoliciesGlob == null) {
+                    this.allowedPoliciesGlob = new ArrayList<>();
+                }
+                this.allowedPoliciesGlob.addAll(allowedPoliciesGlob);
+            }
+            return this;
+        }
+
+        /**
+         * Add a disallowed policy.
+         *
+         * @param disallowedPolicy disallowed policy to add
+         * @return self
+         */
+        public Builder withDisallowedPolicy(final String disallowedPolicy) {
+            if (disallowedPolicy != null) {
+                if (this.disallowedPolicies == null) {
+                    this.disallowedPolicies = new ArrayList<>();
+                }
+                this.disallowedPolicies.add(disallowedPolicy);
+            }
+            return this;
+        }
+
+        /**
+         * Add disallowed policies.
+         *
+         * @param disallowedPolicies list of disallowed policies
+         * @return self
+         */
+        public Builder withDisallowedPolicies(final List<String> disallowedPolicies) {
+            if (disallowedPolicies != null) {
+                if (this.disallowedPolicies == null) {
+                    this.disallowedPolicies = new ArrayList<>();
+                }
+                this.disallowedPolicies.addAll(disallowedPolicies);
+            }
+            return this;
+        }
+
+        /**
+         * Add an allowed policy glob pattern.
+         *
+         * @param disallowedPolicyGlob disallowed policy glob pattern to add
+         * @return self
+         * @since 1.1
+         */
+        public Builder withDisallowedPolicyGlob(final String disallowedPolicyGlob) {
+            if (disallowedPolicyGlob != null) {
+                if (this.disallowedPoliciesGlob == null) {
+                    this.disallowedPoliciesGlob = new ArrayList<>();
+                }
+                this.disallowedPoliciesGlob.add(disallowedPolicyGlob);
+            }
+            return this;
+        }
+
+        /**
+         * Add disallowed policy glob patterns.
+         *
+         * @param disallowedPoliciesGlob list of disallowed policy glob patterns
+         * @return self
+         * @since 1.1
+         */
+        public Builder withDisallowedPoliciesGlob(final List<String> disallowedPoliciesGlob) {
+            if (disallowedPoliciesGlob != null) {
+                if (this.disallowedPoliciesGlob == null) {
+                    this.disallowedPoliciesGlob = new ArrayList<>();
+                }
+                this.disallowedPoliciesGlob.addAll(disallowedPoliciesGlob);
+            }
+            return this;
+        }
+
+        /**
+         * Set TRUE if the token role should be created orphan.
+         *
+         * @param orphan if TRUE, token role is created as orphan
+         * @return self
+         */
+        public Builder orphan(final Boolean orphan) {
+            this.orphan = orphan;
+            return this;
+        }
+
+        /**
+         * Set TRUE if the token role should be created renewable.
+         *
+         * @param renewable if TRUE, token role is created renewable
+         * @return self
+         */
+        public Builder renewable(final Boolean renewable) {
+            this.renewable = renewable;
+            return this;
+        }
+
+        /**
+         * Set token role path suffix.
+         *
+         * @param pathSuffix path suffix to use
+         * @return self
+         */
+        public Builder withPathSuffix(final String pathSuffix) {
+            this.pathSuffix = pathSuffix;
+            return this;
+        }
+
+        /**
+         * Add an allowed entity alias.
+         *
+         * @param allowedEntityAlias allowed entity alias to add
+         * @return self
+         */
+        public Builder withAllowedEntityAlias(final String allowedEntityAlias) {
+            if (allowedEntityAlias != null) {
+                if (this.allowedEntityAliases == null) {
+                    this.allowedEntityAliases = new ArrayList<>();
+                }
+                this.allowedEntityAliases.add(allowedEntityAlias);
+            }
+            return this;
+        }
+
+        /**
+         * Add allowed entity aliases.
+         *
+         * @param allowedEntityAliases list of allowed entity aliases to add
+         * @return self
+         */
+        public Builder withAllowedEntityAliases(final List<String> allowedEntityAliases) {
+            if (allowedEntityAliases != null) {
+                if (this.allowedEntityAliases == null) {
+                    this.allowedEntityAliases = new ArrayList<>();
+                }
+                this.allowedEntityAliases.addAll(allowedEntityAliases);
+            }
+            return this;
+        }
+
+        /**
+         * Add a single bound CIDR.
+         *
+         * @param tokenBoundCidr bound CIDR to add
+         * @return self
+         */
+        public Builder withTokenBoundCidr(final String tokenBoundCidr) {
+            if (tokenBoundCidr != null) {
+                if (this.tokenBoundCidrs == null) {
+                    this.tokenBoundCidrs = new ArrayList<>();
+                }
+                this.tokenBoundCidrs.add(tokenBoundCidr);
+            }
+            return this;
+        }
+
+        /**
+         * Add a list of bound CIDRs.
+         *
+         * @param tokenBoundCidrs list of bound CIDRs to add
+         * @return self
+         */
+        public Builder withTokenBoundCidrs(final List<String> tokenBoundCidrs) {
+            if (tokenBoundCidrs != null) {
+                if (this.tokenBoundCidrs == null) {
+                    this.tokenBoundCidrs = new ArrayList<>();
+                }
+                this.tokenBoundCidrs.addAll(tokenBoundCidrs);
+            }
+            return this;
+        }
+
+        /**
+         * Set explicit max. TTL for token.
+         *
+         * @param tokenExplicitMaxTtl explicit maximum TTL
+         * @return self
+         */
+        public Builder withTokenExplicitMaxTtl(final Integer tokenExplicitMaxTtl) {
+            this.tokenExplicitMaxTtl = tokenExplicitMaxTtl;
+            return this;
+        }
+
+        /**
+         * Set TRUE if the token role should be created renewable.
+         *
+         * @param tokenNoDefaultPolicy if TRUE, token is created without default policy.
+         * @return self
+         */
+        public Builder withTokenNoDefaultPolicy(final Boolean tokenNoDefaultPolicy) {
+            this.tokenNoDefaultPolicy = tokenNoDefaultPolicy;
+            return this;
+        }
+
+        /**
+         * Set number of uses for tokens.
+         *
+         * @param tokenNumUses number of uses for associated tokens.
+         * @return self
+         */
+        public Builder withTokenNumUses(final Integer tokenNumUses) {
+            this.tokenNumUses = tokenNumUses;
+            return this;
+        }
+
+        /**
+         * Set token period.
+         *
+         * @param tokenPeriod token period
+         * @return self
+         */
+        public Builder withTokenPeriod(final Integer tokenPeriod) {
+            this.tokenPeriod = tokenPeriod;
+            return this;
+        }
+
+        /**
+         * Set token type.
+         *
+         * @param tokenType token type
+         * @return self
+         */
+        public Builder withTokenType(final Token.Type tokenType) {
+            this.tokenType = tokenType;
+            return this;
+        }
+
+        /**
+         * Build the token based on given parameters.
+         *
+         * @return the token
+         */
+        public TokenRole build() {
+            return new TokenRole(this);
+        }
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/package-info.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/package-info.java
@ -0,0 +1,20 @@
+/*
+ * Copyright 2016-2023 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Model classes for communication with the Vault API.
+ */
+package de.stklcode.jvault.connector.model;
--- a/src/main/java/de/stklcode/jvault/connector/model/response/AppRoleResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/AppRoleResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,13 +17,10 @@
 package de.stklcode.jvault.connector.model.response;

 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import com.fasterxml.jackson.annotation.JsonProperty;
 import de.stklcode.jvault.connector.model.AppRole;

-import java.io.IOException;
-import java.util.HashMap;
-import java.util.Map;
+import java.util.Objects;

 /**
 * Vault response for AppRole lookup.
@ -33,22 +30,10 @@ import java.util.Map;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class AppRoleResponse extends VaultDataResponse {
-    private AppRole role;
+    private static final long serialVersionUID = -6536422219633829177L;

-    @Override
-    public void setData(final Map<String, Object> data) throws InvalidResponseException {
-        ObjectMapper mapper = new ObjectMapper();
-        try {
-            /* null empty strings on list objects */
-            Map<String, Object> filteredData = new HashMap<>();
-            data.forEach((k, v) -> {
-                if (!(v instanceof String && ((String) v).isEmpty())) filteredData.put(k, v);
-            });
-            this.role = mapper.readValue(mapper.writeValueAsString(filteredData), AppRole.class);
-        } catch (IOException e) {
-            throw new InvalidResponseException("Failed deserializing response", e);
-        }
-    }
+    @JsonProperty("data")
+    private AppRole role;

    /**
     * @return The role
@ -56,4 +41,20 @@ public final class AppRoleResponse extends VaultDataResponse {
    public AppRole getRole() {
        return role;
    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
+            return false;
+        }
+        AppRoleResponse that = (AppRoleResponse) o;
+        return Objects.equals(role, that.role);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(super.hashCode(), role);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/AppRoleSecretResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/AppRoleSecretResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,13 +17,10 @@
 package de.stklcode.jvault.connector.model.response;

 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import com.fasterxml.jackson.annotation.JsonProperty;
 import de.stklcode.jvault.connector.model.AppRoleSecret;

-import java.io.IOException;
-import java.util.HashMap;
-import java.util.Map;
+import java.util.Objects;

 /**
 * Vault response for AppRole lookup.
@ -33,22 +30,10 @@ import java.util.Map;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class AppRoleSecretResponse extends VaultDataResponse {
-    private AppRoleSecret secret;
+    private static final long serialVersionUID = -2484103304072370585L;

-    @Override
-    public void setData(final Map<String, Object> data) throws InvalidResponseException {
-        ObjectMapper mapper = new ObjectMapper();
-        try {
-            /* null empty strings on list objects */
-            Map<String, Object> filteredData = new HashMap<>();
-            data.forEach((k, v) -> {
-                if (!(v instanceof String && ((String) v).isEmpty())) filteredData.put(k, v);
-            });
-            this.secret = mapper.readValue(mapper.writeValueAsString(filteredData), AppRoleSecret.class);
-        } catch (IOException e) {
-            throw new InvalidResponseException("Failed deserializing response", e);
-        }
-    }
+    @JsonProperty("data")
+    private AppRoleSecret secret;

    /**
     * @return The secret
@ -56,4 +41,20 @@ public final class AppRoleSecretResponse extends VaultDataResponse {
    public AppRoleSecret getSecret() {
        return secret;
    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
+            return false;
+        }
+        AppRoleSecretResponse that = (AppRoleSecretResponse) o;
+        return Objects.equals(secret, that.secret);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(super.hashCode(), secret);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/AuthMethodsResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/AuthMethodsResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,22 +17,24 @@
 package de.stklcode.jvault.connector.model.response;

 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import com.fasterxml.jackson.annotation.JsonProperty;
 import de.stklcode.jvault.connector.model.response.embedded.AuthMethod;

-import java.io.IOException;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Objects;

 /**
 * Authentication method response.
 *
- * @author  Stefan Kalscheuer
- * @since   0.1
+ * @author Stefan Kalscheuer
+ * @since 0.1
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class AuthMethodsResponse extends VaultDataResponse {
+    private static final long serialVersionUID = -1802724129533405375L;
+
+    @JsonProperty("data")
    private Map<String, AuthMethod> supportedMethods;

    /**
@ -42,23 +44,26 @@ public final class AuthMethodsResponse extends VaultDataResponse {
        this.supportedMethods = new HashMap<>();
    }

-    @Override
-    public void setData(final Map<String, Object> data) throws InvalidResponseException {
-        ObjectMapper mapper = new ObjectMapper();
-        for (Map.Entry<String, Object> entry : data.entrySet()) {
-            try {
-                this.supportedMethods.put(entry.getKey(),
-                        mapper.readValue(mapper.writeValueAsString(entry.getValue()), AuthMethod.class));
-            } catch (IOException e) {
-                throw new InvalidResponseException();
-            }
-        }
-    }
-
    /**
     * @return Supported authentication methods
     */
    public Map<String, AuthMethod> getSupportedMethods() {
        return supportedMethods;
    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
+            return false;
+        }
+        AuthMethodsResponse that = (AuthMethodsResponse) o;
+        return Objects.equals(supportedMethods, that.supportedMethods);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(super.hashCode(), supportedMethods);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/AuthResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/AuthResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -18,12 +18,9 @@ package de.stklcode.jvault.connector.model.response;

 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
 import de.stklcode.jvault.connector.model.response.embedded.AuthData;

-import java.io.IOException;
-import java.util.Map;
+import java.util.Objects;

 /**
 * Vault response for authentication providing auth info in {@link AuthData} field.
@ -33,37 +30,10 @@ import java.util.Map;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class AuthResponse extends VaultDataResponse {
-    private Map<String, Object> data;
+    private static final long serialVersionUID = 1628851361067456715L;

-    private AuthData auth;
-
-    /**
-     * Set authentication data. The input will be mapped to the {@link AuthData} model.
-     *
-     * @param auth Raw authentication data
-     * @throws InvalidResponseException on mapping errors
-     */
    @JsonProperty("auth")
-    public void setAuth(final Map<String, Object> auth) throws InvalidResponseException {
-        ObjectMapper mapper = new ObjectMapper();
-        try {
-            this.auth = mapper.readValue(mapper.writeValueAsString(auth), AuthData.class);
-        } catch (IOException e) {
-            throw new InvalidResponseException("Failed deserializing response", e);
-        }
-    }
-
-    @Override
-    public void setData(final Map<String, Object> data) {
-        this.data = data;
-    }
-
-    /**
-     * @return Raw data
-     */
-    public Map<String, Object> getData() {
-        return data;
-    }
+    private AuthData auth;

    /**
     * @return Authentication data
@ -71,4 +41,20 @@ public final class AuthResponse extends VaultDataResponse {
    public AuthData getAuth() {
        return auth;
    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
+            return false;
+        }
+        AuthResponse that = (AuthResponse) o;
+        return Objects.equals(auth, that.auth);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(super.hashCode(), auth);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/CredentialsResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/CredentialsResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -21,19 +21,21 @@ import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 /**
 * Vault response from credentials lookup. Simple wrapper for data objects containing username and password fields.
 *
- * @author  Stefan Kalscheuer
- * @since   0.5.0
+ * @author Stefan Kalscheuer
+ * @since 0.5.0
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public final class CredentialsResponse extends SecretResponse {
+public final class CredentialsResponse extends PlainSecretResponse {
+    private static final long serialVersionUID = -1439692963299045425L;

    /**
     * @return Username
     */
    public String getUsername() {
        Object username = get("username");
-        if (username != null)
+        if (username != null) {
            return username.toString();
+        }
        return null;
    }

@ -42,8 +44,9 @@ public final class CredentialsResponse extends SecretResponse {
     */
    public String getPassword() {
        Object password = get("password");
-        if (password != null)
+        if (password != null) {
            return password.toString();
+        }
        return null;
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/ErrorResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/ErrorResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -20,15 +20,18 @@ import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;

 import java.util.List;
+import java.util.Objects;

 /**
 * Vault response in case of errors.
 *
- * @author  Stefan Kalscheuer
- * @since   0.1
+ * @author Stefan Kalscheuer
+ * @since 0.1
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class ErrorResponse implements VaultResponse {
+    private static final long serialVersionUID = -6227368087842549149L;
+
    @JsonProperty("errors")
    private List<String> errors;

@ -47,4 +50,20 @@ public final class ErrorResponse implements VaultResponse {
            return errors.get(0);
        }
    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        ErrorResponse that = (ErrorResponse) o;
+        return Objects.equals(errors, that.errors);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(errors);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/HealthResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/HealthResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,14 +19,18 @@ package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;

+import java.util.Objects;
+
 /**
 * Vault response for health query.
 *
- * @author  Stefan Kalscheuer
- * @since   0.7.0
+ * @author Stefan Kalscheuer
+ * @since 0.7.0
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class HealthResponse implements VaultResponse {
+    private static final long serialVersionUID = 6483840078694294401L;
+
    @JsonProperty("cluster_id")
    private String clusterID;

@ -48,6 +52,15 @@ public final class HealthResponse implements VaultResponse {
    @JsonProperty("initialized")
    private Boolean initialized;

+    @JsonProperty("replication_performance_mode")
+    private String replicationPerfMode;
+
+    @JsonProperty("replication_dr_mode")
+    private String replicationDrMode;
+
+    @JsonProperty("performance_standby")
+    private Boolean performanceStandby;
+
    /**
     * @return The Cluster ID.
     */
@ -96,4 +109,54 @@ public final class HealthResponse implements VaultResponse {
    public Boolean isInitialized() {
        return initialized;
    }
+
+    /**
+     * @return Replication performance mode of the active node (since Vault 0.9.2).
+     * @since 0.8 (#21)
+     */
+    public String getReplicationPerfMode() {
+        return replicationPerfMode;
+    }
+
+    /**
+     * @return Replication DR mode of the active node (since Vault 0.9.2).
+     * @since 0.8 (#21)
+     */
+    public String getReplicationDrMode() {
+        return replicationDrMode;
+    }
+
+    /**
+     * @return Performance standby status.
+     * @since 0.8 (#21)
+     */
+    public Boolean isPerformanceStandby() {
+        return performanceStandby;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        HealthResponse that = (HealthResponse) o;
+        return Objects.equals(clusterID, that.clusterID) &&
+                Objects.equals(clusterName, that.clusterName) &&
+                Objects.equals(version, that.version) &&
+                Objects.equals(serverTimeUTC, that.serverTimeUTC) &&
+                Objects.equals(standby, that.standby) &&
+                Objects.equals(sealed, that.sealed) &&
+                Objects.equals(initialized, that.initialized) &&
+                Objects.equals(replicationPerfMode, that.replicationPerfMode) &&
+                Objects.equals(replicationDrMode, that.replicationDrMode) &&
+                Objects.equals(performanceStandby, that.performanceStandby);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(clusterID, clusterName, version, serverTimeUTC, standby, sealed, initialized,
+                replicationPerfMode, replicationDrMode, performanceStandby);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/HelpResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/HelpResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,14 +19,18 @@ package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;

+import java.util.Objects;
+
 /**
 * Vault response for help request.
 *
- * @author  Stefan Kalscheuer
- * @since   0.1
+ * @author Stefan Kalscheuer
+ * @since 0.1
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class HelpResponse implements VaultResponse {
+    private static final long serialVersionUID = -1152070966642848490L;
+
    @JsonProperty("help")
    private String help;

@ -36,4 +40,20 @@ public final class HelpResponse implements VaultResponse {
    public String getHelp() {
        return help;
    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        HelpResponse that = (HelpResponse) o;
+        return Objects.equals(help, that.help);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(help);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/MetaSecretResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/MetaSecretResponse.java
@ -0,0 +1,75 @@
+/*
+ * Copyright 2016-2021 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import de.stklcode.jvault.connector.model.response.embedded.SecretWrapper;
+import de.stklcode.jvault.connector.model.response.embedded.VersionMetadata;
+
+import java.io.Serializable;
+import java.util.Collections;
+import java.util.Map;
+import java.util.Objects;
+
+/**
+ * Vault response for secret responses with metadata.
+ *
+ * @author Stefan Kalscheuer
+ * @since 1.1 abstract
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class MetaSecretResponse extends SecretResponse {
+    private static final long serialVersionUID = -1076542846391240162L;
+
+    @JsonProperty("data")
+    private SecretWrapper secret;
+
+    @Override
+    public final Map<String, Serializable> getData() {
+        if (secret != null) {
+            return secret.getData();
+        } else {
+            return Collections.emptyMap();
+        }
+    }
+
+    @Override
+    public final VersionMetadata getMetadata() {
+        if (secret != null) {
+            return secret.getMetadata();
+        } else {
+            return null;
+        }
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
+            return false;
+        }
+        MetaSecretResponse that = (MetaSecretResponse) o;
+        return Objects.equals(secret, that.secret);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(super.hashCode(), secret);
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/response/MetadataResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/MetadataResponse.java
@ -0,0 +1,63 @@
+/*
+ * Copyright 2016-2023 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import de.stklcode.jvault.connector.model.response.embedded.SecretMetadata;
+
+import java.util.Objects;
+
+
+/**
+ * Vault response for secret metadata (KV v2).
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.8
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class MetadataResponse extends VaultDataResponse {
+    private static final long serialVersionUID = -3679762333630984679L;
+
+    @JsonProperty("data")
+    private SecretMetadata metadata;
+
+    /**
+     * Get the actual metadata.
+     *
+     * @return Metadata.
+     */
+    public SecretMetadata getMetadata() {
+        return metadata;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
+            return false;
+        }
+        MetadataResponse that = (MetadataResponse) o;
+        return Objects.equals(metadata, that.metadata);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(super.hashCode(), metadata);
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/response/PlainSecretResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/PlainSecretResponse.java
@ -0,0 +1,66 @@
+/*
+ * Copyright 2016-2021 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import de.stklcode.jvault.connector.model.response.embedded.VersionMetadata;
+
+import java.io.Serializable;
+import java.util.Collections;
+import java.util.Map;
+import java.util.Objects;
+
+/**
+ * Vault response for plain secret responses.
+ *
+ * @author Stefan Kalscheuer
+ * @since 1.1 abstract
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class PlainSecretResponse extends SecretResponse {
+    private static final long serialVersionUID = 3010138542437913023L;
+
+    @JsonProperty("data")
+    private Map<String, Serializable> data;
+
+    @Override
+    public final Map<String, Serializable> getData() {
+        return Objects.requireNonNullElseGet(data, Collections::emptyMap);
+    }
+
+    @Override
+    public final VersionMetadata getMetadata() {
+        return null;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
+            return false;
+        }
+        PlainSecretResponse that = (PlainSecretResponse) o;
+        return Objects.equals(data, that.data);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(super.hashCode(), data);
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/response/RawDataResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/RawDataResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,28 +17,45 @@
 package de.stklcode.jvault.connector.model.response;

 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;

+import java.io.Serializable;
 import java.util.Map;
+import java.util.Objects;

 /**
 * Simple Vault data response.
 *
- * @author  Stefan Kalscheuer
- * @since   0.4.0
+ * @author Stefan Kalscheuer
+ * @since 0.4.0
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class RawDataResponse extends VaultDataResponse {
-    private Map<String, Object> data;
+    private static final long serialVersionUID = -319727427792124071L;

-    @Override
-    public void setData(final Map<String, Object> data) {
-        this.data = data;
-    }
+    @JsonProperty("data")
+    private Map<String, Serializable> data;

    /**
     * @return Raw data {@link Map}
     */
-    public Map<String, Object> getData() {
+    public Map<String, Serializable> getData() {
        return data;
    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
+            return false;
+        }
+        RawDataResponse that = (RawDataResponse) o;
+        return Objects.equals(data, that.data);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(super.hashCode(), data);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/SealResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/SealResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,17 +19,28 @@ package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;

+import java.time.ZonedDateTime;
+import java.util.Objects;
+
 /**
 * Vault response for seal status or unseal request.
 *
- * @author  Stefan Kalscheuer
- * @since   0.1
+ * @author Stefan Kalscheuer
+ * @since 0.1
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class SealResponse implements VaultResponse {
+    private static final long serialVersionUID = -6000309255473305787L;
+
+    @JsonProperty("type")
+    private String type;
+
    @JsonProperty("sealed")
    private boolean sealed;

+    @JsonProperty("initialized")
+    private boolean initialized;
+
    @JsonProperty("t")
    private Integer threshold;

@ -39,6 +50,38 @@ public final class SealResponse implements VaultResponse {
    @JsonProperty("progress")
    private Integer progress;

+    @JsonProperty("version")
+    private String version;
+
+    @JsonProperty("build_date")
+    private ZonedDateTime buildDate;
+
+    @JsonProperty("nonce")
+    private String nonce;
+
+    @JsonProperty("cluster_name")
+    private String clusterName;
+
+    @JsonProperty("cluster_id")
+    private String clusterId;
+
+    @JsonProperty("migration")
+    private Boolean migration;
+
+    @JsonProperty("recovery_seal")
+    private Boolean recoverySeal;
+
+    @JsonProperty("storage_type")
+    private String storageType;
+
+    /**
+     * @return Seal type.
+     * @since 0.8
+     */
+    public String getType() {
+        return type;
+    }
+
    /**
     * @return Seal status
     */
@ -46,6 +89,14 @@ public final class SealResponse implements VaultResponse {
        return sealed;
    }

+    /**
+     * @return Vault initialization status (since Vault 0.11.2).
+     * @since 0.8
+     */
+    public boolean isInitialized() {
+        return initialized;
+    }
+
    /**
     * @return Required threshold of secret shares
     */
@ -66,4 +117,98 @@ public final class SealResponse implements VaultResponse {
    public Integer getProgress() {
        return progress;
    }
+
+    /**
+     * @return Vault version.
+     * @since 0.8
+     */
+    public String getVersion() {
+        return version;
+    }
+
+    /**
+     * @return Vault build date.
+     * @since 1.2
+     */
+    public ZonedDateTime getBuildDate() {
+        return buildDate;
+    }
+
+    /**
+     * @return A random nonce.
+     * @since 0.8
+     */
+    public String getNonce() {
+        return nonce;
+    }
+
+    /**
+     * @return Vault cluster name (only if unsealed).
+     * @since 0.8
+     */
+    public String getClusterName() {
+        return clusterName;
+    }
+
+    /**
+     * @return Vault cluster ID (only if unsealed).
+     * @since 0.8
+     */
+    public String getClusterId() {
+        return clusterId;
+    }
+
+    /**
+     * @return Migration status (since Vault 1.4)
+     * @since 1.1
+     */
+    public Boolean getMigration() {
+        return migration;
+    }
+
+    /**
+     * @return Recovery seal status.
+     * @since 1.1
+     */
+    public Boolean getRecoverySeal() {
+        return recoverySeal;
+    }
+
+    /**
+     * @return Storage type (since Vault 1.3).
+     * @since 1.1
+     */
+    public String getStorageType() {
+        return storageType;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        SealResponse that = (SealResponse) o;
+        return sealed == that.sealed &&
+                initialized == that.initialized &&
+                Objects.equals(type, that.type) &&
+                Objects.equals(threshold, that.threshold) &&
+                Objects.equals(numberOfShares, that.numberOfShares) &&
+                Objects.equals(progress, that.progress) &&
+                Objects.equals(version, that.version) &&
+                Objects.equals(buildDate, that.buildDate) &&
+                Objects.equals(nonce, that.nonce) &&
+                Objects.equals(clusterName, that.clusterName) &&
+                Objects.equals(clusterId, that.clusterId) &&
+                Objects.equals(migration, that.migration) &&
+                Objects.equals(recoverySeal, that.recoverySeal) &&
+                Objects.equals(storageType, that.storageType);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(type, sealed, initialized, threshold, numberOfShares, progress, version, buildDate, nonce,
+                clusterName, clusterId, migration, recoverySeal, storageType);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/SecretListResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/SecretListResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -18,10 +18,11 @@ package de.stklcode.jvault.connector.model.response;

 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import de.stklcode.jvault.connector.model.response.embedded.SecretListWrapper;

+import java.util.Collections;
 import java.util.List;
-import java.util.Map;
+import java.util.Objects;

 /**
 * Vault response for secret list request.
@ -31,27 +32,34 @@ import java.util.Map;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class SecretListResponse extends VaultDataResponse {
-    private List<String> keys;

-    /**
-     * Set data. Extracts list of keys from raw response data.
-     *
-     * @param data Raw data
-     * @throws InvalidResponseException on parsing errors
-     */
+    private static final long serialVersionUID = 8597121175002967213L;
    @JsonProperty("data")
-    public void setData(final Map<String, Object> data) throws InvalidResponseException {
-        try {
-            this.keys = (List<String>) data.get("keys");
-        } catch (ClassCastException e) {
-            throw new InvalidResponseException("Keys could not be parsed from data.", e);
-        }
-    }
+    private SecretListWrapper data;

    /**
     * @return List of secret keys
     */
    public List<String> getKeys() {
-        return keys;
+        if (data == null) {
+            return Collections.emptyList();
+        }
+        return Objects.requireNonNullElseGet(data.getKeys(), Collections::emptyList);
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
+            return false;
+        }
+        SecretListResponse that = (SecretListResponse) o;
+        return Objects.equals(data, that.data);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(super.hashCode(), data);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/SecretResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/SecretResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,11 +17,15 @@
 package de.stklcode.jvault.connector.model.response;

 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.SerializationFeature;
+import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
 import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import de.stklcode.jvault.connector.model.response.embedded.VersionMetadata;

 import java.io.IOException;
-import java.util.HashMap;
+import java.io.Serializable;
 import java.util.Map;

 /**
@ -29,27 +33,28 @@ import java.util.Map;
 *
 * @author Stefan Kalscheuer
 * @since 0.1
+ * @since 1.1 abstract
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public class SecretResponse extends VaultDataResponse {
-    private Map<String, Object> data;
-
-    @Override
-    public final void setData(final Map<String, Object> data) throws InvalidResponseException {
-        this.data = data;
-    }
+public abstract class SecretResponse extends VaultDataResponse {
+    private static final long serialVersionUID = 5198088815871692951L;

    /**
     * Get complete data object.
     *
     * @return data map
     * @since 0.4.0
+     * @since 1.1 Serializable map value.
     */
-    public final Map<String, Object> getData() {
-        if (data == null)
-            return new HashMap<>();
-        return data;
-    }
+    public abstract Map<String, Serializable> getData();
+
+    /**
+     * Get secret metadata. This is only available for KV v2 secrets.
+     *
+     * @return Metadata of the secret.
+     * @since 0.8
+     */
+    public abstract VersionMetadata getMetadata();

    /**
     * Get a single value for given key.
@ -59,57 +64,38 @@ public class SecretResponse extends VaultDataResponse {
     * @since 0.4.0
     */
    public final Object get(final String key) {
-        if (data == null)
-            return null;
        return getData().get(key);
    }

-    /**
-     * Get data element for key "value".
-     * Method for backwards compatibility in case of simple secrets.
-     *
-     * @return the value
-     * @deprecated Deprecated artifact, will be removed at latest at v1.0.0
-     */
-    @Deprecated
-    public final String getValue() {
-        Object value = get("value");
-        if (value == null)
-            return null;
-        return value.toString();
-    }
-
    /**
     * Get response parsed as JSON.
     *
+     * @param key  the key
     * @param type Class to parse response
-     * @param <T>  Class to parse response
-     * @return Parsed object
-     * @throws InvalidResponseException on parsing error
-     * @since 0.3
-     * @deprecated Deprecated artifact, will be removed at latest at v1.0.0
-     */
-    @Deprecated
-    public final <T> T getValue(final Class<T> type) throws InvalidResponseException {
-        return get("value", type);
-    }
-
-    /**
-     * Get response parsed as JSON.
-     *
-     * @param key the key
-     * @param type Class to parse response
-     * @param <T>  Class to parse response
+     * @param <C>  Class to parse response
     * @return Parsed object or {@code null} if absent
     * @throws InvalidResponseException on parsing error
     * @since 0.4.0
     */
-    public final <T> T get(final String key, final Class<T> type) throws InvalidResponseException {
+    public final <C> C get(final String key, final Class<C> type) throws InvalidResponseException {
        try {
            Object rawValue = get(key);
-            if (rawValue == null)
+            if (rawValue == null) {
                return null;
-            return new ObjectMapper().readValue(rawValue.toString(), type);
+            } else if (type.isInstance(rawValue)) {
+                return type.cast(rawValue);
+            } else {
+                var om = new ObjectMapper()
+                        .registerModule(new JavaTimeModule())
+                        .enable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS)
+                        .disable(DeserializationFeature.ADJUST_DATES_TO_CONTEXT_TIME_ZONE);
+
+                if (rawValue instanceof String) {
+                    return om.readValue((String) rawValue, type);
+                } else {
+                    return om.readValue(om.writeValueAsString(rawValue), type);
+                }
+            }
        } catch (IOException e) {
            throw new InvalidResponseException("Unable to parse response payload: " + e.getMessage());
        }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/SecretVersionResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/SecretVersionResponse.java
@ -0,0 +1,62 @@
+/*
+ * Copyright 2016-2023 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import de.stklcode.jvault.connector.model.response.embedded.VersionMetadata;
+
+import java.util.Objects;
+
+/**
+ * Vault response for a single secret version metadata, i.e. after update (KV v2).
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.8
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class SecretVersionResponse extends VaultDataResponse {
+    private static final long serialVersionUID = 2748635005258576174L;
+
+    @JsonProperty("data")
+    private VersionMetadata metadata;
+
+    /**
+     * Get the actual metadata.
+     *
+     * @return Metadata.
+     */
+    public VersionMetadata getMetadata() {
+        return metadata;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
+            return false;
+        }
+        SecretVersionResponse that = (SecretVersionResponse) o;
+        return Objects.equals(metadata, that.metadata);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(super.hashCode(), metadata);
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/response/TokenResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/TokenResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -18,12 +18,9 @@ package de.stklcode.jvault.connector.model.response;

 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
 import de.stklcode.jvault.connector.model.response.embedded.TokenData;

-import java.io.IOException;
-import java.util.Map;
+import java.util.Objects;

 /**
 * Vault response from token lookup providing Token information in {@link TokenData} field.
@ -33,31 +30,41 @@ import java.util.Map;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class TokenResponse extends VaultDataResponse {
+    private static final long serialVersionUID = -4053126653764241197L;
+
+    @JsonProperty("data")
    private TokenData data;

    @JsonProperty("auth")
    private Boolean auth;

-    /**
-     * Set data. Parses response data map to {@link TokenData}.
-     *
-     * @param data Raw response data
-     * @throws InvalidResponseException on parsing errors
-     */
-    @Override
-    public void setData(final Map<String, Object> data) throws InvalidResponseException {
-        ObjectMapper mapper = new ObjectMapper();
-        try {
-            this.data = mapper.readValue(mapper.writeValueAsString(data), TokenData.class);
-        } catch (IOException e) {
-            throw new InvalidResponseException("Failed deserializing response", e);
-        }
-    }
-
    /**
     * @return Token data
     */
    public TokenData getData() {
        return data;
    }
+
+    /**
+     * @return Auth data
+     */
+    public Boolean getAuth() {
+        return auth;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
+            return false;
+        }
+        TokenResponse that = (TokenResponse) o;
+        return Objects.equals(data, that.data) && Objects.equals(auth, that.auth);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(super.hashCode(), data, auth);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/TokenRoleResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/TokenRoleResponse.java
@ -0,0 +1,61 @@
+/*
+ * Copyright 2016-2023 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import de.stklcode.jvault.connector.model.TokenRole;
+import de.stklcode.jvault.connector.model.response.embedded.TokenData;
+
+import java.util.Objects;
+
+/**
+ * Vault response from token role lookup providing Token information in {@link TokenData} field.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.9
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public final class TokenRoleResponse extends VaultDataResponse {
+    private static final long serialVersionUID = 5265363857731948626L;
+
+    @JsonProperty("data")
+    private TokenRole data;
+
+    /**
+     * @return TokenRole data
+     */
+    public TokenRole getData() {
+        return data;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
+            return false;
+        }
+        TokenRoleResponse that = (TokenRoleResponse) o;
+        return Objects.equals(data, that.data);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(super.hashCode(), data);
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/response/VaultDataResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/VaultDataResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,10 +17,10 @@
 package de.stklcode.jvault.connector.model.response;

 import com.fasterxml.jackson.annotation.JsonProperty;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import de.stklcode.jvault.connector.model.response.embedded.WrapInfo;

 import java.util.List;
-import java.util.Map;
+import java.util.Objects;

 /**
 * Abstract Vault response with default payload fields.
@ -29,6 +29,11 @@ import java.util.Map;
 * @since 0.1
 */
 public abstract class VaultDataResponse implements VaultResponse {
+    private static final long serialVersionUID = 7486270767477652184L;
+
+    @JsonProperty("request_id")
+    private String requestId;
+
    @JsonProperty("lease_id")
    private String leaseId;

@ -41,14 +46,16 @@ public abstract class VaultDataResponse implements VaultResponse {
    @JsonProperty("warnings")
    private List<String> warnings;

+    @JsonProperty("wrap_info")
+    private WrapInfo wrapInfo;
+
    /**
-     * Set data. To be implemented in the specific subclasses, as data can be of arbitrary structure.
-     *
-     * @param data Raw response data
-     * @throws InvalidResponseException on parsing errors
+     * @return Request ID
+     * @since 1.1
     */
-    @JsonProperty("data")
-    public abstract void setData(final Map<String, Object> data) throws InvalidResponseException;
+    public final String getRequestId() {
+        return requestId;
+    }

    /**
     * @return Lease ID
@ -77,4 +84,33 @@ public abstract class VaultDataResponse implements VaultResponse {
    public final List<String> getWarnings() {
        return warnings;
    }
+
+    /**
+     * @return Wrapping information
+     * @since 1.1
+     */
+    public final WrapInfo getWrapInfo() {
+        return wrapInfo;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        VaultDataResponse that = (VaultDataResponse) o;
+        return renewable == that.renewable &&
+                Objects.equals(requestId, that.requestId) &&
+                Objects.equals(leaseId, that.leaseId) &&
+                Objects.equals(leaseDuration, that.leaseDuration) &&
+                Objects.equals(warnings, that.warnings) &&
+                Objects.equals(wrapInfo, that.wrapInfo);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(requestId, leaseId, renewable, leaseDuration, warnings, wrapInfo);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/VaultResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/VaultResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,11 +16,14 @@

 package de.stklcode.jvault.connector.model.response;

+import java.io.Serializable;
+
 /**
 * Marker interface for responses from Vault backend.
 *
- * @author  Stefan Kalscheuer
- * @since   0.1
+ * @author Stefan Kalscheuer
+ * @since 0.1
+ * @since 1.1 extends {@link Serializable}
 */
-public interface VaultResponse {
+public interface VaultResponse extends Serializable {
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/AuthData.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/AuthData.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,17 +19,22 @@ package de.stklcode.jvault.connector.model.response.embedded;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;

+import java.io.Serializable;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;

 /**
 * Embedded authorization information inside Vault response.
 *
- * @author  Stefan Kalscheuer
- * @since   0.1
+ * @author Stefan Kalscheuer
+ * @since 0.1
+ * @since 1.1 implements {@link Serializable}
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public final class AuthData {
+public final class AuthData implements Serializable {
+    private static final long serialVersionUID = 3067695351664603536L;
+
    @JsonProperty("client_token")
    private String clientToken;

@ -39,6 +44,9 @@ public final class AuthData {
    @JsonProperty("policies")
    private List<String> policies;

+    @JsonProperty("token_policies")
+    private List<String> tokenPolicies;
+
    @JsonProperty("metadata")
    private Map<String, Object> metadata;

@ -48,6 +56,18 @@ public final class AuthData {
    @JsonProperty("renewable")
    private boolean renewable;

+    @JsonProperty("entity_id")
+    private String entityId;
+
+    @JsonProperty("token_type")
+    private String tokenType;
+
+    @JsonProperty("orphan")
+    private boolean orphan;
+
+    @JsonProperty("mfa_requirement")
+    private MfaRequirement mfaRequirement;
+
    /**
     * @return Client token
     */
@ -56,10 +76,11 @@ public final class AuthData {
    }

    /**
-     * @return Token accessor
+     * @return Token type
+     * @since 0.9
     */
-    public String getAccessor() {
-        return accessor;
+    public String getTokenType() {
+        return tokenType;
    }

    /**
@ -69,6 +90,14 @@ public final class AuthData {
        return policies;
    }

+    /**
+     * @return List of policies associated with the token
+     * @since 0.9
+     */
+    public List<String> getTokenPolicies() {
+        return tokenPolicies;
+    }
+
    /**
     * @return Metadata
     */
@ -89,4 +118,63 @@ public final class AuthData {
    public boolean isRenewable() {
        return renewable;
    }
+
+    /**
+     * @return Entity ID
+     * @since 0.9
+     */
+    public String getEntityId() {
+        return entityId;
+    }
+
+    /**
+     * @return Token accessor
+     */
+    public String getAccessor() {
+        return accessor;
+    }
+
+    /**
+     * @return Token is orphan
+     * @since 0.9
+     */
+    public boolean isOrphan() {
+        return orphan;
+    }
+
+    /**
+     * @return multi-factor requirement
+     * @since 1.2
+     */
+    public MfaRequirement getMfaRequirement() {
+        return mfaRequirement;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        AuthData authData = (AuthData) o;
+        return renewable == authData.renewable &&
+                orphan == authData.orphan &&
+                Objects.equals(clientToken, authData.clientToken) &&
+                Objects.equals(accessor, authData.accessor) &&
+                Objects.equals(policies, authData.policies) &&
+                Objects.equals(tokenPolicies, authData.tokenPolicies) &&
+                Objects.equals(metadata, authData.metadata) &&
+                Objects.equals(leaseDuration, authData.leaseDuration) &&
+                Objects.equals(entityId, authData.entityId) &&
+                Objects.equals(tokenType, authData.tokenType) &&
+                Objects.equals(mfaRequirement, authData.mfaRequirement);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(clientToken, accessor, policies, tokenPolicies, metadata, leaseDuration, renewable,
+                entityId, tokenType, orphan, mfaRequirement);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/AuthMethod.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/AuthMethod.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -21,28 +21,60 @@ import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.annotation.JsonSetter;
 import de.stklcode.jvault.connector.model.AuthBackend;

+import java.io.Serializable;
 import java.util.Map;
+import java.util.Objects;

 /**
 * Embedded authentication method response.
 *
- * @author  Stefan Kalscheuer
- * @since   0.1
+ * @author Stefan Kalscheuer
+ * @since 0.1
+ * @since 1.1 implements {@link Serializable}
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public final class AuthMethod {
+public final class AuthMethod implements Serializable {
+    private static final long serialVersionUID = -439987082190917691L;
+
    private AuthBackend type;
    private String rawType;

+    @JsonProperty("accessor")
+    private String accessor;
+
+    @JsonProperty("deprecation_status")
+    private String deprecationStatus;
+
    @JsonProperty("description")
    private String description;

    @JsonProperty("config")
-    private Map<String, String> config;
+    private MountConfig config;
+
+    @JsonProperty("external_entropy_access")
+    private boolean externalEntropyAccess;

    @JsonProperty("local")
    private boolean local;

+    @JsonProperty("options")
+    private Map<String, String> options;
+
+    @JsonProperty("plugin_version")
+    private String pluginVersion;
+
+    @JsonProperty("running_plugin_version")
+    private String runningPluginVersion;
+
+    @JsonProperty("running_sha256")
+    private String runningSha256;
+
+    @JsonProperty("seal_wrap")
+    private boolean sealWrap;
+
+    @JsonProperty("uuid")
+    private String uuid;
+
    /**
     * @param type Backend type, passed to {@link AuthBackend#forType(String)}
     */
@ -66,6 +98,22 @@ public final class AuthMethod {
        return rawType;
    }

+    /**
+     * @return Accessor
+     * @since 1.1
+     */
+    public String getAccessor() {
+        return accessor;
+    }
+
+    /**
+     * @return Deprecation status
+     * @since 1.2
+     */
+    public String getDeprecationStatus() {
+        return deprecationStatus;
+    }
+
    /**
     * @return Description
     */
@ -75,15 +123,103 @@ public final class AuthMethod {

    /**
     * @return Configuration data
+     * @since 0.2
+     * @since 1.2 Returns {@link MountConfig} instead of {@link Map}
     */
-    public Map<String, String> getConfig() {
+    public MountConfig getConfig() {
        return config;
    }

+    /**
+     * @return Backend has access to external entropy source
+     * @since 1.1
+     */
+    public boolean isExternalEntropyAccess() {
+        return externalEntropyAccess;
+    }
+
    /**
     * @return Is local backend
     */
    public boolean isLocal() {
        return local;
    }
+
+    /**
+     * @return Options
+     * @since 1.2
+     */
+    public Map<String, String> getOptions() {
+        return options;
+    }
+
+    /**
+     * @return Plugin version
+     * @since 1.2
+     */
+    public String getPluginVersion() {
+        return pluginVersion;
+    }
+
+    /**
+     * @return Running plugin version
+     * @since 1.2
+     */
+    public String getRunningPluginVersion() {
+        return runningPluginVersion;
+    }
+
+    /**
+     * @return Running SHA256
+     * @since 1.2
+     */
+    public String getRunningSha256() {
+        return runningSha256;
+    }
+
+    /**
+     * @return Seal wrapping enabled
+     * @since 1.1
+     */
+    public boolean isSealWrap() {
+        return sealWrap;
+    }
+
+    /**
+     * @return Backend UUID
+     * @since 1.1
+     */
+    public String getUuid() {
+        return uuid;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        AuthMethod that = (AuthMethod) o;
+        return local == that.local &&
+                type == that.type &&
+                externalEntropyAccess == that.externalEntropyAccess &&
+                sealWrap == that.sealWrap &&
+                Objects.equals(rawType, that.rawType) &&
+                Objects.equals(accessor, that.accessor) &&
+                Objects.equals(deprecationStatus, that.deprecationStatus) &&
+                Objects.equals(description, that.description) &&
+                Objects.equals(config, that.config) &&
+                Objects.equals(options, that.options) &&
+                Objects.equals(pluginVersion, that.pluginVersion) &&
+                Objects.equals(runningPluginVersion, that.runningPluginVersion) &&
+                Objects.equals(runningSha256, that.runningSha256) &&
+                Objects.equals(uuid, that.uuid);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(type, rawType, accessor, deprecationStatus, description, config, externalEntropyAccess,
+            local, options, pluginVersion, runningPluginVersion, runningSha256, sealWrap, uuid);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MfaConstraintAny.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MfaConstraintAny.java
@ -0,0 +1,62 @@
+/*
+ * Copyright 2016-2023 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response.embedded;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.io.Serializable;
+import java.util.List;
+import java.util.Objects;
+
+/**
+ * Embedded multi-factor-authentication (MFA) constraint "any".
+ *
+ * @author Stefan Kalscheuer
+ * @since 1.2
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public final class MfaConstraintAny implements Serializable {
+    private static final long serialVersionUID = 1226126781813149627L;
+
+    @JsonProperty("any")
+    private List<MfaMethodId> any;
+
+    /**
+     * @return List of "any" MFA methods
+     */
+    public List<MfaMethodId> getAny() {
+        return any;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        MfaConstraintAny mfaRequirement = (MfaConstraintAny) o;
+        return Objects.equals(any, mfaRequirement.any);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(any);
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MfaMethodId.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MfaMethodId.java
@ -0,0 +1,94 @@
+/*
+ * Copyright 2016-2023 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response.embedded;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.io.Serializable;
+import java.util.Objects;
+
+/**
+ * Embedded multi-factor-authentication (MFA) requirement.
+ *
+ * @author Stefan Kalscheuer
+ * @since 1.2
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public final class MfaMethodId implements Serializable {
+    private static final long serialVersionUID = 691298070242998814L;
+
+    @JsonProperty("type")
+    private String type;
+
+    @JsonProperty("id")
+    private String id;
+
+    @JsonProperty("uses_passcode")
+    private Boolean usesPasscode;
+
+    @JsonProperty("name")
+    private String name;
+
+    /**
+     * @return MFA method type
+     */
+    public String getType() {
+        return type;
+    }
+
+    /**
+     * @return MFA method id
+     */
+    public String getId() {
+        return id;
+    }
+
+    /**
+     * @return MFA uses passcode id
+     */
+    public Boolean getUsesPasscode() {
+        return usesPasscode;
+    }
+
+    /**
+     * @return MFA method name
+     */
+    public String getName() {
+        return name;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        MfaMethodId mfaMethodId = (MfaMethodId) o;
+        return Objects.equals(type, mfaMethodId.type) &&
+            Objects.equals(id, mfaMethodId.id) &&
+            Objects.equals(usesPasscode, mfaMethodId.usesPasscode) &&
+            Objects.equals(name, mfaMethodId.name);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(type, id, usesPasscode, name);
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MfaRequirement.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MfaRequirement.java
@ -0,0 +1,73 @@
+/*
+ * Copyright 2016-2023 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response.embedded;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.io.Serializable;
+import java.util.Map;
+import java.util.Objects;
+
+/**
+ * Embedded multi-factor-authentication (MFA) requirement.
+ *
+ * @author Stefan Kalscheuer
+ * @since 1.2
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public final class MfaRequirement implements Serializable {
+    private static final long serialVersionUID = -2516941512455319638L;
+
+    @JsonProperty("mfa_request_id")
+    private String mfaRequestId;
+
+    @JsonProperty("mfa_constraints")
+    private Map<String, MfaConstraintAny> mfaConstraints;
+
+    /**
+     * @return MFA request ID
+     */
+    public String getMfaRequestId() {
+        return mfaRequestId;
+    }
+
+    /**
+     * @return MFA constraints
+     */
+    public Map<String, MfaConstraintAny> getMfaConstraints() {
+        return mfaConstraints;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        MfaRequirement mfaRequirement = (MfaRequirement) o;
+        return Objects.equals(mfaRequestId, mfaRequirement.mfaRequestId) &&
+            Objects.equals(mfaConstraints, mfaRequirement.mfaConstraints);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(mfaRequestId, mfaConstraints);
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MountConfig.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MountConfig.java
@ -0,0 +1,168 @@
+package de.stklcode.jvault.connector.model.response.embedded;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.io.Serializable;
+import java.util.List;
+import java.util.Objects;
+
+/**
+ * Embedded mount config output.
+ *
+ * @author Stefan Kalscheuer
+ * @since 1.2
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class MountConfig implements Serializable {
+    private static final long serialVersionUID = -8653909672663717792L;
+
+    @JsonProperty("default_lease_ttl")
+    private Integer defaultLeaseTtl;
+
+    @JsonProperty("max_lease_ttl")
+    private Integer maxLeaseTtl;
+
+    @JsonProperty("force_no_cache")
+    private Boolean forceNoCache;
+
+    @JsonProperty("token_type")
+    private String tokenType;
+
+    @JsonProperty("audit_non_hmac_request_keys")
+    private List<String> auditNonHmacRequestKeys;
+
+    @JsonProperty("audit_non_hmac_response_keys")
+    private List<String> auditNonHmacResponseKeys;
+
+    @JsonProperty("listing_visibility")
+    private String listingVisibility;
+
+    @JsonProperty("passthrough_request_headers")
+    private List<String> passthroughRequestHeaders;
+
+    @JsonProperty("allowed_response_headers")
+    private List<String> allowedResponseHeaders;
+
+    @JsonProperty("allowed_managed_keys")
+    private List<String> allowedManagedKeys;
+
+    @JsonProperty("delegated_auth_accessors")
+    private List<String> delegatedAuthAccessors;
+
+    @JsonProperty("user_lockout_config")
+    private UserLockoutConfig userLockoutConfig;
+
+    /**
+     * @return Default lease TTL
+     */
+    public Integer getDefaultLeaseTtl() {
+        return defaultLeaseTtl;
+    }
+
+    /**
+     * @return Maximum lease TTL
+     */
+    public Integer getMaxLeaseTtl() {
+        return maxLeaseTtl;
+    }
+
+    /**
+     * @return Force no cache?
+     */
+    public Boolean getForceNoCache() {
+        return forceNoCache;
+    }
+
+    /**
+     * @return Token type
+     */
+    public String getTokenType() {
+        return tokenType;
+    }
+
+    /**
+     * @return Audit non HMAC request keys
+     */
+    public List<String> getAuditNonHmacRequestKeys() {
+        return auditNonHmacRequestKeys;
+    }
+
+    /**
+     * @return Audit non HMAC response keys
+     */
+    public List<String> getAuditNonHmacResponseKeys() {
+        return auditNonHmacResponseKeys;
+    }
+
+    /**
+     * @return Listing visibility
+     */
+    public String getListingVisibility() {
+        return listingVisibility;
+    }
+
+    /**
+     * @return Passthrough request headers
+     */
+    public List<String> getPassthroughRequestHeaders() {
+        return passthroughRequestHeaders;
+    }
+
+    /**
+     * @return Allowed response headers
+     */
+    public List<String> getAllowedResponseHeaders() {
+        return allowedResponseHeaders;
+    }
+
+    /**
+     * @return Allowed managed keys
+     */
+    public List<String> getAllowedManagedKeys() {
+        return allowedManagedKeys;
+    }
+
+    /**
+     * @return Delegated auth accessors
+     */
+    public List<String> getDelegatedAuthAccessors() {
+        return delegatedAuthAccessors;
+    }
+
+    /**
+     * @return User lockout config
+     */
+    public UserLockoutConfig getUserLockoutConfig() {
+        return userLockoutConfig;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        MountConfig that = (MountConfig) o;
+        return Objects.equals(defaultLeaseTtl, that.defaultLeaseTtl) &&
+            Objects.equals(maxLeaseTtl, that.maxLeaseTtl) &&
+            Objects.equals(forceNoCache, that.forceNoCache) &&
+            Objects.equals(tokenType, that.tokenType) &&
+            Objects.equals(auditNonHmacRequestKeys, that.auditNonHmacRequestKeys) &&
+            Objects.equals(auditNonHmacResponseKeys, that.auditNonHmacResponseKeys) &&
+            Objects.equals(listingVisibility, that.listingVisibility) &&
+            Objects.equals(passthroughRequestHeaders, that.passthroughRequestHeaders) &&
+            Objects.equals(allowedResponseHeaders, that.allowedResponseHeaders) &&
+            Objects.equals(allowedManagedKeys, that.allowedManagedKeys) &&
+            Objects.equals(delegatedAuthAccessors, that.delegatedAuthAccessors) &&
+            Objects.equals(userLockoutConfig, that.userLockoutConfig);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(defaultLeaseTtl, maxLeaseTtl, forceNoCache, tokenType, auditNonHmacRequestKeys,
+            auditNonHmacResponseKeys, listingVisibility, passthroughRequestHeaders, allowedResponseHeaders,
+            allowedManagedKeys, delegatedAuthAccessors, userLockoutConfig);
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/SecretListWrapper.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/SecretListWrapper.java
@ -0,0 +1,42 @@
+package de.stklcode.jvault.connector.model.response.embedded;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.io.Serializable;
+import java.util.List;
+import java.util.Objects;
+
+/**
+ * Wrapper object for secret key lists.
+ *
+ * @author Stefan Kalscheuer
+ * @since 1.1
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class SecretListWrapper implements Serializable {
+
+    private static final long serialVersionUID = -8777605197063766125L;
+    @JsonProperty("keys")
+    private List<String> keys;
+
+    public List<String> getKeys() {
+        return keys;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        SecretListWrapper that = (SecretListWrapper) o;
+        return Objects.equals(keys, that.keys);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(keys);
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/SecretMetadata.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/SecretMetadata.java
@ -0,0 +1,148 @@
+/*
+ * Copyright 2016-2023 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response.embedded;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.io.Serializable;
+import java.time.ZonedDateTime;
+import java.time.format.DateTimeFormatter;
+import java.util.Map;
+import java.util.Objects;
+
+/**
+ * Embedded metadata for Key-Value v2 secrets.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.8
+ * @since 1.1 implements {@link Serializable}
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public final class SecretMetadata implements Serializable {
+    private static final long serialVersionUID = -4967896264361344676L;
+
+    private static final DateTimeFormatter TIME_FORMAT =
+            DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss.SSSSSSSSSXXX");
+
+    @JsonProperty("created_time")
+    private ZonedDateTime createdTime;
+
+    @JsonProperty("current_version")
+    private Integer currentVersion;
+
+    @JsonProperty("max_versions")
+    private Integer maxVersions;
+
+    @JsonProperty("oldest_version")
+    private Integer oldestVersion;
+
+    @JsonProperty("updated_time")
+    private ZonedDateTime updatedTime;
+
+    @JsonProperty("versions")
+    private Map<Integer, VersionMetadata> versions;
+
+    /**
+     * @return Time of secret creation as raw string representation.
+     * @deprecated Method left for backwards compatibility only. Use {@link #getCreatedTime()} instead.
+     */
+    @Deprecated(since = "1.2", forRemoval = true)
+    public String getCreatedTimeString() {
+        if (createdTime != null) {
+            return TIME_FORMAT.format(createdTime);
+        }
+
+        return null;
+    }
+
+    /**
+     * @return Time of secret creation.
+     */
+    public ZonedDateTime getCreatedTime() {
+        return createdTime;
+    }
+
+    /**
+     * @return Current version number.
+     */
+    public Integer getCurrentVersion() {
+        return currentVersion;
+    }
+
+    /**
+     * @return Maximum number of versions.
+     */
+    public Integer getMaxVersions() {
+        return maxVersions;
+    }
+
+    /**
+     * @return Oldest available version number.
+     */
+    public Integer getOldestVersion() {
+        return oldestVersion;
+    }
+
+    /**
+     * @return Time of secret update as raw string representation.
+     * @deprecated Method left for backwards compatibility only. Use {@link #getUpdatedTime()} instead.
+     */
+    @Deprecated(since = "1.2", forRemoval = true)
+    public String getUpdatedTimeString() {
+        if (updatedTime != null) {
+            return TIME_FORMAT.format(updatedTime);
+        }
+
+        return null;
+    }
+
+    /**
+     * @return Time of secret update.
+     */
+    public ZonedDateTime getUpdatedTime() {
+        return updatedTime;
+    }
+
+    /**
+     * @return Version of the entry.
+     */
+    public Map<Integer, VersionMetadata> getVersions() {
+        return versions;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        SecretMetadata that = (SecretMetadata) o;
+        return Objects.equals(createdTime, that.createdTime) &&
+                Objects.equals(currentVersion, that.currentVersion) &&
+                Objects.equals(maxVersions, that.maxVersions) &&
+                Objects.equals(oldestVersion, that.oldestVersion) &&
+                Objects.equals(updatedTime, that.updatedTime) &&
+                Objects.equals(versions, that.versions);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(createdTime, currentVersion, maxVersions, oldestVersion, updatedTime, versions);
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/SecretWrapper.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/SecretWrapper.java
@ -0,0 +1,49 @@
+package de.stklcode.jvault.connector.model.response.embedded;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.io.Serializable;
+import java.util.Map;
+import java.util.Objects;
+
+/**
+ * Wrapper object for secret data and metadata.
+ *
+ * @author Stefan Kalscheuer
+ * @since 1.1
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class SecretWrapper implements Serializable {
+    private static final long serialVersionUID = 8600413181758893378L;
+
+    @JsonProperty("data")
+    private Map<String, Serializable> data;
+
+    @JsonProperty("metadata")
+    private VersionMetadata metadata;
+
+    public Map<String, Serializable> getData() {
+        return data;
+    }
+
+    public VersionMetadata getMetadata() {
+        return metadata;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        SecretWrapper that = (SecretWrapper) o;
+        return Objects.equals(data, that.data) && Objects.equals(metadata, that.metadata);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(data, metadata);
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/TokenData.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/TokenData.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,14 +19,27 @@ package de.stklcode.jvault.connector.model.response.embedded;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;

+import java.io.Serializable;
+import java.time.ZonedDateTime;
+import java.time.format.DateTimeFormatter;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+
 /**
 * Embedded token information inside Vault response.
 *
- * @author  Stefan Kalscheuer
- * @since   0.1
+ * @author Stefan Kalscheuer
+ * @since 0.1
+ * @since 1.1 implements {@link Serializable}
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public final class TokenData {
+public final class TokenData implements Serializable {
+    private static final long serialVersionUID = -5749716740973138916L;
+
+    private static final DateTimeFormatter TIME_FORMAT =
+            DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss.SSSSSSSSSXXX");
+
    @JsonProperty("accessor")
    private String accessor;

@ -39,11 +52,23 @@ public final class TokenData {
    @JsonProperty("display_name")
    private String name;

+    @JsonProperty("entity_id")
+    private String entityId;
+
+    @JsonProperty("expire_time")
+    private ZonedDateTime expireTime;
+
+    @JsonProperty("explicit_max_ttl")
+    private Integer explicitMaxTtl;
+
    @JsonProperty("id")
    private String id;

+    @JsonProperty("issue_time")
+    private ZonedDateTime issueTime;
+
    @JsonProperty("meta")
-    private String meta;
+    private Map<String, Object> meta;

    @JsonProperty("num_uses")
    private Integer numUses;
@ -54,12 +79,18 @@ public final class TokenData {
    @JsonProperty("path")
    private String path;

-    @JsonProperty("role")
-    private String role;
+    @JsonProperty("policies")
+    private List<String> policies;
+
+    @JsonProperty("renewable")
+    private boolean renewable;

    @JsonProperty("ttl")
    private Integer ttl;

+    @JsonProperty("type")
+    private String type;
+
    /**
     * @return Token accessor
     */
@ -88,6 +119,44 @@ public final class TokenData {
        return name;
    }

+    /**
+     * @return Entity ID
+     * @since 0.9
+     */
+    public String getEntityId() {
+        return entityId;
+    }
+
+    /**
+     * @return Expire time as raw string value
+     * @since 0.9
+     * @deprecated Method left for backwards compatibility only. Use {@link #getExpireTime()} instead.
+     */
+    @Deprecated(since = "1.2", forRemoval = true)
+    public String getExpireTimeString() {
+        if (expireTime != null) {
+            return TIME_FORMAT.format(expireTime);
+        }
+
+        return null;
+    }
+
+    /**
+     * @return Expire time (parsed)
+     * @since 0.9
+     */
+    public ZonedDateTime getExpireTime() {
+        return expireTime;
+    }
+
+    /**
+     * @return Explicit maximum TTL
+     * @since 0.9
+     */
+    public Integer getExplicitMaxTtl() {
+        return explicitMaxTtl;
+    }
+
    /**
     * @return Token ID
     */
@ -95,6 +164,36 @@ public final class TokenData {
        return id;
    }

+    /**
+     * @return Issue time as raw string value
+     * @since 0.9
+     * @deprecated Method left for backwards compatibility only. Use {@link #getIssueTime()} instead.
+     */
+    @Deprecated(since = "1.2", forRemoval = true)
+    public String getIssueTimeString() {
+        if (issueTime != null) {
+            return TIME_FORMAT.format(issueTime);
+        }
+
+        return null;
+    }
+
+    /**
+     * @return Expire time (parsed)
+     * @since 0.9
+     */
+    public ZonedDateTime getIssueTime() {
+        return issueTime;
+    }
+
+    /**
+     * @return Token type
+     * @since 0.9
+     */
+    public String getType() {
+        return type;
+    }
+
    /**
     * @return Number of uses
     */
@ -117,10 +216,19 @@ public final class TokenData {
    }

    /**
-     * @return Token role
+     * @return Token policies
+     * @since 0.9
     */
-    public String getRole() {
-        return role;
+    public List<String> getPolicies() {
+        return policies;
+    }
+
+    /**
+     * @return Token is renewable
+     * @since 0.9
+     */
+    public boolean isRenewable() {
+        return renewable;
    }

    /**
@ -133,7 +241,40 @@ public final class TokenData {
    /**
     * @return Metadata
     */
-    public String getMeta() {
+    public Map<String, Object> getMeta() {
        return meta;
    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        TokenData tokenData = (TokenData) o;
+        return orphan == tokenData.orphan &&
+                renewable == tokenData.renewable &&
+                Objects.equals(accessor, tokenData.accessor) &&
+                Objects.equals(creationTime, tokenData.creationTime) &&
+                Objects.equals(creationTtl, tokenData.creationTtl) &&
+                Objects.equals(name, tokenData.name) &&
+                Objects.equals(entityId, tokenData.entityId) &&
+                Objects.equals(expireTime, tokenData.expireTime) &&
+                Objects.equals(explicitMaxTtl, tokenData.explicitMaxTtl) &&
+                Objects.equals(id, tokenData.id) &&
+                Objects.equals(issueTime, tokenData.issueTime) &&
+                Objects.equals(meta, tokenData.meta) &&
+                Objects.equals(numUses, tokenData.numUses) &&
+                Objects.equals(path, tokenData.path) &&
+                Objects.equals(policies, tokenData.policies) &&
+                Objects.equals(ttl, tokenData.ttl) &&
+                Objects.equals(type, tokenData.type);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(accessor, creationTime, creationTtl, name, entityId, expireTime, explicitMaxTtl, id,
+                issueTime, meta, numUses, orphan, path, policies, renewable, ttl, type);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/UserLockoutConfig.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/UserLockoutConfig.java
@ -0,0 +1,77 @@
+package de.stklcode.jvault.connector.model.response.embedded;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.io.Serializable;
+import java.util.Objects;
+
+/**
+ * Embedded user lockout config output.
+ *
+ * @author Stefan Kalscheuer
+ * @since 1.2
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class UserLockoutConfig implements Serializable {
+    private static final long serialVersionUID = -8051060041593140550L;
+
+    @JsonProperty("lockout_threshold")
+    private Integer lockoutThreshold;
+
+    @JsonProperty("lockout_duration")
+    private Integer lockoutDuration;
+
+    @JsonProperty("lockout_counter_reset_duration")
+    private Integer lockoutCounterResetDuration;
+
+    @JsonProperty("lockout_disable")
+    private Boolean lockoutDisable;
+
+    /**
+     * @return Lockout threshold
+     */
+    public Integer getLockoutThreshold() {
+        return lockoutThreshold;
+    }
+
+    /**
+     * @return Lockout duration
+     */
+    public Integer getLockoutDuration() {
+        return lockoutDuration;
+    }
+
+    /**
+     * @return Lockout counter reset duration
+     */
+    public Integer getLockoutCounterResetDuration() {
+        return lockoutCounterResetDuration;
+    }
+
+    /**
+     * @return Lockout disabled?
+     */
+    public Boolean getLockoutDisable() {
+        return lockoutDisable;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        UserLockoutConfig that = (UserLockoutConfig) o;
+        return Objects.equals(lockoutThreshold, that.lockoutThreshold) &&
+            Objects.equals(lockoutDuration, that.lockoutDuration) &&
+            Objects.equals(lockoutCounterResetDuration, that.lockoutCounterResetDuration) &&
+            Objects.equals(lockoutDisable, that.lockoutDisable);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(lockoutThreshold, lockoutDuration, lockoutCounterResetDuration, lockoutDisable);
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/VersionMetadata.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/VersionMetadata.java
@ -0,0 +1,125 @@
+/*
+ * Copyright 2016-2023 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response.embedded;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.io.Serializable;
+import java.time.ZonedDateTime;
+import java.time.format.DateTimeFormatter;
+import java.util.Objects;
+
+/**
+ * Embedded metadata for a single Key-Value v2 version.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.8
+ * @since 1.1 implements {@link Serializable}
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public final class VersionMetadata implements Serializable {
+    private static final long serialVersionUID = -6815731513868586713L;
+
+    private static final DateTimeFormatter TIME_FORMAT =
+            DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss.SSSSSSSSSXXX");
+
+    @JsonProperty("created_time")
+    private ZonedDateTime createdTime;
+
+    @JsonProperty("deletion_time")
+    private ZonedDateTime deletionTime;
+
+    @JsonProperty("destroyed")
+    private boolean destroyed;
+
+    @JsonProperty("version")
+    private Integer version;
+
+    /**
+     * @return Time of secret creation as raw string representation.
+     * @deprecated Method left for backwards compatibility only. Use {@link #getCreatedTime()} instead.
+     */
+    @Deprecated(since = "1.2", forRemoval = true)
+    public String getCreatedTimeString() {
+        if (createdTime != null) {
+            return TIME_FORMAT.format(createdTime);
+        }
+
+        return null;
+    }
+
+    /**
+     * @return Time of secret creation.
+     */
+    public ZonedDateTime getCreatedTime() {
+        return createdTime;
+    }
+
+    /**
+     * @return Time for secret deletion as raw string representation.
+     * @deprecated Method left for backwards compatibility only. Use {@link #getDeletionTime()} instead.
+     */
+    @Deprecated(since = "1.2", forRemoval = true)
+    public String getDeletionTimeString() {
+        if (deletionTime != null) {
+            return TIME_FORMAT.format(deletionTime);
+        }
+
+        return null;
+    }
+
+    /**
+     * @return Time for secret deletion.
+     */
+    public ZonedDateTime getDeletionTime() {
+        return deletionTime;
+    }
+
+    /**
+     * @return Whether the secret is destroyed.
+     */
+    public boolean isDestroyed() {
+        return destroyed;
+    }
+
+    /**
+     * @return Version of the entry.
+     */
+    public Integer getVersion() {
+        return version;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        VersionMetadata that = (VersionMetadata) o;
+        return destroyed == that.destroyed &&
+                Objects.equals(createdTime, that.createdTime) &&
+                Objects.equals(deletionTime, that.deletionTime) &&
+                Objects.equals(version, that.version);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(createdTime, deletionTime, destroyed, version);
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/WrapInfo.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/WrapInfo.java
@ -0,0 +1,92 @@
+/*
+ * Copyright 2016-2023 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response.embedded;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.io.Serializable;
+import java.time.ZonedDateTime;
+import java.util.Objects;
+
+/**
+ * Wrapping information object.
+ *
+ * @author Stefan Kalscheuer
+ * @since 1.1
+ */
+public class WrapInfo implements Serializable {
+    private static final long serialVersionUID = 4864973237090355607L;
+
+    @JsonProperty("token")
+    private String token;
+
+    @JsonProperty("ttl")
+    private Integer ttl;
+
+    @JsonProperty("creation_time")
+    private ZonedDateTime creationTime;
+
+    @JsonProperty("creation_path")
+    private String creationPath;
+
+    /**
+     * @return Token
+     */
+    public String getToken() {
+        return token;
+    }
+
+    /**
+     * @return TTL (in seconds)
+     */
+    public Integer getTtl() {
+        return ttl;
+    }
+
+    /**
+     * @return Creation time
+     */
+    public ZonedDateTime getCreationTime() {
+        return creationTime;
+    }
+
+    /**
+     * @return Creation path
+     */
+    public String getCreationPath() {
+        return creationPath;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        WrapInfo that = (WrapInfo) o;
+        return Objects.equals(token, that.token) &&
+                Objects.equals(ttl, that.ttl) &&
+                Objects.equals(creationTime, that.creationTime) &&
+                Objects.equals(creationPath, that.creationPath);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(token, ttl, creationTime, creationPath);
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/package-info.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/package-info.java
@ -0,0 +1,20 @@
+/*
+ * Copyright 2016-2023 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Embedded data classes for responses from the Vault API.
+ */
+package de.stklcode.jvault.connector.model.response.embedded;
--- a/src/main/java/de/stklcode/jvault/connector/model/response/package-info.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/package-info.java
@ -0,0 +1,20 @@
+/*
+ * Copyright 2016-2023 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Model classes for responses from the Vault API.
+ */
+package de.stklcode.jvault.connector.model.response;
--- a/src/main/java/de/stklcode/jvault/connector/package-info.java
+++ b/src/main/java/de/stklcode/jvault/connector/package-info.java
@ -0,0 +1,21 @@
+/*
+ * Copyright 2016-2023 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Java Vault Connector base package - contains {@link de.stklcode.jvault.connector.VaultConnector} interface and
+ * default implementation.
+ */
+package de.stklcode.jvault.connector;
--- a/src/main/java/module-info.java
+++ b/src/main/java/module-info.java
@ -0,0 +1,36 @@
+/*
+ * Copyright 2016-2023 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * JVaultConnector module.
+ *
+ * @author Stefan Kalscheuer
+ */
+module de.stklcode.jvault.connector {
+    exports de.stklcode.jvault.connector;
+    exports de.stklcode.jvault.connector.exception;
+    exports de.stklcode.jvault.connector.model;
+    exports de.stklcode.jvault.connector.model.response;
+    exports de.stklcode.jvault.connector.model.response.embedded;
+
+    opens de.stklcode.jvault.connector.model to com.fasterxml.jackson.databind;
+    opens de.stklcode.jvault.connector.model.response to com.fasterxml.jackson.databind;
+    opens de.stklcode.jvault.connector.model.response.embedded to com.fasterxml.jackson.databind;
+
+    requires java.net.http;
+    requires com.fasterxml.jackson.databind;
+    requires com.fasterxml.jackson.datatype.jsr310;
+}
--- a/src/main/javadoc/overview.html
+++ b/src/main/javadoc/overview.html
@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <title>API Overview</title>
+</head>
+<body>
+<p>Java Vault Connector is a connector library for Vault by Hashicorp written in Java.</p>
+<p>The connector allows simple usage of Vault's secret store in own applications.</p>
+<p>It features a default implementation for the HTTP(S) interface and supports various authorization methods including
+    AppRole, token and secret handling.</p>
+</body>
+</html>
--- a/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorBuilderTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorBuilderTest.java
@ -0,0 +1,189 @@
+/*
+ * Copyright 2016-2023 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector;
+
+import com.github.stefanbirkner.systemlambda.SystemLambda;
+import de.stklcode.jvault.connector.exception.ConnectionException;
+import de.stklcode.jvault.connector.exception.TlsException;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.io.TempDir;
+
+import java.io.File;
+import java.lang.reflect.Field;
+import java.net.URISyntaxException;
+import java.nio.file.NoSuchFileException;
+
+import static com.github.stefanbirkner.systemlambda.SystemLambda.withEnvironmentVariable;
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * JUnit test for HTTP Vault connector factory
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.8.0
+ */
+class HTTPVaultConnectorBuilderTest {
+    private static final String VAULT_ADDR = "https://localhost:8201";
+    private static final Integer VAULT_MAX_RETRIES = 13;
+    private static final String VAULT_TOKEN = "00001111-2222-3333-4444-555566667777";
+
+    @TempDir
+    File tempDir;
+
+    /**
+     * Test the builder.
+     */
+    @Test
+    void builderTest() throws Exception {
+        // Minimal configuration.
+        HTTPVaultConnector connector = HTTPVaultConnector.builder().withHost("vault.example.com").build();
+
+        assertEquals("https://vault.example.com:8200/v1/", getRequestHelperPrivate(connector, "baseURL"), "URL not set correctly");
+        assertNull(getRequestHelperPrivate(connector, "trustedCaCert"), "Trusted CA cert set when no cert provided");
+        assertEquals(0, getRequestHelperPrivate(connector, "retries"), "Number of retries unexpectedly set");
+
+        // Specify all options.
+        HTTPVaultConnectorBuilder builder = HTTPVaultConnector.builder()
+                .withHost("vault2.example.com")
+                .withoutTLS()
+                .withPort(1234)
+                .withPrefix("/foo/")
+                .withTimeout(5678)
+                .withNumberOfRetries(9);
+        connector = builder.build();
+
+        assertEquals("http://vault2.example.com:1234/foo/", getRequestHelperPrivate(connector, "baseURL"), "URL not set correctly");
+        assertNull(getRequestHelperPrivate(connector, "trustedCaCert"), "Trusted CA cert set when no cert provided");
+        assertEquals(9, getRequestHelperPrivate(connector, "retries"), "Unexpected number of retries");
+        assertEquals(5678, getRequestHelperPrivate(connector, "timeout"), "Number timeout value");
+        assertThrows(ConnectionException.class, builder::buildAndAuth, "Immediate authentication should throw exception without token");
+
+        // Initialization from URL.
+        assertThrows(
+                URISyntaxException.class,
+                () -> HTTPVaultConnector.builder().withBaseURL("foo:/\\1nv4l1d_UrL"),
+                "Initialization from invalid URL should fail"
+        );
+        connector = assertDoesNotThrow(
+                () -> HTTPVaultConnector.builder().withBaseURL("https://vault3.example.com:5678/bar/").build(),
+                "Initialization from valid URL should not fail"
+        );
+        assertEquals("https://vault3.example.com:5678/bar/", getRequestHelperPrivate(connector, "baseURL"), "URL not set correctly");
+
+        // Port numbers.
+        assertThrows(IllegalArgumentException.class, () -> HTTPVaultConnector.builder().withPort(65536), "Too large port number should throw an exception");
+        assertThrows(IllegalArgumentException.class, () -> HTTPVaultConnector.builder().withPort(0), "Port number 0 should throw an exception");
+        builder = assertDoesNotThrow(() -> HTTPVaultConnector.builder().withPort(-1), "Port number -1 should not throw an exception");
+        assertNull(builder.getPort(), "Port number -1 should be omitted");
+        builder = assertDoesNotThrow(() -> HTTPVaultConnector.builder().withPort(null), "Port number NULL should not throw an exception");
+        assertNull(builder.getPort(), "Port number NULL should be passed through");
+    }
+
+    /**
+     * Test building from environment variables
+     */
+    @Test
+    void testFromEnv() throws Exception {
+        // Provide address only should be enough.
+        withVaultEnv(VAULT_ADDR, null, null, null).execute(() -> {
+            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
+                    () -> HTTPVaultConnector.builder().fromEnv(),
+                    "Factory creation from minimal environment failed"
+            );
+            HTTPVaultConnector connector = builder.build();
+
+            assertEquals(VAULT_ADDR + "/v1/", getRequestHelperPrivate(connector, "baseURL"), "URL not set correctly");
+            assertNull(getRequestHelperPrivate(connector, "trustedCaCert"), "Trusted CA cert set when no cert provided");
+            assertEquals(0, getRequestHelperPrivate(connector, "retries"), "Non-default number of retries, when none set");
+
+            return null;
+        });
+
+        // Provide address and number of retries.
+        withVaultEnv(VAULT_ADDR, null, VAULT_MAX_RETRIES.toString(), null).execute(() -> {
+            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
+                    () -> HTTPVaultConnector.builder().fromEnv(),
+                    "Factory creation from environment failed"
+            );
+            HTTPVaultConnector connector = builder.build();
+
+            assertEquals(VAULT_ADDR + "/v1/", getRequestHelperPrivate(connector, "baseURL"), "URL not set correctly");
+            assertNull(getRequestHelperPrivate(connector, "trustedCaCert"), "Trusted CA cert set when no cert provided");
+            assertEquals(VAULT_MAX_RETRIES, getRequestHelperPrivate(connector, "retries"), "Number of retries not set correctly");
+
+            return null;
+        });
+
+        // Provide CA certificate.
+        String VAULT_CACERT = tempDir.toString() + "/doesnotexist";
+        withVaultEnv(VAULT_ADDR, VAULT_CACERT, VAULT_MAX_RETRIES.toString(), null).execute(() -> {
+            TlsException e = assertThrows(
+                    TlsException.class,
+                    () -> HTTPVaultConnector.builder().fromEnv(),
+                    "Creation with unknown cert path failed"
+            );
+            assertTrue(e.getCause() instanceof NoSuchFileException);
+            assertEquals(VAULT_CACERT, ((NoSuchFileException) e.getCause()).getFile());
+
+            return null;
+        });
+
+        // Automatic authentication.
+        withVaultEnv(VAULT_ADDR, null, VAULT_MAX_RETRIES.toString(), VAULT_TOKEN).execute(() -> {
+            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
+                    () -> HTTPVaultConnector.builder().fromEnv(),
+                    "Factory creation from minimal environment failed"
+            );
+            assertEquals(VAULT_TOKEN, getPrivate(builder, "token"), "Token not set correctly");
+
+            return null;
+        });
+
+        // Invalid URL.
+        withVaultEnv("This is not a valid URL!", null, VAULT_MAX_RETRIES.toString(), VAULT_TOKEN).execute(() -> {
+            assertThrows(
+                    ConnectionException.class,
+                    () -> HTTPVaultConnector.builder().fromEnv(),
+                    "Invalid URL from environment should raise an exception"
+            );
+
+            return null;
+        });
+    }
+
+    private SystemLambda.WithEnvironmentVariables withVaultEnv(String vault_addr, String vault_cacert, String vault_max_retries, String vault_token) {
+        return withEnvironmentVariable("VAULT_ADDR", vault_addr)
+                .and("VAULT_CACERT", vault_cacert)
+                .and("VAULT_MAX_RETRIES", vault_max_retries)
+                .and("VAULT_TOKEN", vault_token);
+    }
+
+    private Object getRequestHelperPrivate(HTTPVaultConnector connector, String fieldName) throws NoSuchFieldException, IllegalAccessException {
+        return getPrivate(getPrivate(connector, "request"), fieldName);
+    }
+
+    private Object getPrivate(Object target, String fieldName) throws NoSuchFieldException, IllegalAccessException {
+        Field field = target.getClass().getDeclaredField(fieldName);
+        if (field.canAccess(target)) {
+            return field.get(target);
+        }
+        field.setAccessible(true);
+        Object value = field.get(target);
+        field.setAccessible(false);
+        return value;
+    }
+}
--- a/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorIT.java
+++ b/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorIT.java
--- a/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorOfflineTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorOfflineTest.java
@ -1,483 +0,0 @@
-/*
- * Copyright 2016-2018 Stefan Kalscheuer
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package de.stklcode.jvault.connector;
-
-import de.stklcode.jvault.connector.exception.InvalidRequestException;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
-import de.stklcode.jvault.connector.exception.PermissionDeniedException;
-import de.stklcode.jvault.connector.exception.VaultConnectorException;
-import net.bytebuddy.ByteBuddy;
-import net.bytebuddy.agent.ByteBuddyAgent;
-import net.bytebuddy.dynamic.loading.ClassReloadingStrategy;
-import org.apache.http.ProtocolVersion;
-import org.apache.http.client.methods.CloseableHttpResponse;
-import org.apache.http.entity.ContentType;
-import org.apache.http.entity.StringEntity;
-import org.apache.http.impl.client.CloseableHttpClient;
-import org.apache.http.impl.client.HttpClientBuilder;
-import org.apache.http.message.BasicStatusLine;
-import org.junit.jupiter.api.BeforeAll;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-
-import javax.net.ssl.SSLContext;
-import java.io.IOException;
-import java.lang.reflect.Field;
-import java.security.NoSuchAlgorithmException;
-import java.util.Collections;
-
-import static net.bytebuddy.implementation.MethodDelegation.to;
-import static net.bytebuddy.matcher.ElementMatchers.named;
-import static org.hamcrest.CoreMatchers.instanceOf;
-import static org.hamcrest.CoreMatchers.nullValue;
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.core.Is.is;
-import static org.junit.jupiter.api.Assertions.fail;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.*;
-
-/**
- * JUnit test for HTTP Vault connector.
- * This test suite contains tests that do not require connection to an actual Vault instance.
- *
- * @author Stefan Kalscheuer
- * @since 0.7.0
- */
-public class HTTPVaultConnectorOfflineTest {
-    private static final String INVALID_URL = "foo:/\\1nv4l1d_UrL";
-
-    private static HttpClientBuilder httpMockBuilder = mock(HttpClientBuilder.class);
-    private static CloseableHttpClient httpMock = mock(CloseableHttpClient.class);
-    private CloseableHttpResponse responseMock = mock(CloseableHttpResponse.class);
-
-    @BeforeAll
-    public static void initByteBuddy() {
-        // Install ByteBuddy Agent.
-        ByteBuddyAgent.install();
-    }
-
-    /**
-     * Helper method for redefinition of {@link HttpClientBuilder#create()} from {@link #initHttpMock()}.
-     *
-     * @return Mocked HTTP client builder.
-     */
-    public static HttpClientBuilder create() {
-        return httpMockBuilder;
-    }
-
-    @BeforeEach
-    public void initHttpMock() {
-        // Redefine static method to return Mock on HttpClientBuilder creation.
-        new ByteBuddy().redefine(HttpClientBuilder.class)
-                .method(named("create"))
-                .intercept(to(HTTPVaultConnectorOfflineTest.class))
-                .make()
-                .load(HttpClientBuilder.class.getClassLoader(), ClassReloadingStrategy.fromInstalledAgent());
-
-        // Ignore SSL context settings.
-        when(httpMockBuilder.setSSLContext(null)).thenReturn(httpMockBuilder);
-
-        // Re-initialize HTTP mock to ensure fresh (empty) results.
-        httpMock = mock(CloseableHttpClient.class);
-
-        // Mock actual client creation.
-        when(httpMockBuilder.build()).thenReturn(httpMock);
-    }
-
-    /**
-     * Test exceptions thrown during request.
-     */
-    @Test
-    public void requestExceptionTest() throws IOException {
-        HTTPVaultConnector connector = new HTTPVaultConnector("http://127.0.0.1", null, 0, 250);
-
-        // Test invalid response code.
-        final int responseCode = 400;
-        mockResponse(responseCode, "", ContentType.APPLICATION_JSON);
-        try {
-            connector.getHealth();
-            fail("Querying health status succeeded on invalid instance");
-        } catch (Exception e) {
-            assertThat("Unexpected type of exception", e, instanceOf(InvalidResponseException.class));
-            assertThat("Unexpected exception message", e.getMessage(), is("Invalid response code"));
-            assertThat("Unexpected status code in exception", ((InvalidResponseException) e).getStatusCode(), is(responseCode));
-            assertThat("Response message where none was expected", ((InvalidResponseException) e).getResponse(), is(nullValue()));
-        }
-
-        // Simulate permission denied response.
-        mockResponse(responseCode, "{\"errors\":[\"permission denied\"]}", ContentType.APPLICATION_JSON);
-        try {
-            connector.getHealth();
-            fail("Querying health status succeeded on invalid instance");
-        } catch (Exception e) {
-            assertThat("Unexpected type of exception", e, instanceOf(PermissionDeniedException.class));
-        }
-
-        // Test exception thrown during request.
-        when(httpMock.execute(any())).thenThrow(new IOException("Test Exception"));
-        try {
-            connector.getHealth();
-            fail("Querying health status succeeded on invalid instance");
-        } catch (Exception e) {
-            assertThat("Unexpected type of exception", e, instanceOf(InvalidResponseException.class));
-            assertThat("Unexpected exception message", e.getMessage(), is("Unable to read response"));
-            assertThat("Unexpected cause", e.getCause(), instanceOf(IOException.class));
-        }
-
-        // Now simulate a failing request that succeeds on second try.
-        connector = new HTTPVaultConnector("https://127.0.0.1", null, 1, 250);
-        doReturn(responseMock).doReturn(responseMock).when(httpMock).execute(any());
-        doReturn(new BasicStatusLine(new ProtocolVersion("HTTP", 1, 1), 500, ""))
-                .doReturn(new BasicStatusLine(new ProtocolVersion("HTTP", 1, 1), 500, ""))
-                .doReturn(new BasicStatusLine(new ProtocolVersion("HTTP", 1, 1), 500, ""))
-                .doReturn(new BasicStatusLine(new ProtocolVersion("HTTP", 1, 1), 200, ""))
-                .when(responseMock).getStatusLine();
-        when(responseMock.getEntity()).thenReturn(new StringEntity("{}", ContentType.APPLICATION_JSON));
-
-        try {
-            connector.getHealth();
-        } catch (Exception e) {
-            fail("Request failed unexpectedly: " + e.getMessage());
-        }
-    }
-
-    /**
-     * Test constductors of the {@link HTTPVaultConnector} class.
-     */
-    @Test
-    public void constructorTest() throws NoSuchAlgorithmException {
-        final String url = "https://vault.example.net/test/";
-        final String hostname = "vault.example.com";
-        final Integer port = 1337;
-        final String prefix = "/custom/prefix/";
-        final Integer retries = 42;
-        final String expectedNoTls = "http://" + hostname + "/v1/";
-        final String expectedCustomPort = "https://" + hostname + ":" + port + "/v1/";
-        final String expectedCustomPrefix = "https://" + hostname + ":" + port + prefix;
-        final SSLContext sslContext = SSLContext.getInstance("TLS");
-
-        // Most basic constructor expects complete URL.
-        HTTPVaultConnector connector = new HTTPVaultConnector(url);
-        assertThat("Unexpected base URL", getPrivate(connector, "baseURL"), is(url));
-
-        // Now override TLS usage.
-        connector = new HTTPVaultConnector(hostname, false);
-        assertThat("Unexpected base URL with TLS disabled", getPrivate(connector, "baseURL"), is(expectedNoTls));
-
-        // Specify custom port.
-        connector = new HTTPVaultConnector(hostname, true, port);
-        assertThat("Unexpected base URL with custom port", getPrivate(connector, "baseURL"), is(expectedCustomPort));
-
-        // Specify custom prefix.
-        connector = new HTTPVaultConnector(hostname, true, port, prefix);
-        assertThat("Unexpected base URL with custom prefix", getPrivate(connector, "baseURL"), is(expectedCustomPrefix));
-        assertThat("SSL context set, but not specified", getPrivate(connector, "sslContext"), is(nullValue()));
-
-        // Provide custom SSL context.
-        connector = new HTTPVaultConnector(hostname, true, port, prefix, sslContext);
-        assertThat("Unexpected base URL with custom prefix", getPrivate(connector, "baseURL"), is(expectedCustomPrefix));
-        assertThat("SSL context not filled correctly", getPrivate(connector, "sslContext"), is(sslContext));
-
-        // Specify number of retries.
-        connector = new HTTPVaultConnector(url, sslContext, retries);
-        assertThat("Number of retries not set correctly", getPrivate(connector, "retries"), is(retries));
-    }
-
-    /**
-     * This test is designed to test exceptions caught and thrown by seal-methods if Vault is not reachable.
-     */
-    @Test
-    public void sealExceptionTest() throws IOException {
-        HTTPVaultConnector connector = new HTTPVaultConnector(INVALID_URL);
-        try {
-            connector.sealStatus();
-            fail("Querying seal status succeeded on invalid URL");
-        } catch (Exception e) {
-            assertThat("Unexpected type of exception", e, instanceOf(InvalidRequestException.class));
-            assertThat("Unexpected exception message", e.getMessage(), is("Invalid URI format"));
-        }
-
-        connector = new HTTPVaultConnector("https://127.0.0.1", null, 0, 250);
-
-        // Simulate NULL response (mock not supplied with data).
-
-        try {
-            connector.sealStatus();
-            fail("Querying seal status succeeded on invalid instance");
-        } catch (Exception e) {
-            assertThat("Unexpected type of exception", e, instanceOf(InvalidResponseException.class));
-            assertThat("Unexpected exception message", e.getMessage(), is("Response unavailable"));
-        }
-    }
-
-    /**
-     * This test is designed to test exceptions caught and thrown by seal-methods if Vault is not reachable.
-     */
-    @Test
-    public void healthExceptionTest() throws IOException {
-        HTTPVaultConnector connector = new HTTPVaultConnector(INVALID_URL);
-        try {
-            connector.getHealth();
-            fail("Querying health status succeeded on invalid URL");
-        } catch (Exception e) {
-            assertThat("Unexpected type of exception", e, instanceOf(InvalidRequestException.class));
-            assertThat("Unexpected exception message", e.getMessage(), is("Invalid URI format"));
-        }
-
-        connector = new HTTPVaultConnector("https://127.0.0.1", null, 0, 250);
-
-        // Simulate NULL response (mock not supplied with data).
-        try {
-            connector.getHealth();
-            fail("Querying health status succeeded on invalid instance");
-        } catch (Exception e) {
-            assertThat("Unexpected type of exception", e, instanceOf(InvalidResponseException.class));
-            assertThat("Unexpected exception message", e.getMessage(), is("Response unavailable"));
-        }
-    }
-
-    /**
-     * Test behavior on unparsable responses.
-     */
-    @Test
-    public void parseExceptionTest() throws IOException {
-        HTTPVaultConnector connector = new HTTPVaultConnector("https://127.0.0.1", null, 0, 250);
-        // Mock authorization.
-        setPrivate(connector, "authorized", true);
-        // Mock response.
-        mockResponse(200, "invalid", ContentType.APPLICATION_JSON);
-
-        // Now test the methods.
-        try {
-            connector.sealStatus();
-            fail("sealStatus() succeeded on invalid instance");
-        } catch (Exception e) {
-            assertParseError(e);
-        }
-
-        try {
-            connector.unseal("key");
-            fail("unseal() succeeded on invalid instance");
-        } catch (Exception e) {
-            assertParseError(e);
-        }
-
-        try {
-            connector.getHealth();
-            fail("getHealth() succeeded on invalid instance");
-        } catch (Exception e) {
-            assertParseError(e);
-        }
-
-        try {
-            connector.getAuthBackends();
-            fail("getAuthBackends() succeeded on invalid instance");
-        } catch (Exception e) {
-            assertParseError(e);
-        }
-
-        try {
-            connector.authToken("token");
-            fail("authToken() succeeded on invalid instance");
-        } catch (Exception e) {
-            assertParseError(e);
-        }
-
-        try {
-            connector.lookupAppRole("roleName");
-            fail("lookupAppRole() succeeded on invalid instance");
-        } catch (Exception e) {
-            assertParseError(e);
-        }
-
-        try {
-            connector.getAppRoleID("roleName");
-            fail("getAppRoleID() succeeded on invalid instance");
-        } catch (Exception e) {
-            assertParseError(e);
-        }
-
-        try {
-            connector.createAppRoleSecret("roleName");
-            fail("createAppRoleSecret() succeeded on invalid instance");
-        } catch (Exception e) {
-            assertParseError(e);
-        }
-
-        try {
-            connector.lookupAppRoleSecret("roleName", "secretID");
-            fail("lookupAppRoleSecret() succeeded on invalid instance");
-        } catch (Exception e) {
-            assertParseError(e);
-        }
-
-        try {
-            connector.listAppRoles();
-            fail("listAppRoles() succeeded on invalid instance");
-        } catch (Exception e) {
-            assertParseError(e);
-        }
-
-        try {
-            connector.listAppRoleSecrets("roleName");
-            fail("listAppRoleSecrets() succeeded on invalid instance");
-        } catch (Exception e) {
-            assertParseError(e);
-        }
-
-        try {
-            connector.read("key");
-            fail("read() succeeded on invalid instance");
-        } catch (Exception e) {
-            assertParseError(e);
-        }
-
-        try {
-            connector.list("path");
-            fail("list() succeeded on invalid instance");
-        } catch (Exception e) {
-            assertParseError(e);
-        }
-
-        try {
-            connector.renew("leaseID");
-            fail("renew() succeeded on invalid instance");
-        } catch (Exception e) {
-            assertParseError(e);
-        }
-
-        try {
-            connector.lookupToken("token");
-            fail("lookupToken() succeeded on invalid instance");
-        } catch (Exception e) {
-            assertParseError(e);
-        }
-    }
-
-    private void assertParseError(Exception e) {
-        assertThat("Unexpected type of exception", e, instanceOf(InvalidResponseException.class));
-        assertThat("Unexpected exception message", e.getMessage(), is("Unable to parse response"));
-    }
-
-    /**
-     * Test requests that expect an empty response with code 204, but receive a 200 body.
-     */
-    @Test
-    public void nonEmpty204ResponseTest() throws IOException {
-        HTTPVaultConnector connector = new HTTPVaultConnector("https://127.0.0.1", null, 0, 250);
-        // Mock authorization.
-        setPrivate(connector, "authorized", true);
-        // Mock response.
-        mockResponse(200, "{}", ContentType.APPLICATION_JSON);
-
-        // Now test the methods expecting a 204.
-        try {
-            connector.registerAppId("appID", "policy", "displayName");
-            fail("registerAppId() with 200 response succeeded");
-        } catch (VaultConnectorException e) {
-            assertThat("Unexpected exception type", e, instanceOf(InvalidResponseException.class));
-        }
-
-        try {
-            connector.registerUserId("appID", "userID");
-            fail("registerUserId() with 200 response succeeded");
-        } catch (VaultConnectorException e) {
-            assertThat("Unexpected exception type", e, instanceOf(InvalidResponseException.class));
-        }
-
-        try {
-            connector.createAppRole("appID", Collections.singletonList("policy"));
-            fail("createAppRole() with 200 response succeeded");
-        } catch (VaultConnectorException e) {
-            assertThat("Unexpected exception type", e, instanceOf(InvalidResponseException.class));
-        }
-
-        try {
-            connector.deleteAppRole("roleName");
-            fail("deleteAppRole() with 200 response succeeded");
-        } catch (VaultConnectorException e) {
-            assertThat("Unexpected exception type", e, instanceOf(InvalidResponseException.class));
-        }
-
-        try {
-            connector.setAppRoleID("roleName", "roleID");
-            fail("setAppRoleID() with 200 response succeeded");
-        } catch (VaultConnectorException e) {
-            assertThat("Unexpected exception type", e, instanceOf(InvalidResponseException.class));
-        }
-
-        try {
-            connector.destroyAppRoleSecret("roleName", "secretID");
-            fail("destroyAppRoleSecret() with 200 response succeeded");
-        } catch (VaultConnectorException e) {
-            assertThat("Unexpected exception type", e, instanceOf(InvalidResponseException.class));
-        }
-
-        try {
-            connector.destroyAppRoleSecret("roleName", "secretUD");
-            fail("destroyAppRoleSecret() with 200 response succeeded");
-        } catch (VaultConnectorException e) {
-            assertThat("Unexpected exception type", e, instanceOf(InvalidResponseException.class));
-        }
-
-        try {
-            connector.delete("key");
-            fail("delete() with 200 response succeeded");
-        } catch (VaultConnectorException e) {
-            assertThat("Unexpected exception type", e, instanceOf(InvalidResponseException.class));
-        }
-
-        try {
-            connector.revoke("leaseID");
-            fail("destroyAppRoleSecret() with 200 response succeeded");
-        } catch (VaultConnectorException e) {
-            assertThat("Unexpected exception type", e, instanceOf(InvalidResponseException.class));
-        }
-    }
-
-    private Object getPrivate(Object target, String fieldName) {
-        try {
-            Field field = target.getClass().getDeclaredField(fieldName);
-            if (field.isAccessible())
-                return field.get(target);
-            field.setAccessible(true);
-            Object value = field.get(target);
-            field.setAccessible(false);
-            return value;
-        } catch (NoSuchFieldException | IllegalAccessException e) {
-            return null;
-        }
-    }
-
-    private void setPrivate(Object target, String fieldName, Object value) {
-        try {
-            Field field = target.getClass().getDeclaredField(fieldName);
-            boolean accessible =field.isAccessible();
-            field.setAccessible(true);
-            field.set(target, value);
-            field.setAccessible(accessible);
-        } catch (NoSuchFieldException | IllegalAccessException e) {
-            // Should not occur, to be taken care of in test code.
-        }
-    }
-
-    private void mockResponse(int status, String body, ContentType type) throws IOException {
-        when(httpMock.execute(any())).thenReturn(responseMock);
-        when(responseMock.getStatusLine()).thenReturn(new BasicStatusLine(new ProtocolVersion("HTTP", 1, 1), status, ""));
-        when(responseMock.getEntity()).thenReturn(new StringEntity(body, type));
-    }
-}
--- a/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java
--- a/src/test/java/de/stklcode/jvault/connector/exception/VaultConnectorExceptionTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/exception/VaultConnectorExceptionTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -18,10 +18,8 @@ package de.stklcode.jvault.connector.exception;

 import org.junit.jupiter.api.Test;

-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.instanceOf;
-import static org.hamcrest.Matchers.nullValue;
-import static org.hamcrest.core.Is.is;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;

 /**
 * Common JUnit test for Exceptions extending {@link VaultConnectorException}.
@ -29,19 +27,19 @@ import static org.hamcrest.core.Is.is;
 * @author Stefan Kalscheuer
 * @since 0.6.2
 */
-public class VaultConnectorExceptionTest {
+class VaultConnectorExceptionTest {
    private static final String MSG = "This is a test exception!";
    private static final Throwable CAUSE = new Exception("Test-Cause");
    private static final Integer STATUS_CODE = 1337;
    private static final String RESPONSE = "Dummy response";

    @Test
-    public void authorizationRequiredExceptionTest() {
+    void authorizationRequiredExceptionTest() {
        assertEmptyConstructor(new AuthorizationRequiredException());
    }

    @Test
-    public void connectionExceptionTest() {
+    void connectionExceptionTest() {
        assertEmptyConstructor(new ConnectionException());
        assertMsgConstructor(new ConnectionException(MSG));
        assertCauseConstructor(new ConnectionException(CAUSE));
@ -49,7 +47,7 @@ public class VaultConnectorExceptionTest {
    }

    @Test
-    public void invalidRequestExceptionTest() {
+    void invalidRequestExceptionTest() {
        assertEmptyConstructor(new InvalidRequestException());
        assertMsgConstructor(new InvalidRequestException(MSG));
        assertCauseConstructor(new InvalidRequestException(CAUSE));
@ -57,7 +55,7 @@ public class VaultConnectorExceptionTest {
    }

    @Test
-    public void invalidResponseExceptionTest() {
+    void invalidResponseExceptionTest() {
        assertEmptyConstructor(new InvalidResponseException());
        assertMsgConstructor(new InvalidResponseException(MSG));
        assertCauseConstructor(new InvalidResponseException(CAUSE));
@ -65,42 +63,39 @@ public class VaultConnectorExceptionTest {

        // Constructor with message and status code.
        InvalidResponseException e = new InvalidResponseException(MSG, STATUS_CODE);
-        assertThat(e.getMessage(), is(MSG));
-        assertThat(e.getCause(), is(nullValue()));
-        assertThat(e.getStatusCode(), is(STATUS_CODE));
-        assertThat(e.getResponse(), is(nullValue()));
+        assertEquals(MSG, e.getMessage());
+        assertNull(e.getCause());
+        assertEquals(STATUS_CODE, e.getStatusCode());
+        assertNull(e.getResponse());

        // Constructor with message, status code and cause.
        e = new InvalidResponseException(MSG, STATUS_CODE, CAUSE);
-        assertThat(e.getMessage(), is(MSG));
-        assertThat(e.getCause(), is(CAUSE));
-        assertThat(e.getStatusCode(), is(STATUS_CODE));
-        assertThat(e.getResponse(), is(nullValue()));
+        assertEquals(MSG, e.getMessage());
+        assertEquals(CAUSE, e.getCause());
+        assertEquals(STATUS_CODE, e.getStatusCode());
+        assertNull(e.getResponse());

        // Constructor with message, status code and response.
        e = new InvalidResponseException(MSG, STATUS_CODE, RESPONSE);
-        assertThat(e.getMessage(), is(MSG));
-        assertThat(e.getCause(), is(nullValue()));
-        assertThat(e.getStatusCode(), is(STATUS_CODE));
-        assertThat(e.getResponse(), is(RESPONSE));
+        assertEquals(MSG, e.getMessage());
+        assertNull(e.getCause());
+        assertEquals(STATUS_CODE, e.getStatusCode());
+        assertEquals(RESPONSE, e.getResponse());

        // Constructor with message, status code, response and cause.
        e = new InvalidResponseException(MSG, STATUS_CODE, RESPONSE, CAUSE);
-        assertThat(e.getMessage(), is(MSG));
-        assertThat(e.getCause(), is(CAUSE));
-        assertThat(e.getStatusCode(), is(STATUS_CODE));
-        assertThat(e.getResponse(), is(RESPONSE));
+        assertEquals(MSG, e.getMessage());
+        assertEquals(CAUSE, e.getCause());
+        assertEquals(STATUS_CODE, e.getStatusCode());
+        assertEquals(RESPONSE, e.getResponse());
    }

    @Test
-    public void permissionDeniedExceptionTest() {
+    void permissionDeniedExceptionTest() {
        // Default message overwritten.
        PermissionDeniedException e = new PermissionDeniedException();
-        assertThat(e, is(instanceOf(VaultConnectorException.class)));
-        assertThat(e, is(instanceOf(Exception.class)));
-        assertThat(e, is(instanceOf(Throwable.class)));
-        assertThat(e.getMessage(), is("Permission denied"));
-        assertThat(e.getCause(), is(nullValue()));
+        assertEquals("Permission denied", e.getMessage());
+        assertNull(e.getCause());

        assertMsgConstructor(new PermissionDeniedException(MSG));
        assertCauseConstructor(new PermissionDeniedException(CAUSE));
@ -108,7 +103,7 @@ public class VaultConnectorExceptionTest {
    }

    @Test
-    public void tlsExceptionTest() {
+    void tlsExceptionTest() {
        assertEmptyConstructor(new TlsException());
        assertMsgConstructor(new TlsException(MSG));
        assertCauseConstructor(new TlsException(CAUSE));
@ -121,11 +116,8 @@ public class VaultConnectorExceptionTest {
     * @param e the exception
     */
    private void assertEmptyConstructor(VaultConnectorException e) {
-        assertThat(e, is(instanceOf(VaultConnectorException.class)));
-        assertThat(e, is(instanceOf(Exception.class)));
-        assertThat(e, is(instanceOf(Throwable.class)));
-        assertThat(e.getMessage(), is(nullValue()));
-        assertThat(e.getCause(), is(nullValue()));
+        assertNull(e.getMessage());
+        assertNull(e.getCause());
    }

    /**
@ -134,8 +126,8 @@ public class VaultConnectorExceptionTest {
     * @param e the exception
     */
    private void assertMsgConstructor(VaultConnectorException e) {
-        assertThat(e.getMessage(), is(MSG));
-        assertThat(e.getCause(), is(nullValue()));
+        assertEquals(MSG, e.getMessage());
+        assertNull(e.getCause());
    }

    /**
@ -144,8 +136,8 @@ public class VaultConnectorExceptionTest {
     * @param e the exception
     */
    private void assertCauseConstructor(VaultConnectorException e) {
-        assertThat(e.getMessage(), is(CAUSE.toString()));
-        assertThat(e.getCause(), is(CAUSE));
+        assertEquals(CAUSE.toString(), e.getMessage());
+        assertEquals(CAUSE, e.getCause());
    }

    /**
@ -154,7 +146,7 @@ public class VaultConnectorExceptionTest {
     * @param e the exception
     */
    private void assertMsgCauseConstructor(VaultConnectorException e) {
-        assertThat(e.getMessage(), is(MSG));
-        assertThat(e.getCause(), is(CAUSE));
+        assertEquals(MSG, e.getMessage());
+        assertEquals(CAUSE, e.getCause());
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/factory/HTTPVaultConnectorFactoryTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/factory/HTTPVaultConnectorFactoryTest.java
@ -1,129 +0,0 @@
-/*
- * Copyright 2016-2018 Stefan Kalscheuer
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package de.stklcode.jvault.connector.factory;
-
-import de.stklcode.jvault.connector.HTTPVaultConnector;
-import de.stklcode.jvault.connector.exception.TlsException;
-import de.stklcode.jvault.connector.exception.VaultConnectorException;
-import org.junit.Rule;
-import org.junit.contrib.java.lang.system.EnvironmentVariables;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.migrationsupport.rules.EnableRuleMigrationSupport;
-import org.junit.rules.TemporaryFolder;
-
-import java.io.IOException;
-import java.lang.reflect.Field;
-import java.nio.file.NoSuchFileException;
-
-import static org.hamcrest.CoreMatchers.*;
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.jupiter.api.Assertions.fail;
-
-/**
- * JUnit test for HTTP Vault connector factory
- *
- * @author Stefan Kalscheuer
- * @since 0.6.0
- */
-@EnableRuleMigrationSupport
-public class HTTPVaultConnectorFactoryTest {
-    private static String VAULT_ADDR = "https://localhost:8201";
-    private static Integer VAULT_MAX_RETRIES = 13;
-    private static String VAULT_TOKEN = "00001111-2222-3333-4444-555566667777";
-
-    @Rule
-    public TemporaryFolder tmpDir = new TemporaryFolder();
-
-    @Rule
-    public final EnvironmentVariables environment = new EnvironmentVariables();
-
-    /**
-     * Test building from environment variables
-     */
-    @Test
-    public void testFromEnv() throws NoSuchFieldException, IllegalAccessException, IOException {
-        /* Provide address only should be enough */
-        setenv(VAULT_ADDR, null, null, null);
-
-        HTTPVaultConnectorFactory factory = null;
-        HTTPVaultConnector connector;
-        try {
-            factory = VaultConnectorFactory.httpFactory().fromEnv();
-        } catch (VaultConnectorException e) {
-            fail("Factory creation from minimal environment failed");
-        }
-        connector = factory.build();
-
-        assertThat("URL nor set correctly", getPrivate(connector, "baseURL"), is(equalTo(VAULT_ADDR + "/v1/")));
-        assertThat("SSL context set when no cert provided", getPrivate(connector, "sslContext"), is(nullValue()));
-        assertThat("Non-default number of retries, when none set", getPrivate(connector, "retries"), is(0));
-
-        /* Provide address and number of retries */
-        setenv(VAULT_ADDR, null, VAULT_MAX_RETRIES.toString(), null);
-
-        try {
-            factory = VaultConnectorFactory.httpFactory().fromEnv();
-        } catch (VaultConnectorException e) {
-            fail("Factory creation from environment failed");
-        }
-        connector = factory.build();
-
-        assertThat("URL nor set correctly", getPrivate(connector, "baseURL"), is(equalTo(VAULT_ADDR + "/v1/")));
-        assertThat("SSL context set when no cert provided", getPrivate(connector, "sslContext"), is(nullValue()));
-        assertThat("Number of retries not set correctly", getPrivate(connector, "retries"), is(VAULT_MAX_RETRIES));
-
-        /* Provide CA certificate */
-        String VAULT_CACERT = tmpDir.newFolder().toString() + "/doesnotexist";
-        setenv(VAULT_ADDR, VAULT_CACERT, VAULT_MAX_RETRIES.toString(), null);
-
-        try {
-            VaultConnectorFactory.httpFactory().fromEnv();
-            fail("Creation with unknown cert path failed.");
-        } catch (VaultConnectorException e) {
-            assertThat(e, is(instanceOf(TlsException.class)));
-            assertThat(e.getCause(), is(instanceOf(NoSuchFileException.class)));
-            assertThat(((NoSuchFileException)e.getCause()).getFile(), is(VAULT_CACERT));
-        }
-
-        /* Automatic authentication */
-        setenv(VAULT_ADDR, null, VAULT_MAX_RETRIES.toString(), VAULT_TOKEN);
-
-        try {
-            factory = VaultConnectorFactory.httpFactory().fromEnv();
-        } catch (VaultConnectorException e) {
-            fail("Factory creation from minimal environment failed");
-        }
-        assertThat("Token nor set correctly", getPrivate(factory, "token"), is(equalTo(VAULT_TOKEN)));
-    }
-
-    private void setenv(String vault_addr, String vault_cacert, String vault_max_retries, String vault_token) {
-        environment.set("VAULT_ADDR", vault_addr);
-        environment.set("VAULT_CACERT", vault_cacert);
-        environment.set("VAULT_MAX_RETRIES", vault_max_retries);
-        environment.set("VAULT_TOKEN", vault_token);
-    }
-
-    private Object getPrivate(Object target, String fieldName) throws NoSuchFieldException, IllegalAccessException {
-        Field field = target.getClass().getDeclaredField(fieldName);
-        if (field.isAccessible())
-            return field.get(target);
-        field.setAccessible(true);
-        Object value = field.get(target);
-        field.setAccessible(false);
-        return value;
-    }
-}
--- a/src/test/java/de/stklcode/jvault/connector/model/AbstractModelTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/AbstractModelTest.java
@ -0,0 +1,79 @@
+package de.stklcode.jvault.connector.model;
+
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.SerializationFeature;
+import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
+import nl.jqno.equalsverifier.EqualsVerifier;
+import org.junit.jupiter.api.Test;
+
+import java.io.*;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.fail;
+
+/**
+ * Abstract testcase for model classes.
+ *
+ * @author Stefan Kalscheuer
+ * @since 1.1
+ */
+public abstract class AbstractModelTest<T> {
+    protected final Class<?> modelClass;
+    protected final ObjectMapper objectMapper;
+
+    /**
+     * Test case constructor.
+     *
+     * @param modelClass Target class to test.
+     */
+    protected AbstractModelTest(Class<T> modelClass) {
+        this.modelClass = modelClass;
+        this.objectMapper = new ObjectMapper()
+                .registerModule(new JavaTimeModule())
+                .enable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS)
+                .disable(DeserializationFeature.ADJUST_DATES_TO_CONTEXT_TIME_ZONE);
+    }
+
+    /**
+     * Create a "full" model instance.
+     *
+     * @return Model instance.
+     */
+    protected abstract T createFull();
+
+    /**
+     * Test if {@link Object#equals(Object)} and {@link Object#hashCode()} are implemented, s.t. all fields are covered.
+     */
+    @Test
+    void testEqualsHashcode() {
+        EqualsVerifier.simple().forClass(modelClass).verify();
+    }
+
+    /**
+     * Test Java serialization of a full model instance.
+     * Serialization and deserialization must not fail and the resulting object should equal the original object.
+     */
+    @Test
+    void serializationTest() {
+        T original = createFull();
+        byte[] bytes;
+        try (var bos = new ByteArrayOutputStream();
+             var oos = new ObjectOutputStream(bos)) {
+            oos.writeObject(original);
+            bytes = bos.toByteArray();
+        } catch (IOException e) {
+            fail("Serialization failed", e);
+            return;
+        }
+
+        try (var bis = new ByteArrayInputStream(bytes);
+             var ois = new ObjectInputStream(bis)) {
+            Object copy = ois.readObject();
+            assertEquals(modelClass, copy.getClass(), "Invalid class after deserialization");
+            assertEquals(original, copy, "Deserialized object should be equal to the original");
+        } catch (IOException | ClassNotFoundException e) {
+            fail("Deserialization failed", e);
+        }
+    }
+}
--- a/src/test/java/de/stklcode/jvault/connector/model/AppRoleBuilderTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/AppRoleBuilderTest.java
@ -1,149 +0,0 @@
-/*
- * Copyright 2016-2018 Stefan Kalscheuer
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package de.stklcode.jvault.connector.model;
-
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import org.junit.jupiter.api.BeforeAll;
-import org.junit.jupiter.api.Test;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.*;
-
-/**
- * JUnit Test for AppRole Builder.
- *
- * @author Stefan Kalscheuer
- * @since 0.4.0
- */
-public class AppRoleBuilderTest {
-
-
-    private static final String NAME = "TestRole";
-    private static final String ID = "test-id";
-    private static final Boolean BIND_SECRET_ID = true;
-    private static final List<String> BOUND_CIDR_LIST = new ArrayList<>();
-    private static final String CIDR_1 = "192.168.1.0/24";
-    private static final String CIDR_2 = "172.16.0.0/16";
-    private static final List<String> POLICIES = new ArrayList<>();
-    private static final String POLICY = "policy";
-    private static final String POLICY_2 = "policy2";
-    private static final Integer SECRET_ID_NUM_USES = 10;
-    private static final Integer SECRET_ID_TTL = 7200;
-    private static final Integer TOKEN_TTL = 4800;
-    private static final Integer TOKEN_MAX_TTL = 9600;
-    private static final Integer PERIOD = 1234;
-    private static final String JSON_MIN = "{\"role_name\":\"" + NAME + "\"}";
-    private static final String JSON_FULL = String.format("{\"role_name\":\"%s\",\"role_id\":\"%s\",\"bind_secret_id\":%s,\"bound_cidr_list\":\"%s\",\"policies\":\"%s\",\"secret_id_num_uses\":%d,\"secret_id_ttl\":%d,\"token_ttl\":%d,\"token_max_ttl\":%d,\"period\":%d}",
-            NAME, ID, BIND_SECRET_ID, CIDR_1, POLICY, SECRET_ID_NUM_USES, SECRET_ID_TTL, TOKEN_TTL, TOKEN_MAX_TTL, PERIOD);
-
-    @BeforeAll
-    public static void init() {
-        BOUND_CIDR_LIST.add(CIDR_1);
-        POLICIES.add(POLICY);
-    }
-
-    /**
-     * Build role with only a name.
-     */
-    @Test
-    public void buildDefaultTest() throws JsonProcessingException {
-        AppRole role = new AppRoleBuilder(NAME).build();
-        assertThat(role.getId(), is(nullValue()));
-        assertThat(role.getBindSecretId(), is(nullValue()));
-        assertThat(role.getBoundCidrList(), is(nullValue()));
-        assertThat(role.getPolicies(), is(nullValue()));
-        assertThat(role.getSecretIdNumUses(), is(nullValue()));
-        assertThat(role.getSecretIdTtl(), is(nullValue()));
-        assertThat(role.getTokenTtl(), is(nullValue()));
-        assertThat(role.getTokenMaxTtl(), is(nullValue()));
-        assertThat(role.getPeriod(), is(nullValue()));
-
-        /* optional fields should be ignored, so JSON string should only contain role_name */
-        assertThat(new ObjectMapper().writeValueAsString(role), is(JSON_MIN));
-    }
-
-    /**
-     * Build token without all parameters set.
-     */
-    @Test
-    public void buildFullTest() throws JsonProcessingException {
-        AppRole role = new AppRoleBuilder(NAME)
-                .withId(ID)
-                .withBindSecretID(BIND_SECRET_ID)
-                .withBoundCidrList(BOUND_CIDR_LIST)
-                .withPolicies(POLICIES)
-                .withSecretIdNumUses(SECRET_ID_NUM_USES)
-                .withSecretIdTtl(SECRET_ID_TTL)
-                .withTokenTtl(TOKEN_TTL)
-                .withTokenMaxTtl(TOKEN_MAX_TTL)
-                .withPeriod(PERIOD)
-                .build();
-        assertThat(role.getName(), is(NAME));
-        assertThat(role.getId(), is(ID));
-        assertThat(role.getBindSecretId(), is(BIND_SECRET_ID));
-        assertThat(role.getBoundCidrList(), is(BOUND_CIDR_LIST));
-        assertThat(role.getPolicies(), is(POLICIES));
-        assertThat(role.getSecretIdNumUses(), is(SECRET_ID_NUM_USES));
-        assertThat(role.getSecretIdTtl(), is(SECRET_ID_TTL));
-        assertThat(role.getTokenTtl(), is(TOKEN_TTL));
-        assertThat(role.getTokenMaxTtl(), is(TOKEN_MAX_TTL));
-        assertThat(role.getPeriod(), is(PERIOD));
-
-        /* Verify that all parameters are included in JSON string */
-        assertThat(new ObjectMapper().writeValueAsString(role), is(JSON_FULL));
-    }
-
-    /**
-     * Test convenience methods
-     */
-    @Test
-    public void convenienceMethodsTest() {
-        /* bind_secret_id */
-        AppRole role = new AppRoleBuilder(NAME).build();
-        assertThat(role.getBindSecretId(), is(nullValue()));
-        role = new AppRoleBuilder(NAME).withBindSecretID().build();
-        assertThat(role.getBindSecretId(), is(true));
-        role = new AppRoleBuilder(NAME).withoutBindSecretID().build();
-        assertThat(role.getBindSecretId(), is(false));
-
-        /* Add single CIDR subnet */
-        role = new AppRoleBuilder(NAME).withCidrBlock(CIDR_2).build();
-        assertThat(role.getBoundCidrList(), hasSize(1));
-        assertThat(role.getBoundCidrList(), contains(CIDR_2));
-        role = new AppRoleBuilder(NAME)
-                .withBoundCidrList(BOUND_CIDR_LIST)
-                .withCidrBlock(CIDR_2)
-                .build();
-        assertThat(role.getBoundCidrList(), hasSize(2));
-        assertThat(role.getBoundCidrList(), contains(CIDR_1, CIDR_2));
-
-        /* Add single policy */
-        role = new AppRoleBuilder(NAME).withPolicy(POLICY_2).build();
-        assertThat(role.getPolicies(), hasSize(1));
-        assertThat(role.getPolicies(), contains(POLICY_2));
-        role = new AppRoleBuilder(NAME)
-                .withPolicies(POLICIES)
-                .withPolicy(POLICY_2)
-                .build();
-        assertThat(role.getPolicies(), hasSize(2));
-        assertThat(role.getPolicies(), contains(POLICY, POLICY_2));
-    }
-}
--- a/src/test/java/de/stklcode/jvault/connector/model/AppRoleSecretTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/AppRoleSecretTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,21 +16,14 @@

 package de.stklcode.jvault.connector.model;

-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.ObjectMapper;
 import org.junit.jupiter.api.Test;

-import java.io.IOException;
 import java.lang.reflect.Field;
-import java.util.Arrays;
-import java.util.HashMap;
 import java.util.List;
 import java.util.Map;

-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.*;
-import static org.hamcrest.junit.MatcherAssume.assumeThat;
-import static org.junit.jupiter.api.Assertions.fail;
+import static org.junit.jupiter.api.Assertions.*;
+import static org.junit.jupiter.api.Assumptions.assumeTrue;


 /**
@ -39,161 +32,143 @@ import static org.junit.jupiter.api.Assertions.fail;
 * @author Stefan Kalscheuer
 * @since 0.5.0
 */
-public class AppRoleSecretTest {
-
+class AppRoleSecretTest extends AbstractModelTest<AppRoleSecret> {
    private static final String TEST_ID = "abc123";
-    private static final Map<String, Object> TEST_META = new HashMap<>();
-    private static final List<String> TEST_CIDR = Arrays.asList("203.0.113.0/24", "198.51.100.0/24");
+    private static final Map<String, Object> TEST_META = Map.of(
+            "foo", "bar",
+            "number", 1337
+    );
+    private static final List<String> TEST_CIDR = List.of("203.0.113.0/24", "198.51.100.0/24");

-    static {
-        TEST_META.put("foo", "bar");
-        TEST_META.put("number", 1337);
+    AppRoleSecretTest() {
+        super(AppRoleSecret.class);
+    }
+
+    @Override
+    protected AppRoleSecret createFull() {
+        return new AppRoleSecret(TEST_ID, TEST_META, TEST_CIDR);
    }

    /**
     * Test constructors.
     */
    @Test
-    public void constructorTest() {
-        /* Empty constructor */
+    void constructorTest() {
+        // Empty constructor.
        AppRoleSecret secret = new AppRoleSecret();
-        assertThat(secret.getId(), is(nullValue()));
-        assertThat(secret.getAccessor(), is(nullValue()));
-        assertThat(secret.getMetadata(), is(nullValue()));
-        assertThat(secret.getCidrList(), is(nullValue()));
-        assertThat(secret.getCidrListString(), is(emptyString()));
-        assertThat(secret.getCreationTime(), is(nullValue()));
-        assertThat(secret.getExpirationTime(), is(nullValue()));
-        assertThat(secret.getLastUpdatedTime(), is(nullValue()));
-        assertThat(secret.getNumUses(), is(nullValue()));
-        assertThat(secret.getTtl(), is(nullValue()));
+        assertNull(secret.getId());
+        assertNull(secret.getAccessor());
+        assertNull(secret.getMetadata());
+        assertNull(secret.getCidrList());
+        assertEquals("", secret.getCidrListString());
+        assertNull(secret.getCreationTime());
+        assertNull(secret.getExpirationTime());
+        assertNull(secret.getLastUpdatedTime());
+        assertNull(secret.getNumUses());
+        assertNull(secret.getTtl());

-        /* Constructor with ID */
+        // Constructor with ID.
        secret = new AppRoleSecret(TEST_ID);
-        assertThat(secret.getId(), is(TEST_ID));
-        assertThat(secret.getAccessor(), is(nullValue()));
-        assertThat(secret.getMetadata(), is(nullValue()));
-        assertThat(secret.getCidrList(), is(nullValue()));
-        assertThat(secret.getCidrListString(), is(emptyString()));
-        assertThat(secret.getCreationTime(), is(nullValue()));
-        assertThat(secret.getExpirationTime(), is(nullValue()));
-        assertThat(secret.getLastUpdatedTime(), is(nullValue()));
-        assertThat(secret.getNumUses(), is(nullValue()));
-        assertThat(secret.getTtl(), is(nullValue()));
+        assertEquals(TEST_ID, secret.getId());
+        assertNull(secret.getAccessor());
+        assertNull(secret.getMetadata());
+        assertNull(secret.getCidrList());
+        assertEquals("", secret.getCidrListString());
+        assertNull(secret.getCreationTime());
+        assertNull(secret.getExpirationTime());
+        assertNull(secret.getLastUpdatedTime());
+        assertNull(secret.getNumUses());
+        assertNull(secret.getTtl());

-        /* Constructor with Metadata and CIDR bindings */
+        // Constructor with Metadata and CIDR bindings.
        secret = new AppRoleSecret(TEST_ID, TEST_META, TEST_CIDR);
-        assertThat(secret.getId(), is(TEST_ID));
-        assertThat(secret.getAccessor(), is(nullValue()));
-        assertThat(secret.getMetadata(), is(TEST_META));
-        assertThat(secret.getCidrList(), is(TEST_CIDR));
-        assertThat(secret.getCidrListString(), is(String.join(",", TEST_CIDR)));
-        assertThat(secret.getCreationTime(), is(nullValue()));
-        assertThat(secret.getExpirationTime(), is(nullValue()));
-        assertThat(secret.getLastUpdatedTime(), is(nullValue()));
-        assertThat(secret.getNumUses(), is(nullValue()));
-        assertThat(secret.getTtl(), is(nullValue()));
+        assertEquals(TEST_ID, secret.getId());
+        assertNull(secret.getAccessor());
+        assertEquals(TEST_META, secret.getMetadata());
+        assertEquals(TEST_CIDR, secret.getCidrList());
+        assertEquals(String.join(",", TEST_CIDR), secret.getCidrListString());
+        assertNull(secret.getCreationTime());
+        assertNull(secret.getExpirationTime());
+        assertNull(secret.getLastUpdatedTime());
+        assertNull(secret.getNumUses());
+        assertNull(secret.getTtl());
    }

    /**
     * Test setter.
     */
    @Test
-    public void setterTest() {
+    void setterTest() {
        AppRoleSecret secret = new AppRoleSecret(TEST_ID);
-        assertThat(secret.getCidrList(), is(nullValue()));
-        assertThat(secret.getCidrListString(), is(emptyString()));
+        assertNull(secret.getCidrList());
+        assertEquals("", secret.getCidrListString());
        secret.setCidrList(TEST_CIDR);
-        assertThat(secret.getCidrList(), is(TEST_CIDR));
-        assertThat(secret.getCidrListString(), is(String.join(",", TEST_CIDR)));
+        assertEquals(TEST_CIDR, secret.getCidrList());
+        assertEquals(String.join(",", TEST_CIDR), secret.getCidrListString());
        secret.setCidrList(null);
-        assertThat(secret.getCidrList(), is(nullValue()));
-        assertThat(secret.getCidrListString(), is(emptyString()));
+        assertNull(secret.getCidrList());
+        assertEquals("", secret.getCidrListString());
    }

    /**
     * Test JSON (de)serialization.
     */
    @Test
-    public void jsonTest() throws NoSuchFieldException, IllegalAccessException {
-        ObjectMapper mapper = new ObjectMapper();
-
-        /* A simple roundtrip first. All set fields should be present afterwards. */
+    void jsonTest() throws NoSuchFieldException, IllegalAccessException {
+        // A simple roundtrip first. All set fields should be present afterwards..
        AppRoleSecret secret = new AppRoleSecret(TEST_ID, TEST_META, TEST_CIDR);
-        String secretJson = "";
-        try {
-            secretJson = mapper.writeValueAsString(secret);
-        } catch (JsonProcessingException e) {
-            e.printStackTrace();
-            fail("Serialization failed");
-        }
-        /* CIDR list is comma-separated when used as input, but List otherwise, hence convert string to list */
-        secretJson = commaSeparatedToList(secretJson);
+        String secretJson = assertDoesNotThrow(() -> objectMapper.writeValueAsString(secret), "Serialization failed");
+        // CIDR list is comma-separated when used as input, but List otherwise, hence convert string to list.
+        String secretJson2 = commaSeparatedToList(secretJson);

-        AppRoleSecret secret2;
-        try {
-            secret2 = mapper.readValue(secretJson, AppRoleSecret.class);
-            assertThat(secret.getId(), is(secret2.getId()));
-            assertThat(secret.getMetadata(), is(secret2.getMetadata()));
-            assertThat(secret.getCidrList(), is(secret2.getCidrList()));
-        } catch (IOException e) {
-            e.printStackTrace();
-            fail("Deserialization failed");
-        }
+        AppRoleSecret secret2 = assertDoesNotThrow(
+                () -> objectMapper.readValue(secretJson2, AppRoleSecret.class),
+                "Deserialization failed"
+        );
+        assertEquals(secret2.getId(), secret.getId());
+        assertEquals(secret2.getMetadata(), secret.getMetadata());
+        assertEquals(secret2.getCidrList(), secret.getCidrList());

-        /* Test fields, that should not be written to JSON */
+        // Test fields, that should not be written to JSON.
        setPrivateField(secret, "accessor", "TEST_ACCESSOR");
-        assumeThat(secret.getAccessor(), is("TEST_ACCESSOR"));
+        assumeTrue("TEST_ACCESSOR".equals(secret.getAccessor()));
        setPrivateField(secret, "creationTime", "TEST_CREATION");
-        assumeThat(secret.getCreationTime(), is("TEST_CREATION"));
+        assumeTrue("TEST_CREATION".equals(secret.getCreationTime()));
        setPrivateField(secret, "expirationTime", "TEST_EXPIRATION");
-        assumeThat(secret.getExpirationTime(), is("TEST_EXPIRATION"));
+        assumeTrue("TEST_EXPIRATION".equals(secret.getExpirationTime()));
        setPrivateField(secret, "lastUpdatedTime", "TEST_UPDATETIME");
-        assumeThat(secret.getLastUpdatedTime(), is("TEST_UPDATETIME"));
+        assumeTrue("TEST_UPDATETIME".equals(secret.getLastUpdatedTime()));
        setPrivateField(secret, "numUses", 678);
-        assumeThat(secret.getNumUses(), is(678));
+        assumeTrue(secret.getNumUses() == 678);
        setPrivateField(secret, "ttl", 12345);
-        assumeThat(secret.getTtl(), is(12345));
-        try {
-            secretJson = mapper.writeValueAsString(secret);
-        } catch (JsonProcessingException e) {
-            e.printStackTrace();
-            fail("Serialization failed");
-        }
-        try {
-            secret2 = mapper.readValue(commaSeparatedToList(secretJson), AppRoleSecret.class);
-            assertThat(secret.getId(), is(secret2.getId()));
-            assertThat(secret.getMetadata(), is(secret2.getMetadata()));
-            assertThat(secret.getCidrList(), is(secret2.getCidrList()));
-            assertThat(secret2.getAccessor(), is(nullValue()));
-            assertThat(secret2.getCreationTime(), is(nullValue()));
-            assertThat(secret2.getExpirationTime(), is(nullValue()));
-            assertThat(secret2.getLastUpdatedTime(), is(nullValue()));
-            assertThat(secret2.getNumUses(), is(nullValue()));
-            assertThat(secret2.getTtl(), is(nullValue()));
-        } catch (IOException e) {
-            e.printStackTrace();
-            fail("Deserialization failed");
-        }
+        assumeTrue(secret.getTtl() == 12345);
+        String secretJson3 = assertDoesNotThrow(() -> objectMapper.writeValueAsString(secret), "Serialization failed");
+        secret2 = assertDoesNotThrow(
+                () -> objectMapper.readValue(commaSeparatedToList(secretJson3), AppRoleSecret.class),
+                "Deserialization failed"
+        );
+        assertEquals(secret2.getId(), secret.getId());
+        assertEquals(secret2.getMetadata(), secret.getMetadata());
+        assertEquals(secret2.getCidrList(), secret.getCidrList());
+        assertNull(secret2.getAccessor());
+        assertNull(secret2.getCreationTime());
+        assertNull(secret2.getExpirationTime());
+        assertNull(secret2.getLastUpdatedTime());
+        assertNull(secret2.getNumUses());
+        assertNull(secret2.getTtl());

-        /* Those fields should be deserialized from JSON though */
-        secretJson = "{\"secret_id\":\"abc123\",\"metadata\":{\"number\":1337,\"foo\":\"bar\"}," +
+        // Those fields should be deserialized from JSON though.
+        String secretJson4 = "{\"secret_id\":\"abc123\",\"metadata\":{\"number\":1337,\"foo\":\"bar\"}," +
                "\"cidr_list\":[\"203.0.113.0/24\",\"198.51.100.0/24\"],\"secret_id_accessor\":\"TEST_ACCESSOR\"," +
                "\"creation_time\":\"TEST_CREATION\",\"expiration_time\":\"TEST_EXPIRATION\"," +
                "\"last_updated_time\":\"TEST_LASTUPDATE\",\"secret_id_num_uses\":678,\"secret_id_ttl\":12345}";
-        try {
-            secret2 = mapper.readValue(secretJson, AppRoleSecret.class);
-            assertThat(secret2.getAccessor(), is("TEST_ACCESSOR"));
-            assertThat(secret2.getCreationTime(), is("TEST_CREATION"));
-            assertThat(secret2.getExpirationTime(), is("TEST_EXPIRATION"));
-            assertThat(secret2.getLastUpdatedTime(), is("TEST_LASTUPDATE"));
-            assertThat(secret2.getNumUses(), is(678));
-            assertThat(secret2.getTtl(), is(12345));
-        } catch (IOException e) {
-            e.printStackTrace();
-            fail("Deserialization failed");
-        }
-
+        secret2 = assertDoesNotThrow(() -> objectMapper.readValue(secretJson4, AppRoleSecret.class), "Deserialization failed");
+        assertEquals("TEST_ACCESSOR", secret2.getAccessor());
+        assertEquals("TEST_CREATION", secret2.getCreationTime());
+        assertEquals("TEST_EXPIRATION", secret2.getExpirationTime());
+        assertEquals("TEST_LASTUPDATE", secret2.getLastUpdatedTime());
+        assertEquals(678, secret2.getNumUses());
+        assertEquals(12345, secret2.getTtl());
    }

    private static void setPrivateField(Object object, String fieldName, Object value) throws NoSuchFieldException, IllegalAccessException {
@ -208,5 +183,4 @@ public class AppRoleSecretTest {
        return json.replaceAll("\"cidr_list\":\"([^\"]*)\"", "\"cidr_list\":\\[$1\\]")
                .replaceAll("(\\d+\\.\\d+\\.\\d+\\.\\d+/\\d+)", "\"$1\"");
    }
-
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/AppRoleTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/AppRoleTest.java
@ -0,0 +1,183 @@
+/*
+ * Copyright 2016-2023 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * JUnit Test for {@link AppRole} and {@link AppRole.Builder}.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.4.0
+ */
+class AppRoleTest extends AbstractModelTest<AppRole> {
+    private static final String NAME = "TestRole";
+    private static final String ID = "test-id";
+    private static final Boolean BIND_SECRET_ID = true;
+    private static final List<String> BOUND_CIDR_LIST = new ArrayList<>();
+    private static final String CIDR_1 = "192.168.1.0/24";
+    private static final String CIDR_2 = "172.16.0.0/16";
+    private static final List<String> POLICIES = new ArrayList<>();
+    private static final String POLICY = "policy";
+    private static final String POLICY_2 = "policy2";
+    private static final Integer SECRET_ID_NUM_USES = 10;
+    private static final Integer SECRET_ID_TTL = 7200;
+    private static final Boolean ENABLE_LOCAL_SECRET_IDS = false;
+    private static final Integer TOKEN_TTL = 4800;
+    private static final Integer TOKEN_MAX_TTL = 9600;
+    private static final Integer TOKEN_EXPLICIT_MAX_TTL = 14400;
+    private static final Boolean TOKEN_NO_DEFAULT_POLICY = false;
+    private static final Integer TOKEN_NUM_USES = 42;
+    private static final Integer TOKEN_PERIOD = 1234;
+    private static final Token.Type TOKEN_TYPE = Token.Type.DEFAULT_SERVICE;
+    private static final String JSON_MIN = "{\"role_name\":\"" + NAME + "\"}";
+    private static final String JSON_FULL = String.format("{\"role_name\":\"%s\",\"role_id\":\"%s\",\"bind_secret_id\":%s,\"secret_id_bound_cidrs\":\"%s\",\"secret_id_num_uses\":%d,\"secret_id_ttl\":%d,\"enable_local_secret_ids\":%s,\"token_ttl\":%d,\"token_max_ttl\":%d,\"token_policies\":\"%s\",\"token_bound_cidrs\":\"%s\",\"token_explicit_max_ttl\":%d,\"token_no_default_policy\":%s,\"token_num_uses\":%d,\"token_period\":%d,\"token_type\":\"%s\"}",
+            NAME, ID, BIND_SECRET_ID, CIDR_1, SECRET_ID_NUM_USES, SECRET_ID_TTL, ENABLE_LOCAL_SECRET_IDS, TOKEN_TTL, TOKEN_MAX_TTL, POLICY, CIDR_1, TOKEN_EXPLICIT_MAX_TTL, TOKEN_NO_DEFAULT_POLICY, TOKEN_NUM_USES, TOKEN_PERIOD, TOKEN_TYPE.value());
+
+    AppRoleTest() {
+        super(AppRole.class);
+    }
+
+    @Override
+    protected AppRole createFull() {
+        return AppRole.builder(NAME)
+                .withId(ID)
+                .withBindSecretID(BIND_SECRET_ID)
+                .withSecretIdBoundCidrs(BOUND_CIDR_LIST)
+                .withTokenPolicies(POLICIES)
+                .withSecretIdNumUses(SECRET_ID_NUM_USES)
+                .withSecretIdTtl(SECRET_ID_TTL)
+                .withEnableLocalSecretIds(ENABLE_LOCAL_SECRET_IDS)
+                .withTokenTtl(TOKEN_TTL)
+                .withTokenMaxTtl(TOKEN_MAX_TTL)
+                .withTokenBoundCidrs(BOUND_CIDR_LIST)
+                .withTokenExplicitMaxTtl(TOKEN_EXPLICIT_MAX_TTL)
+                .withTokenNoDefaultPolicy(TOKEN_NO_DEFAULT_POLICY)
+                .withTokenNumUses(TOKEN_NUM_USES)
+                .withTokenPeriod(TOKEN_PERIOD)
+                .withTokenType(TOKEN_TYPE)
+                .build();
+    }
+
+    @BeforeAll
+    static void init() {
+        BOUND_CIDR_LIST.add(CIDR_1);
+        POLICIES.add(POLICY);
+    }
+
+    /**
+     * Build role with only a name.
+     */
+    @Test
+    void buildDefaultTest() throws JsonProcessingException {
+        AppRole role = AppRole.builder(NAME).build();
+        assertNull(role.getId());
+        assertNull(role.getBindSecretId());
+        assertNull(role.getSecretIdBoundCidrs());
+        assertNull(role.getTokenPolicies());
+        assertNull(role.getSecretIdNumUses());
+        assertNull(role.getSecretIdTtl());
+        assertNull(role.getEnableLocalSecretIds());
+        assertNull(role.getTokenTtl());
+        assertNull(role.getTokenMaxTtl());
+        assertNull(role.getTokenBoundCidrs());
+        assertNull(role.getTokenExplicitMaxTtl());
+        assertNull(role.getTokenNoDefaultPolicy());
+        assertNull(role.getTokenNumUses());
+        assertNull(role.getTokenPeriod());
+        assertNull(role.getTokenType());
+
+        // Optional fields should be ignored, so JSON string should only contain role_name.
+        assertEquals(JSON_MIN, objectMapper.writeValueAsString(role));
+    }
+
+    /**
+     * Build token without all parameters set.
+     */
+    @Test
+    void buildFullTest() throws JsonProcessingException {
+        AppRole role = createFull();
+        assertEquals(NAME, role.getName());
+        assertEquals(ID, role.getId());
+        assertEquals(BIND_SECRET_ID, role.getBindSecretId());
+        assertEquals(BOUND_CIDR_LIST, role.getSecretIdBoundCidrs());
+        assertEquals(POLICIES, role.getTokenPolicies());
+        assertEquals(SECRET_ID_NUM_USES, role.getSecretIdNumUses());
+        assertEquals(SECRET_ID_TTL, role.getSecretIdTtl());
+        assertEquals(ENABLE_LOCAL_SECRET_IDS, role.getEnableLocalSecretIds());
+        assertEquals(TOKEN_TTL, role.getTokenTtl());
+        assertEquals(TOKEN_MAX_TTL, role.getTokenMaxTtl());
+        assertEquals(BOUND_CIDR_LIST, role.getTokenBoundCidrs());
+        assertEquals(TOKEN_EXPLICIT_MAX_TTL, role.getTokenExplicitMaxTtl());
+        assertEquals(TOKEN_NO_DEFAULT_POLICY, role.getTokenNoDefaultPolicy());
+        assertEquals(TOKEN_NUM_USES, role.getTokenNumUses());
+        assertEquals(TOKEN_PERIOD, role.getTokenPeriod());
+        assertEquals(TOKEN_TYPE.value(), role.getTokenType());
+
+        // Verify that all parameters are included in JSON string.
+        assertEquals(JSON_FULL, objectMapper.writeValueAsString(role));
+    }
+
+    /**
+     * Test convenience methods
+     */
+    @Test
+    void convenienceMethodsTest() {
+        // bind_secret_id.
+        AppRole role = AppRole.builder(NAME).build();
+        assertNull(role.getBindSecretId());
+        role = AppRole.builder(NAME).withBindSecretID().build();
+        assertEquals(true, role.getBindSecretId());
+        role = AppRole.builder(NAME).withoutBindSecretID().build();
+        assertEquals(false, role.getBindSecretId());
+
+        // Add single CIDR subnet.
+        role = AppRole.builder(NAME).withSecretBoundCidr(CIDR_2).withTokenBoundCidr(CIDR_2).build();
+        assertEquals(1, role.getSecretIdBoundCidrs().size());
+        assertEquals(CIDR_2, role.getSecretIdBoundCidrs().get(0));
+        assertEquals(1, role.getTokenBoundCidrs().size());
+        assertEquals(CIDR_2, role.getTokenBoundCidrs().get(0));
+        role = AppRole.builder(NAME)
+                .withSecretIdBoundCidrs(BOUND_CIDR_LIST)
+                .withSecretBoundCidr(CIDR_2)
+                .withTokenBoundCidrs(BOUND_CIDR_LIST)
+                .withTokenBoundCidr(CIDR_2)
+                .build();
+        assertEquals(2, role.getSecretIdBoundCidrs().size());
+        assertTrue(role.getSecretIdBoundCidrs().containsAll(List.of(CIDR_1, CIDR_2)));
+        assertEquals(2, role.getTokenBoundCidrs().size());
+        assertTrue(role.getSecretIdBoundCidrs().containsAll(List.of(CIDR_1, CIDR_2)));
+
+        // Add single policy.
+        role = AppRole.builder(NAME).withTokenPolicy(POLICY_2).build();
+        assertEquals(1, role.getTokenPolicies().size());
+        assertEquals(POLICY_2, role.getTokenPolicies().get(0));
+        role = AppRole.builder(NAME)
+                .withTokenPolicies(POLICIES)
+                .withTokenPolicy(POLICY_2)
+                .build();
+        assertEquals(2, role.getTokenPolicies().size());
+        assertTrue(role.getTokenPolicies().containsAll(List.of(POLICY, POLICY_2)));
+    }
+}
--- a/src/test/java/de/stklcode/jvault/connector/model/AuthBackendTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/AuthBackendTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -18,8 +18,8 @@ package de.stklcode.jvault.connector.model;

 import org.junit.jupiter.api.Test;

-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.is;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+

 /**
 * JUnit Test for AuthBackend model.
@ -27,19 +27,19 @@ import static org.hamcrest.Matchers.is;
 * @author Stefan Kalscheuer
 * @since 0.4.0
 */
-public class AuthBackendTest {
+class AuthBackendTest {

    /**
     * Test forType() method.
     */
    @Test
-    public void forTypeTest() {
-        assertThat(AuthBackend.forType("token"), is(AuthBackend.TOKEN));
-        assertThat(AuthBackend.forType("app-id"), is(AuthBackend.APPID));
-        assertThat(AuthBackend.forType("userpass"), is(AuthBackend.USERPASS));
-        assertThat(AuthBackend.forType("github"), is(AuthBackend.GITHUB));
-        assertThat(AuthBackend.forType(""), is(AuthBackend.UNKNOWN));
-        assertThat(AuthBackend.forType("foobar"), is(AuthBackend.UNKNOWN));
+    @SuppressWarnings("deprecation")
+    void forTypeTest() {
+        assertEquals(AuthBackend.TOKEN, AuthBackend.forType("token"));
+        assertEquals(AuthBackend.APPID, AuthBackend.forType("app-id"));
+        assertEquals(AuthBackend.USERPASS, AuthBackend.forType("userpass"));
+        assertEquals(AuthBackend.GITHUB, AuthBackend.forType("github"));
+        assertEquals(AuthBackend.UNKNOWN, AuthBackend.forType(""));
+        assertEquals(AuthBackend.UNKNOWN, AuthBackend.forType("foobar"));
    }
-
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/TokenBuilderTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/TokenBuilderTest.java
@ -1,161 +0,0 @@
-/*
- * Copyright 2016-2018 Stefan Kalscheuer
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package de.stklcode.jvault.connector.model;
-
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import org.junit.jupiter.api.BeforeAll;
-import org.junit.jupiter.api.Test;
-
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.*;
-
-/**
- * JUnit Test for Token Builder.
- *
- * @author Stefan Kalscheuer
- * @since 0.4.0
- */
-public class TokenBuilderTest {
-
-    private static final String ID = "test-id";
-    private static final String DISPLAY_NAME = "display-name";
-    private static final Boolean NO_PARENT = false;
-    private static final Boolean NO_DEFAULT_POLICY = false;
-    private static final Integer TTL = 123;
-    private static final Integer NUM_USES = 4;
-    private static final List<String> POLICIES = new ArrayList<>();
-    private static final String POLICY = "policy";
-    private static final String POLICY_2 = "policy2";
-    private static final String POLICY_3 = "policy3";
-    private static final Map<String, String> META = new HashMap<>();
-    private static final String META_KEY = "key";
-    private static final String META_VALUE = "value";
-    private static final String META_KEY_2 = "key2";
-    private static final String META_VALUE_2 = "value2";
-    private static final Boolean RENEWABLE = true;
-    private static final String JSON_FULL = "{\"id\":\"test-id\",\"display_name\":\"display-name\",\"no_parent\":false,\"no_default_policy\":false,\"ttl\":123,\"num_uses\":4,\"policies\":[\"policy\"],\"meta\":{\"key\":\"value\"},\"renewable\":true}";
-
-    @BeforeAll
-    public static void init() {
-        POLICIES.add(POLICY);
-        META.put(META_KEY, META_VALUE);
-    }
-
-    /**
-     * Build token without any parameters.
-     */
-    @Test
-    public void buildDefaultTest() throws JsonProcessingException {
-        Token token = new TokenBuilder().build();
-        assertThat(token.getId(), is(nullValue()));
-        assertThat(token.getDisplayName(), is(nullValue()));
-        assertThat(token.getNoParent(), is(nullValue()));
-        assertThat(token.getNoDefaultPolicy(), is(nullValue()));
-        assertThat(token.getTtl(), is(nullValue()));
-        assertThat(token.getNumUses(), is(nullValue()));
-        assertThat(token.getPolicies(), is(nullValue()));
-        assertThat(token.getMeta(), is(nullValue()));
-        assertThat(token.isRenewable(), is(nullValue()));
-
-        /* optional fields should be ignored, so JSON string should be empty */
-        assertThat(new ObjectMapper().writeValueAsString(token), is("{}"));
-    }
-
-    /**
-     * Build token without all parameters set.
-     */
-    @Test
-    public void buildFullTest() throws JsonProcessingException {
-        Token token = new TokenBuilder()
-                .withId(ID)
-                .withDisplayName(DISPLAY_NAME)
-                .withNoParent(NO_PARENT)
-                .withNoDefaultPolicy(NO_DEFAULT_POLICY)
-                .withTtl(TTL)
-                .withNumUses(NUM_USES)
-                .withPolicies(POLICIES)
-                .withMeta(META)
-                .withRenewable(RENEWABLE)
-                .build();
-        assertThat(token.getId(), is(ID));
-        assertThat(token.getDisplayName(), is(DISPLAY_NAME));
-        assertThat(token.getNoParent(), is(NO_PARENT));
-        assertThat(token.getNoDefaultPolicy(), is(NO_DEFAULT_POLICY));
-        assertThat(token.getTtl(), is(TTL));
-        assertThat(token.getNumUses(), is(NUM_USES));
-        assertThat(token.getPolicies(), is(POLICIES));
-        assertThat(token.getMeta(), is(META));
-        assertThat(token.isRenewable(), is(RENEWABLE));
-
-        /* Verify that all parameters are included in JSON string */
-        assertThat(new ObjectMapper().writeValueAsString(token), is(JSON_FULL));
-    }
-
-    /**
-     * Test convenience methods
-     */
-    @Test
-    public void convenienceMethodsTest() {
-        /* Parent */
-        Token token = new TokenBuilder().asOrphan().build();
-        assertThat(token.getNoParent(), is(true));
-        token = new TokenBuilder().withParent().build();
-        assertThat(token.getNoParent(), is(false));
-
-        /* Default policy */
-        token = new TokenBuilder().withDefaultPolicy().build();
-        assertThat(token.getNoDefaultPolicy(), is(false));
-        token = new TokenBuilder().withoutDefaultPolicy().build();
-        assertThat(token.getNoDefaultPolicy(), is(true));
-
-        /* Renewability */
-        token = new TokenBuilder().renewable().build();
-        assertThat(token.isRenewable(), is(true));
-        token = new TokenBuilder().notRenewable().build();
-        assertThat(token.isRenewable(), is(false));
-
-        /* Add single policy */
-        token = new TokenBuilder().withPolicy(POLICY_2).build();
-        assertThat(token.getPolicies(), hasSize(1));
-        assertThat(token.getPolicies(), contains(POLICY_2));
-        token = new TokenBuilder()
-                .withPolicies(POLICY, POLICY_2)
-                .withPolicy(POLICY_3)
-                .build();
-        assertThat(token.getPolicies(), hasSize(3));
-        assertThat(token.getPolicies(), contains(POLICY, POLICY_2, POLICY_3));
-
-        /* Add single metadata */
-        token = new TokenBuilder().withMeta(META_KEY_2, META_VALUE_2).build();
-        assertThat(token.getMeta().size(), is(1));
-        assertThat(token.getMeta().keySet(), contains(META_KEY_2));
-        assertThat(token.getMeta().get(META_KEY_2), is(META_VALUE_2));
-        token = new TokenBuilder()
-                .withMeta(META)
-                .withMeta(META_KEY_2, META_VALUE_2)
-                .build();
-        assertThat(token.getMeta().size(), is(2));
-        assertThat(token.getMeta().get(META_KEY), is(META_VALUE));
-        assertThat(token.getMeta().get(META_KEY_2), is(META_VALUE_2));
-    }
-}
--- a/src/test/java/de/stklcode/jvault/connector/model/TokenRoleTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/TokenRoleTest.java
@ -0,0 +1,212 @@
+/*
+ * Copyright 2016-2023 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import org.junit.jupiter.api.Test;
+
+import java.util.Arrays;
+import java.util.List;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * Unit Test for {@link TokenRole} and {@link TokenRole.Builder}.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.9
+ */
+class TokenRoleTest extends AbstractModelTest<TokenRole> {
+    private static final String NAME = "test-role";
+    private static final String ALLOWED_POLICY_1 = "apol-1";
+    private static final String ALLOWED_POLICY_2 = "apol-2";
+    private static final String ALLOWED_POLICY_3 = "apol-3";
+    private static final List<String> ALLOWED_POLICIES = Arrays.asList(ALLOWED_POLICY_1, ALLOWED_POLICY_2);
+    private static final String ALLOWED_POLICY_GLOB_1 = "apol-g1*";
+    private static final String ALLOWED_POLICY_GLOB_2 = "apol-g2*";
+    private static final String ALLOWED_POLICY_GLOB_3 = "apol-g3*";
+    private static final List<String> ALLOWED_POLICIES_GLOB = Arrays.asList(ALLOWED_POLICY_GLOB_2, ALLOWED_POLICY_GLOB_3);
+    private static final String DISALLOWED_POLICY_1 = "dpol-1";
+    private static final String DISALLOWED_POLICY_2 = "dpol-2";
+    private static final String DISALLOWED_POLICY_3 = "dpol-3";
+    private static final List<String> DISALLOWED_POLICIES = Arrays.asList(DISALLOWED_POLICY_2, DISALLOWED_POLICY_3);
+    private static final String DISALLOWED_POLICY_GLOB_1 = "dpol-g1*";
+    private static final String DISALLOWED_POLICY_GLOB_2 = "dpol-g2*";
+    private static final String DISALLOWED_POLICY_GLOB_3 = "dpol-g3*";
+    private static final List<String> DISALLOWED_POLICIES_GLOB = Arrays.asList(DISALLOWED_POLICY_GLOB_1, DISALLOWED_POLICY_GLOB_2);
+    private static final Boolean ORPHAN = false;
+    private static final Boolean RENEWABLE = true;
+    private static final String PATH_SUFFIX = "ps";
+    private static final String ALLOWED_ENTITY_ALIAS_1 = "alias-1";
+    private static final String ALLOWED_ENTITY_ALIAS_2 = "alias-2";
+    private static final String ALLOWED_ENTITY_ALIAS_3 = "alias-3";
+    private static final List<String> ALLOWED_ENTITY_ALIASES = Arrays.asList(ALLOWED_ENTITY_ALIAS_1, ALLOWED_ENTITY_ALIAS_3);
+    private static final String TOKEN_BOUND_CIDR_1 = "192.0.2.0/24";
+    private static final String TOKEN_BOUND_CIDR_2 = "198.51.100.0/24";
+    private static final String TOKEN_BOUND_CIDR_3 = "203.0.113.0/24";
+    private static final List<String> TOKEN_BOUND_CIDRS = Arrays.asList(TOKEN_BOUND_CIDR_2, TOKEN_BOUND_CIDR_1);
+    private static final Integer TOKEN_EXPLICIT_MAX_TTL = 1234;
+    private static final Boolean TOKEN_NO_DEFAULT_POLICY = false;
+    private static final Integer TOKEN_NUM_USES = 5;
+    private static final Integer TOKEN_PERIOD = 2345;
+    private static final Token.Type TOKEN_TYPE = Token.Type.SERVICE;
+
+    private static final String JSON_FULL = "{" +
+            "\"name\":\"" + NAME + "\"," +
+            "\"allowed_policies\":[\"" + ALLOWED_POLICY_1 + "\",\"" + ALLOWED_POLICY_2 + "\",\"" + ALLOWED_POLICY_3 + "\"]," +
+            "\"allowed_policies_glob\":[\"" + ALLOWED_POLICY_GLOB_1 + "\",\"" + ALLOWED_POLICY_GLOB_2 + "\",\"" + ALLOWED_POLICY_GLOB_3 + "\"]," +
+            "\"disallowed_policies\":[\"" + DISALLOWED_POLICY_1 + "\",\"" + DISALLOWED_POLICY_2 + "\",\"" + DISALLOWED_POLICY_3 + "\"]," +
+            "\"disallowed_policies_glob\":[\"" + DISALLOWED_POLICY_GLOB_1 + "\",\"" + DISALLOWED_POLICY_GLOB_2 + "\",\"" + DISALLOWED_POLICY_GLOB_3 + "\"]," +
+            "\"orphan\":" + ORPHAN + "," +
+            "\"renewable\":" + RENEWABLE + "," +
+            "\"path_suffix\":\"" + PATH_SUFFIX + "\"," +
+            "\"allowed_entity_aliases\":[\"" + ALLOWED_ENTITY_ALIAS_1 + "\",\"" + ALLOWED_ENTITY_ALIAS_3 + "\",\"" + ALLOWED_ENTITY_ALIAS_2 + "\"]," +
+            "\"token_bound_cidrs\":[\"" + TOKEN_BOUND_CIDR_3 + "\",\"" + TOKEN_BOUND_CIDR_2 + "\",\"" + TOKEN_BOUND_CIDR_1 + "\"]," +
+            "\"token_explicit_max_ttl\":" + TOKEN_EXPLICIT_MAX_TTL + "," +
+            "\"token_no_default_policy\":" + TOKEN_NO_DEFAULT_POLICY + "," +
+            "\"token_num_uses\":" + TOKEN_NUM_USES + "," +
+            "\"token_period\":" + TOKEN_PERIOD + "," +
+            "\"token_type\":\"" + TOKEN_TYPE.value() + "\"}";
+
+    TokenRoleTest() {
+        super(TokenRole.class);
+    }
+
+    @Override
+    protected TokenRole createFull() {
+        return TokenRole.builder()
+                .forName(NAME)
+                .withAllowedPolicies(ALLOWED_POLICIES)
+                .withAllowedPolicy(ALLOWED_POLICY_3)
+                .withAllowedPolicyGlob(ALLOWED_POLICY_GLOB_1)
+                .withAllowedPoliciesGlob(ALLOWED_POLICIES_GLOB)
+                .withDisallowedPolicy(DISALLOWED_POLICY_1)
+                .withDisallowedPolicies(DISALLOWED_POLICIES)
+                .withDisallowedPoliciesGlob(DISALLOWED_POLICIES_GLOB)
+                .withDisallowedPolicyGlob(DISALLOWED_POLICY_GLOB_3)
+                .orphan(ORPHAN)
+                .renewable(RENEWABLE)
+                .withPathSuffix(PATH_SUFFIX)
+                .withAllowedEntityAliases(ALLOWED_ENTITY_ALIASES)
+                .withAllowedEntityAlias(ALLOWED_ENTITY_ALIAS_2)
+                .withTokenBoundCidr(TOKEN_BOUND_CIDR_3)
+                .withTokenBoundCidrs(TOKEN_BOUND_CIDRS)
+                .withTokenExplicitMaxTtl(TOKEN_EXPLICIT_MAX_TTL)
+                .withTokenNoDefaultPolicy(TOKEN_NO_DEFAULT_POLICY)
+                .withTokenNumUses(TOKEN_NUM_USES)
+                .withTokenPeriod(TOKEN_PERIOD)
+                .withTokenType(TOKEN_TYPE)
+                .build();
+    }
+
+    /**
+     * Build token without any parameters.
+     */
+    @Test
+    void buildDefaultTest() throws JsonProcessingException {
+        TokenRole role = TokenRole.builder().build();
+        assertNull(role.getAllowedPolicies());
+        assertNull(role.getDisallowedPolicies());
+        assertNull(role.getOrphan());
+        assertNull(role.getRenewable());
+        assertNull(role.getAllowedEntityAliases());
+        assertNull(role.getTokenBoundCidrs());
+        assertNull(role.getTokenExplicitMaxTtl());
+        assertNull(role.getTokenNoDefaultPolicy());
+        assertNull(role.getTokenNumUses());
+        assertNull(role.getTokenPeriod());
+        assertNull(role.getTokenType());
+
+        // Optional fields should be ignored, so JSON string should be empty.
+        assertEquals("{}", objectMapper.writeValueAsString(role));
+    }
+
+    /**
+     * Build token without all parameters NULL.
+     */
+    @Test
+    void buildNullTest() throws JsonProcessingException {
+        TokenRole role = TokenRole.builder()
+                .forName(null)
+                .withAllowedPolicies(null)
+                .withAllowedPolicy(null)
+                .withDisallowedPolicy(null)
+                .withDisallowedPolicies(null)
+                .orphan(null)
+                .renewable(null)
+                .withPathSuffix(null)
+                .withAllowedEntityAliases(null)
+                .withAllowedEntityAlias(null)
+                .withTokenBoundCidr(null)
+                .withTokenBoundCidrs(null)
+                .withTokenExplicitMaxTtl(null)
+                .withTokenNoDefaultPolicy(null)
+                .withTokenNumUses(null)
+                .withTokenPeriod(null)
+                .withTokenType(null)
+                .build();
+
+        assertNull(role.getAllowedPolicies());
+        assertNull(role.getDisallowedPolicies());
+        assertNull(role.getOrphan());
+        assertNull(role.getRenewable());
+        assertNull(role.getAllowedEntityAliases());
+        assertNull(role.getTokenBoundCidrs());
+        assertNull(role.getTokenExplicitMaxTtl());
+        assertNull(role.getTokenNoDefaultPolicy());
+        assertNull(role.getTokenNumUses());
+        assertNull(role.getTokenPeriod());
+        assertNull(role.getTokenType());
+
+        // Empty builder should be equal to no-arg construction.
+        assertEquals(role, new TokenRole());
+
+        // Optional fields should be ignored, so JSON string should be empty.
+        assertEquals("{}", objectMapper.writeValueAsString(role));
+    }
+
+    /**
+     * Build token without all parameters set.
+     */
+    @Test
+    void buildFullTest() throws JsonProcessingException {
+        TokenRole role = createFull();
+        assertEquals(NAME, role.getName());
+        assertEquals(ALLOWED_POLICIES.size() + 1, role.getAllowedPolicies().size());
+        assertTrue(role.getAllowedPolicies().containsAll(List.of(ALLOWED_POLICY_1, ALLOWED_POLICY_2, ALLOWED_POLICY_3)));
+        assertEquals(ALLOWED_POLICIES_GLOB.size() + 1, role.getAllowedPoliciesGlob().size());
+        assertTrue(role.getAllowedPoliciesGlob().containsAll(List.of(ALLOWED_POLICY_GLOB_1, ALLOWED_POLICY_GLOB_2, ALLOWED_POLICY_GLOB_3)));
+        assertEquals(DISALLOWED_POLICIES.size() + 1, role.getDisallowedPolicies().size());
+        assertTrue(role.getDisallowedPolicies().containsAll(List.of(DISALLOWED_POLICY_1, DISALLOWED_POLICY_2, DISALLOWED_POLICY_3)));
+        assertEquals(DISALLOWED_POLICIES_GLOB.size() + 1, role.getDisallowedPoliciesGlob().size());
+        assertTrue(role.getDisallowedPoliciesGlob().containsAll(List.of(DISALLOWED_POLICY_GLOB_1, DISALLOWED_POLICY_GLOB_2, DISALLOWED_POLICY_GLOB_3)));
+        assertEquals(ORPHAN, role.getOrphan());
+        assertEquals(RENEWABLE, role.getRenewable());
+        assertEquals(PATH_SUFFIX, role.getPathSuffix());
+        assertEquals(ALLOWED_ENTITY_ALIASES.size() + 1, role.getAllowedEntityAliases().size());
+        assertTrue(role.getAllowedEntityAliases().containsAll(List.of(ALLOWED_ENTITY_ALIAS_1, ALLOWED_ENTITY_ALIAS_2, ALLOWED_ENTITY_ALIAS_3)));
+        assertEquals(TOKEN_BOUND_CIDRS.size() + 1, role.getTokenBoundCidrs().size());
+        assertTrue(role.getTokenBoundCidrs().containsAll(List.of(TOKEN_BOUND_CIDR_1, TOKEN_BOUND_CIDR_2, TOKEN_BOUND_CIDR_3)));
+        assertEquals(TOKEN_NO_DEFAULT_POLICY, role.getTokenNoDefaultPolicy());
+        assertEquals(TOKEN_NUM_USES, role.getTokenNumUses());
+        assertEquals(TOKEN_PERIOD, role.getTokenPeriod());
+        assertEquals(TOKEN_TYPE.value(), role.getTokenType());
+
+        // Verify that all parameters are included in JSON string.
+        assertEquals(JSON_FULL, objectMapper.writeValueAsString(role));
+    }
+}
--- a/src/test/java/de/stklcode/jvault/connector/model/TokenTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/TokenTest.java
@ -0,0 +1,181 @@
+/*
+ * Copyright 2016-2023 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+
+import java.util.*;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * JUnit Test for {@link Token} and {@link Token.Builder}.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.4.0
+ */
+class TokenTest extends AbstractModelTest<Token> {
+    private static final String ID = "test-id";
+    private static final String DISPLAY_NAME = "display-name";
+    private static final Boolean NO_PARENT = false;
+    private static final Boolean NO_DEFAULT_POLICY = false;
+    private static final Integer TTL = 123;
+    private static final Integer EXPLICIT_MAX_TTL = 456;
+    private static final Integer NUM_USES = 4;
+    private static final List<String> POLICIES = new ArrayList<>();
+    private static final String POLICY = "policy";
+    private static final String POLICY_2 = "policy2";
+    private static final String POLICY_3 = "policy3";
+    private static final Map<String, String> META = new HashMap<>();
+    private static final String META_KEY = "key";
+    private static final String META_VALUE = "value";
+    private static final String META_KEY_2 = "key2";
+    private static final String META_VALUE_2 = "value2";
+    private static final Boolean RENEWABLE = true;
+    private static final Integer PERIOD = 3600;
+    private static final String ENTITY_ALIAS = "alias-value";
+    private static final String JSON_FULL = "{\"id\":\"test-id\",\"type\":\"service\",\"display_name\":\"display-name\",\"no_parent\":false,\"no_default_policy\":false,\"ttl\":123,\"explicit_max_ttl\":456,\"num_uses\":4,\"policies\":[\"policy\"],\"meta\":{\"key\":\"value\"},\"renewable\":true,\"period\":3600,\"entity_alias\":\"alias-value\"}";
+
+    TokenTest() {
+        super(Token.class);
+    }
+
+    @Override
+    protected Token createFull() {
+        return Token.builder()
+                .withId(ID)
+                .withType(Token.Type.SERVICE)
+                .withDisplayName(DISPLAY_NAME)
+                .withNoParent(NO_PARENT)
+                .withNoDefaultPolicy(NO_DEFAULT_POLICY)
+                .withTtl(TTL)
+                .withExplicitMaxTtl(EXPLICIT_MAX_TTL)
+                .withNumUses(NUM_USES)
+                .withPolicies(POLICIES)
+                .withMeta(META)
+                .withRenewable(RENEWABLE)
+                .withPeriod(PERIOD)
+                .withEntityAlias(ENTITY_ALIAS)
+                .build();
+    }
+
+    @BeforeAll
+    static void init() {
+        POLICIES.add(POLICY);
+        META.put(META_KEY, META_VALUE);
+    }
+
+    /**
+     * Build token without any parameters.
+     */
+    @Test
+    void buildDefaultTest() throws JsonProcessingException {
+        Token token = Token.builder().build();
+        assertNull(token.getId());
+        assertNull(token.getType());
+        assertNull(token.getDisplayName());
+        assertNull(token.getNoParent());
+        assertNull(token.getNoDefaultPolicy());
+        assertNull(token.getTtl());
+        assertNull(token.getExplicitMaxTtl());
+        assertNull(token.getNumUses());
+        assertNull(token.getPolicies());
+        assertNull(token.getMeta());
+        assertNull(token.isRenewable());
+        assertNull(token.getPeriod());
+        assertNull(token.getEntityAlias());
+
+        // Optional fields should be ignored, so JSON string should be empty.
+        assertEquals("{}", objectMapper.writeValueAsString(token));
+
+        // Empty builder should be equal to no-arg construction.
+        assertEquals(token, new Token());
+    }
+
+    /**
+     * Build token without all parameters set.
+     */
+    @Test
+    void buildFullTest() throws JsonProcessingException {
+        Token token = createFull();
+        assertEquals(ID, token.getId());
+        assertEquals(Token.Type.SERVICE.value(), token.getType());
+        assertEquals(DISPLAY_NAME, token.getDisplayName());
+        assertEquals(NO_PARENT, token.getNoParent());
+        assertEquals(NO_DEFAULT_POLICY, token.getNoDefaultPolicy());
+        assertEquals(TTL, token.getTtl());
+        assertEquals(EXPLICIT_MAX_TTL, token.getExplicitMaxTtl());
+        assertEquals(NUM_USES, token.getNumUses());
+        assertEquals(POLICIES, token.getPolicies());
+        assertEquals(META, token.getMeta());
+        assertEquals(RENEWABLE, token.isRenewable());
+        assertEquals(PERIOD, token.getPeriod());
+
+        // Verify that all parameters are included in JSON string.
+        assertEquals(JSON_FULL, objectMapper.writeValueAsString(token));
+    }
+
+    /**
+     * Test convenience methods
+     */
+    @Test
+    void convenienceMethodsTest() {
+        // Parent.
+        Token token = Token.builder().asOrphan().build();
+        assertEquals(true, token.getNoParent());
+        token = Token.builder().withParent().build();
+        assertEquals(false, token.getNoParent());
+
+        // Default policy.
+        token = Token.builder().withDefaultPolicy().build();
+        assertEquals(false, token.getNoDefaultPolicy());
+        token = Token.builder().withoutDefaultPolicy().build();
+        assertEquals(true, token.getNoDefaultPolicy());
+
+        // Renewability.
+        token = Token.builder().renewable().build();
+        assertEquals(true, token.isRenewable());
+        token = Token.builder().notRenewable().build();
+        assertEquals(false, token.isRenewable());
+
+        // Add single policy.
+        token = Token.builder().withPolicy(POLICY_2).build();
+        assertEquals(1, token.getPolicies().size());
+        assertEquals(List.of(POLICY_2), token.getPolicies());
+        token = Token.builder()
+                .withPolicies(POLICY, POLICY_2)
+                .withPolicy(POLICY_3)
+                .build();
+        assertEquals(3, token.getPolicies().size());
+        assertTrue(token.getPolicies().containsAll(List.of(POLICY, POLICY_2, POLICY_3)));
+
+        // Add single metadata.
+        token = Token.builder().withMeta(META_KEY_2, META_VALUE_2).build();
+        assertEquals(1, token.getMeta().size());
+        assertEquals(Set.of(META_KEY_2), token.getMeta().keySet());
+        assertEquals(META_VALUE_2, token.getMeta().get(META_KEY_2));
+        token = Token.builder()
+                .withMeta(META)
+                .withMeta(META_KEY_2, META_VALUE_2)
+                .build();
+        assertEquals(2, token.getMeta().size());
+        assertEquals(META_VALUE, token.getMeta().get(META_KEY));
+        assertEquals(META_VALUE_2, token.getMeta().get(META_KEY_2));
+    }
+}
--- a/src/test/java/de/stklcode/jvault/connector/model/response/AppRoleResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/AppRoleResponseTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,18 +16,14 @@

 package de.stklcode.jvault.connector.model.response;

-import com.fasterxml.jackson.databind.ObjectMapper;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import de.stklcode.jvault.connector.model.AbstractModelTest;
 import de.stklcode.jvault.connector.model.AppRole;
 import org.junit.jupiter.api.Test;

-import java.io.IOException;
-import java.util.HashMap;
-import java.util.Map;
+import java.util.List;

-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.*;
-import static org.junit.jupiter.api.Assertions.fail;
+import static org.junit.jupiter.api.Assertions.*;

 /**
 * JUnit Test for {@link AppRoleResponse} model.
@ -35,7 +31,7 @@ import static org.junit.jupiter.api.Assertions.fail;
 * @author Stefan Kalscheuer
 * @since 0.6.2
 */
-public class AppRoleResponseTest {
+class AppRoleResponseTest extends AbstractModelTest<AppRoleResponse> {
    private static final Integer ROLE_TOKEN_TTL = 1200;
    private static final Integer ROLE_TOKEN_MAX_TTL = 1800;
    private static final Integer ROLE_SECRET_TTL = 600;
@ -53,10 +49,10 @@ public class AppRoleResponseTest {
            "    \"token_max_ttl\": " + ROLE_TOKEN_MAX_TTL + ",\n" +
            "    \"secret_id_ttl\": " + ROLE_SECRET_TTL + ",\n" +
            "    \"secret_id_num_uses\": " + ROLE_SECRET_NUM_USES + ",\n" +
-            "    \"policies\": [\n" +
+            "    \"token_policies\": [\n" +
            "      \"" + ROLE_POLICY + "\"\n" +
            "    ],\n" +
-            "    \"period\": " + ROLE_PERIOD + ",\n" +
+            "    \"token_period\": " + ROLE_PERIOD + ",\n" +
            "    \"bind_secret_id\": " + ROLE_BIND_SECRET + ",\n" +
            "    \"bound_cidr_list\": \"\"\n" +
            "  },\n" +
@ -65,53 +61,51 @@ public class AppRoleResponseTest {
            "  \"lease_id\": \"\"\n" +
            "}";

-    private static final Map<String, Object> INVALID_DATA = new HashMap<>();
+    AppRoleResponseTest() {
+        super(AppRoleResponse.class);
+    }

-    static {
-        INVALID_DATA.put("policies", "fancy-policy");
+    @Override
+    protected AppRoleResponse createFull() {
+        try {
+            return objectMapper.readValue(RES_JSON, AppRoleResponse.class);
+        } catch (JsonProcessingException e) {
+            fail("Creation of full model instance failed", e);
+            return null;
+        }
    }

    /**
     * Test getter, setter and get-methods for response data.
     */
    @Test
-    public void getDataRoundtrip() {
+    void getDataRoundtrip() {
        // Create empty Object.
        AppRoleResponse res = new AppRoleResponse();
-        assertThat("Initial data should be empty", res.getRole(), is(nullValue()));
-
-        // Parsing invalid auth data map should fail.
-        try {
-            res.setData(INVALID_DATA);
-            fail("Parsing invalid data succeeded");
-        } catch (Exception e) {
-            assertThat(e, is(instanceOf(InvalidResponseException.class)));
-        }
+        assertNull(res.getRole(), "Initial data should be empty");
    }

    /**
     * Test creation from JSON value as returned by Vault (JSON example copied from Vault documentation).
     */
    @Test
-    public void jsonRoundtrip() {
-        try {
-            AppRoleResponse res = new ObjectMapper().readValue(RES_JSON, AppRoleResponse.class);
-            assertThat("Parsed response is NULL", res, is(notNullValue()));
-            // Extract role data.
-            AppRole role = res.getRole();
-            assertThat("Role data is NULL", role, is(notNullValue()));
-            assertThat("Incorrect token TTL", role.getTokenTtl(), is(ROLE_TOKEN_TTL));
-            assertThat("Incorrect token max TTL", role.getTokenMaxTtl(), is(ROLE_TOKEN_MAX_TTL));
-            assertThat("Incorrect secret ID TTL", role.getSecretIdTtl(), is(ROLE_SECRET_TTL));
-            assertThat("Incorrect secret ID umber of uses", role.getSecretIdNumUses(), is(ROLE_SECRET_NUM_USES));
-            assertThat("Incorrect number of policies", role.getPolicies(), hasSize(1));
-            assertThat("Incorrect role policies", role.getPolicies(), contains(ROLE_POLICY));
-            assertThat("Incorrect role period", role.getPeriod(), is(ROLE_PERIOD));
-            assertThat("Incorrect role bind secret ID flag", role.getBindSecretId(), is(ROLE_BIND_SECRET));
-            assertThat("Incorrect biund CIDR list", role.getBoundCidrList(), is(nullValue()));
-            assertThat("Incorrect biund CIDR list string", role.getBoundCidrListString(), is(emptyString()));
-        } catch (IOException e) {
-            fail("AuthResponse deserialization failed: " + e.getMessage());
-        }
+    void jsonRoundtrip() {
+        AppRoleResponse res = assertDoesNotThrow(
+                () -> objectMapper.readValue(RES_JSON, AppRoleResponse.class),
+                "AuthResponse deserialization failed"
+        );
+        assertNotNull(res, "Parsed response is NULL");
+        // Extract role data.
+        AppRole role = res.getRole();
+        assertNotNull(role, "Role data is NULL");
+        assertEquals(ROLE_TOKEN_TTL, role.getTokenTtl(), "Incorrect token TTL");
+        assertEquals(ROLE_TOKEN_MAX_TTL, role.getTokenMaxTtl(), "Incorrect token max TTL");
+        assertEquals(ROLE_SECRET_TTL, role.getSecretIdTtl(), "Incorrect secret ID TTL");
+        assertEquals(ROLE_SECRET_NUM_USES, role.getSecretIdNumUses(), "Incorrect secret ID umber of uses");
+        assertEquals(List.of(ROLE_POLICY), role.getTokenPolicies(), "Incorrect policies");
+        assertEquals(ROLE_PERIOD, role.getTokenPeriod(), "Incorrect role period");
+        assertEquals(ROLE_BIND_SECRET, role.getBindSecretId(), "Incorrect role bind secret ID flag");
+        assertNull(role.getTokenBoundCidrs(), "Incorrect bound CIDR list");
+        assertEquals("", role.getTokenBoundCidrsString(), "Incorrect bound CIDR list string");
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/response/AuthMethodsResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/AuthMethodsResponseTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,19 +16,17 @@

 package de.stklcode.jvault.connector.model.response;

-import com.fasterxml.jackson.databind.ObjectMapper;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import de.stklcode.jvault.connector.model.AbstractModelTest;
 import de.stklcode.jvault.connector.model.AuthBackend;
 import de.stklcode.jvault.connector.model.response.embedded.AuthMethod;
 import org.junit.jupiter.api.Test;

-import java.io.IOException;
-import java.util.HashMap;
+import java.util.Collections;
 import java.util.Map;
+import java.util.Set;

-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.*;
-import static org.junit.jupiter.api.Assertions.fail;
+import static org.junit.jupiter.api.Assertions.*;

 /**
 * JUnit Test for {@link AuthMethodsResponse} model.
@ -36,93 +34,128 @@ import static org.junit.jupiter.api.Assertions.fail;
 * @author Stefan Kalscheuer
 * @since 0.6.2
 */
-public class AuthMethodsResponseTest {
+class AuthMethodsResponseTest extends AbstractModelTest<AuthMethodsResponse> {
    private static final String GH_PATH = "github/";
    private static final String GH_TYPE = "github";
+    private static final String GH_UUID = "4b42d1a4-0a0d-3c88-ae90-997e0c8b41be";
+    private static final String GH_ACCESSOR = "auth_github_badd7fd0";
    private static final String GH_DESCR = "GitHub auth";
    private static final String TK_PATH = "token/";
    private static final String TK_TYPE = "token";
+    private static final String TK_UUID = "32ea9681-6bd6-6cec-eec3-d11260ba9741";
+    private static final String TK_ACCESSOR = "auth_token_ac0dd95a";
    private static final String TK_DESCR = "token based credentials";
    private static final Integer TK_LEASE_TTL = 0;
+    private static final Boolean TK_FORCE_NO_CACHE = false;
    private static final Integer TK_MAX_LEASE_TTL = 0;
+    private static final String TK_TOKEN_TYPE = "default-service";
+    private static final String TK_RUNNING_PLUGIN_VERSION = "v1.15.3+builtin.vault";

    private static final String RES_JSON = "{\n" +
            "  \"data\": {" +
            "    \"" + GH_PATH + "\": {\n" +
+            "      \"uuid\": \"" + GH_UUID + "\",\n" +
            "      \"type\": \"" + GH_TYPE + "\",\n" +
-            "      \"description\": \"" + GH_DESCR + "\"\n" +
+            "      \"accessor\": \"" + GH_ACCESSOR + "\",\n" +
+            "      \"description\": \"" + GH_DESCR + "\",\n" +
+            "      \"external_entropy_access\": false,\n" +
+            "      \"local\": false,\n" +
+            "      \"seal_wrap\": false\n" +
            "    },\n" +
            "    \"" + TK_PATH + "\": {\n" +
            "      \"config\": {\n" +
            "        \"default_lease_ttl\": " + TK_LEASE_TTL + ",\n" +
-            "        \"max_lease_ttl\": " + TK_MAX_LEASE_TTL + "\n" +
+            "        \"force_no_cache\": " + TK_FORCE_NO_CACHE + ",\n" +
+            "        \"max_lease_ttl\": " + TK_MAX_LEASE_TTL + ",\n" +
+            "        \"token_type\": \"" + TK_TOKEN_TYPE + "\"\n" +
            "      },\n" +
            "      \"description\": \"" + TK_DESCR + "\",\n" +
-            "      \"type\": \"" + TK_TYPE + "\"\n" +
+            "      \"options\": null,\n" +
+            "      \"plugin_version\": \"\",\n" +
+            "      \"running_plugin_version\": \"" + TK_RUNNING_PLUGIN_VERSION + "\",\n" +
+            "      \"running_sha256\": \"\",\n" +
+            "      \"type\": \"" + TK_TYPE + "\",\n" +
+            "      \"uuid\": \"" + TK_UUID + "\",\n" +
+            "      \"accessor\": \"" + TK_ACCESSOR + "\",\n" +
+            "      \"external_entropy_access\": false,\n" +
+            "      \"local\": true,\n" +
+            "      \"seal_wrap\": false\n" +
            "    }\n" +
            "  }\n" +
            "}";

-    private static final Map<String, Object> INVALID_DATA = new HashMap<>();
+    AuthMethodsResponseTest() {
+        super(AuthMethodsResponse.class);
+    }

-    static {
-        INVALID_DATA.put("dummy/", new Dummy());
+    @Override
+    protected AuthMethodsResponse createFull() {
+        try {
+            return objectMapper.readValue(RES_JSON, AuthMethodsResponse.class);
+        } catch (JsonProcessingException e) {
+            fail("Creation of full model instance failed", e);
+            return null;
+        }
    }

    /**
     * Test getter, setter and get-methods for response data.
     */
    @Test
-    public void getDataRoundtrip() {
+    void getDataRoundtrip() {
        // Create empty Object.
        AuthMethodsResponse res = new AuthMethodsResponse();
-        assertThat("Initial method map should be empty", res.getSupportedMethods(), is(anEmptyMap()));
-
-        // Parsing invalid data map should fail.
-        try {
-            res.setData(INVALID_DATA);
-            fail("Parsing invalid data succeeded");
-        } catch (Exception e) {
-            assertThat(e, is(instanceOf(InvalidResponseException.class)));
-        }
+        assertEquals(Collections.emptyMap(), res.getSupportedMethods(), "Initial method map should be empty");
    }

    /**
     * Test creation from JSON value as returned by Vault (JSON example copied from Vault documentation).
     */
    @Test
-    public void jsonRoundtrip() {
-        try {
-            AuthMethodsResponse res = new ObjectMapper().readValue(RES_JSON, AuthMethodsResponse.class);
-            assertThat("Parsed response is NULL", res, is(notNullValue()));
-            // Extract auth data.
-            Map<String, AuthMethod> supported = res.getSupportedMethods();
-            assertThat("Auth data is NULL", supported, is(notNullValue()));
-            assertThat("Incorrect number of supported methods", supported.entrySet(), hasSize(2));
-            assertThat("Incorrect method paths", supported.keySet(), containsInAnyOrder(GH_PATH, TK_PATH));
+    void jsonRoundtrip() {
+        AuthMethodsResponse res = assertDoesNotThrow(
+                () -> objectMapper.readValue(RES_JSON, AuthMethodsResponse.class),
+                "AuthResponse deserialization failed"
+        );
+        assertNotNull(res, "Parsed response is NULL");
+        // Extract auth data.
+        Map<String, AuthMethod> supported = res.getSupportedMethods();
+        assertNotNull(supported, "Auth data is NULL");
+        assertEquals(2, supported.size(), "Incorrect number of supported methods");
+        assertTrue(supported.keySet().containsAll(Set.of(GH_PATH, TK_PATH)), "Incorrect method paths");

-            // Verify first method.
-            AuthMethod method = supported.get(GH_PATH);
-            assertThat("Incorrect raw type for GitHub", method.getRawType(), is(GH_TYPE));
-            assertThat("Incorrect parsed type for GitHub", method.getType(), is(AuthBackend.GITHUB));
-            assertThat("Incorrect description for GitHub", method.getDescription(), is(GH_DESCR));
-            assertThat("Unexpected config for GitHub", method.getConfig(), is(nullValue()));
+        // Verify first method.
+        AuthMethod method = supported.get(GH_PATH);
+        assertEquals(GH_TYPE, method.getRawType(), "Incorrect raw type for GitHub");
+        assertEquals(AuthBackend.GITHUB, method.getType(), "Incorrect parsed type for GitHub");
+        assertEquals(GH_DESCR, method.getDescription(), "Incorrect description for GitHub");
+        assertNull(method.getConfig(), "Unexpected config for GitHub");
+        assertEquals(GH_UUID, method.getUuid(), "Unexpected UUID for GitHub");
+        assertEquals(GH_ACCESSOR, method.getAccessor(), "Unexpected accessor for GitHub");
+        assertFalse(method.isLocal(), "Unexpected local flag for GitHub");
+        assertFalse(method.isExternalEntropyAccess(), "Unexpected external entropy flag for GitHub");
+        assertFalse(method.isSealWrap(), "Unexpected seal wrap flag for GitHub");

-            // Verify first method.
-            method = supported.get(TK_PATH);
-            assertThat("Incorrect raw type for Token", method.getRawType(), is(TK_TYPE));
-            assertThat("Incorrect parsed type for Token", method.getType(), is(AuthBackend.TOKEN));
-            assertThat("Incorrect description for Token", method.getDescription(), is(TK_DESCR));
-            assertThat("Missing config for Token", method.getConfig(), is(notNullValue()));
-            assertThat("Unexpected config size for Token", method.getConfig().keySet(), hasSize(2));
-            assertThat("Incorrect lease TTL config", method.getConfig().get("default_lease_ttl"), is(TK_LEASE_TTL.toString()));
-            assertThat("Incorrect max lease TTL config", method.getConfig().get("max_lease_ttl"), is(TK_MAX_LEASE_TTL.toString()));
-        } catch (IOException e) {
-            fail("AuthResponse deserialization failed: " + e.getMessage());
-        }
-    }
+        // Verify second method.
+        method = supported.get(TK_PATH);
+        assertEquals(TK_TYPE, method.getRawType(), "Incorrect raw type for Token");
+        assertEquals(AuthBackend.TOKEN, method.getType(), "Incorrect parsed type for Token");
+        assertEquals(TK_DESCR, method.getDescription(), "Incorrect description for Token");
+        assertEquals(TK_UUID, method.getUuid(), "Unexpected UUID for Token");
+        assertEquals(TK_ACCESSOR, method.getAccessor(), "Unexpected accessor for Token");
+        assertTrue(method.isLocal(), "Unexpected local flag for Token");
+        assertFalse(method.isExternalEntropyAccess(), "Unexpected external entropy flag for Token");
+        assertFalse(method.isSealWrap(), "Unexpected seal wrap flag for GitHub");
+        assertEquals("", method.getPluginVersion(), "Unexpected plugin version");
+        assertEquals(TK_RUNNING_PLUGIN_VERSION, method.getRunningPluginVersion(), "Unexpected running plugin version");
+        assertEquals("", method.getRunningSha256(), "Unexpected running SHA256");

-    private static class Dummy {
+        assertNotNull(method.getConfig(), "Missing config for Token");
+        assertEquals(TK_LEASE_TTL, method.getConfig().getDefaultLeaseTtl(), "Unexpected default TTL");
+        assertEquals(TK_MAX_LEASE_TTL, method.getConfig().getMaxLeaseTtl(), "Unexpected max TTL");
+        assertEquals(TK_FORCE_NO_CACHE, method.getConfig().getForceNoCache(), "Unexpected force no cache flag");
+        assertEquals(TK_TOKEN_TYPE, method.getConfig().getTokenType(), "Unexpected token type");

+        assertNull(method.getOptions(), "Unexpected options");
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/response/AuthResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/AuthResponseTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,18 +16,19 @@

 package de.stklcode.jvault.connector.model.response;

-import com.fasterxml.jackson.databind.ObjectMapper;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import de.stklcode.jvault.connector.model.AbstractModelTest;
 import de.stklcode.jvault.connector.model.response.embedded.AuthData;
+import de.stklcode.jvault.connector.model.response.embedded.MfaConstraintAny;
+import de.stklcode.jvault.connector.model.response.embedded.MfaMethodId;
+import de.stklcode.jvault.connector.model.response.embedded.MfaRequirement;
+import nl.jqno.equalsverifier.EqualsVerifier;
 import org.junit.jupiter.api.Test;

-import java.io.IOException;
-import java.util.HashMap;
 import java.util.Map;
+import java.util.Set;

-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.*;
-import static org.junit.jupiter.api.Assertions.fail;
+import static org.junit.jupiter.api.Assertions.*;

 /**
 * JUnit Test for {@link AuthResponse} model.
@ -35,7 +36,7 @@ import static org.junit.jupiter.api.Assertions.fail;
 * @author Stefan Kalscheuer
 * @since 0.6.2
 */
-public class AuthResponseTest {
+class AuthResponseTest extends AbstractModelTest<AuthResponse> {
    private static final String AUTH_ACCESSOR = "2c84f488-2133-4ced-87b0-570f93a76830";
    private static final String AUTH_CLIENT_TOKEN = "ABCD";
    private static final String AUTH_POLICY_1 = "web";
@ -44,70 +45,108 @@ public class AuthResponseTest {
    private static final String AUTH_META_VALUE = "armon";
    private static final Integer AUTH_LEASE_DURATION = 3600;
    private static final Boolean AUTH_RENEWABLE = true;
+    private static final String AUTH_ENTITY_ID = "";
+    private static final String AUTH_TOKEN_TYPE = "service";
+    private static final Boolean AUTH_ORPHAN = false;
+    private static final String MFA_REQUEST_ID = "d0c9eec7-6921-8cc0-be62-202b289ef163";
+    private static final String MFA_KEY = "enforcementConfigUserpass";
+    private static final String MFA_METHOD_TYPE = "totp";
+    private static final String MFA_METHOD_ID = "820997b3-110e-c251-7e8b-ff4aa428a6e1";
+    private static final Boolean MFA_METHOD_USES_PASSCODE = true;
+    private static final String MFA_METHOD_NAME = "sample_mfa_method_name";

    private static final String RES_JSON = "{\n" +
-            "  \"auth\": {\n" +
-            "    \"accessor\": \"" + AUTH_ACCESSOR + "\",\n" +
-            "    \"client_token\": \"" + AUTH_CLIENT_TOKEN + "\",\n" +
-            "    \"policies\": [\n" +
-            "      \"" + AUTH_POLICY_1 + "\", \n" +
-            "      \"" + AUTH_POLICY_2 + "\"\n" +
-            "    ],\n" +
-            "    \"metadata\": {\n" +
-            "      \"" + AUTH_META_KEY + "\": \"" + AUTH_META_VALUE + "\"\n" +
-            "    },\n" +
-            "    \"lease_duration\": " + AUTH_LEASE_DURATION + ",\n" +
-            "    \"renewable\": " + AUTH_RENEWABLE + "\n" +
-            "  }\n" +
-            "}";
+        "  \"auth\": {\n" +
+        "    \"accessor\": \"" + AUTH_ACCESSOR + "\",\n" +
+        "    \"client_token\": \"" + AUTH_CLIENT_TOKEN + "\",\n" +
+        "    \"policies\": [\n" +
+        "      \"" + AUTH_POLICY_1 + "\", \n" +
+        "      \"" + AUTH_POLICY_2 + "\"\n" +
+        "    ],\n" +
+        "    \"token_policies\": [\n" +
+        "      \"" + AUTH_POLICY_2 + "\",\n" +
+        "      \"" + AUTH_POLICY_1 + "\" \n" +
+        "    ],\n" +
+        "    \"metadata\": {\n" +
+        "      \"" + AUTH_META_KEY + "\": \"" + AUTH_META_VALUE + "\"\n" +
+        "    },\n" +
+        "    \"lease_duration\": " + AUTH_LEASE_DURATION + ",\n" +
+        "    \"renewable\": " + AUTH_RENEWABLE + ",\n" +
+        "    \"entity_id\": \"" + AUTH_ENTITY_ID + "\",\n" +
+        "    \"token_type\": \"" + AUTH_TOKEN_TYPE + "\",\n" +
+        "    \"orphan\": " + AUTH_ORPHAN + ",\n" +
+        "    \"mfa_requirement\": {\n" +
+        "      \"mfa_request_id\": \"" + MFA_REQUEST_ID + "\",\n" +
+        "      \"mfa_constraints\": {\n" +
+        "        \"" + MFA_KEY + "\": {\n" +
+        "          \"any\": [\n" +
+        "            {\n" +
+        "              \"type\": \"" + MFA_METHOD_TYPE + "\",\n" +
+        "              \"id\": \"" + MFA_METHOD_ID + "\",\n" +
+        "              \"uses_passcode\": " + MFA_METHOD_USES_PASSCODE + ",\n" +
+        "              \"name\": \"" + MFA_METHOD_NAME + "\"\n" +
+        "            }\n" +
+        "          ]\n" +
+        "        }\n" +
+        "      }\n" +
+        "    }\n" +
+        "  }\n" +
+        "}";

-    private static final Map<String, Object> INVALID_AUTH_DATA = new HashMap<>();
-
-    static {
-        INVALID_AUTH_DATA.put("policies", "fancy-policy");
+    AuthResponseTest() {
+        super(AuthResponse.class);
    }

-    /**
-     * Test getter, setter and get-methods for response data.
-     */
-    @Test
-    public void getDataRoundtrip() {
-        // Create empty Object.
-        AuthResponse res = new AuthResponse();
-        assertThat("Initial data should be empty", res.getData(), is(nullValue()));
-
-        // Parsing invalid auth data map should fail.
+    @Override
+    protected AuthResponse createFull() {
        try {
-            res.setAuth(INVALID_AUTH_DATA);
-            fail("Parsing invalid auth data succeeded");
-        } catch (Exception e) {
-            assertThat(e, is(instanceOf(InvalidResponseException.class)));
+            return objectMapper.readValue(RES_JSON, AuthResponse.class);
+        } catch (JsonProcessingException e) {
+            fail("Creation of full model instance failed", e);
+            return null;
        }
+    }

-        // Data method should be agnostic.
-        res.setData(INVALID_AUTH_DATA);
-        assertThat("Data not passed through", res.getData(), is(INVALID_AUTH_DATA));
+    @Test
+    void testEqualsHashcodeMfa() {
+        EqualsVerifier.simple().forClass(MfaRequirement.class).verify();
+        EqualsVerifier.simple().forClass(MfaConstraintAny.class).verify();
+        EqualsVerifier.simple().forClass(MfaMethodId.class).verify();
    }

    /**
     * Test creation from JSON value as returned by Vault (JSON example copied from Vault documentation).
     */
    @Test
-    public void jsonRoundtrip() {
-        try {
-            AuthResponse res = new ObjectMapper().readValue(RES_JSON, AuthResponse.class);
-            assertThat("Parsed response is NULL", res, is(notNullValue()));
-            // Extract auth data.
-            AuthData data = res.getAuth();
-            assertThat("Auth data is NULL", data, is(notNullValue()));
-            assertThat("Incorrect auth accessor", data.getAccessor(), is(AUTH_ACCESSOR));
-            assertThat("Incorrect auth client token", data.getClientToken(), is(AUTH_CLIENT_TOKEN));
-            assertThat("Incorrect auth lease duration", data.getLeaseDuration(), is(AUTH_LEASE_DURATION));
-            assertThat("Incorrect auth renewable flag", data.isRenewable(), is(AUTH_RENEWABLE));
-            assertThat("Incorrect number of policies", data.getPolicies(), hasSize(2));
-            assertThat("Incorrect auth policies", data.getPolicies(), containsInAnyOrder(AUTH_POLICY_1, AUTH_POLICY_2));
-        } catch (IOException e) {
-            fail("AuthResponse deserialization failed: " + e.getMessage());
-        }
+    void jsonRoundtrip() {
+        AuthResponse res = assertDoesNotThrow(
+                () -> objectMapper.readValue(RES_JSON, AuthResponse.class),
+                "AuthResponse deserialization failed"
+        );
+        assertNotNull(res, "Parsed response is NULL");
+        // Extract auth data.
+        AuthData data = res.getAuth();
+        assertNotNull(data, "Auth data is NULL");
+        assertEquals(AUTH_ACCESSOR, data.getAccessor(), "Incorrect auth accessor");
+        assertEquals(AUTH_CLIENT_TOKEN, data.getClientToken(), "Incorrect auth client token");
+        assertEquals(AUTH_LEASE_DURATION, data.getLeaseDuration(), "Incorrect auth lease duration");
+        assertEquals(AUTH_RENEWABLE, data.isRenewable(), "Incorrect auth renewable flag");
+        assertEquals(AUTH_ORPHAN, data.isOrphan(), "Incorrect auth orphan flag");
+        assertEquals(AUTH_TOKEN_TYPE, data.getTokenType(), "Incorrect auth token type");
+        assertEquals(AUTH_ENTITY_ID, data.getEntityId(), "Incorrect auth entity id");
+        assertEquals(2, data.getPolicies().size(), "Incorrect number of policies");
+        assertTrue(data.getPolicies().containsAll(Set.of(AUTH_POLICY_1, AUTH_POLICY_2)));
+        assertEquals(2, data.getTokenPolicies().size(), "Incorrect number of token policies");
+        assertTrue(data.getTokenPolicies().containsAll(Set.of(AUTH_POLICY_2, AUTH_POLICY_1)), "Incorrect token policies");
+        assertEquals(Map.of(AUTH_META_KEY, AUTH_META_VALUE), data.getMetadata(), "Incorrect auth metadata");
+
+        assertEquals(MFA_REQUEST_ID, data.getMfaRequirement().getMfaRequestId(), "Incorrect MFA request ID");
+        assertEquals(Set.of(MFA_KEY), data.getMfaRequirement().getMfaConstraints().keySet(), "Incorrect MFA constraint keys");
+        var mfaConstraint = data.getMfaRequirement().getMfaConstraints().get(MFA_KEY);
+        assertEquals(1, mfaConstraint.getAny().size(), "Incorrect number of any constraints");
+        assertEquals(MFA_METHOD_TYPE, mfaConstraint.getAny().get(0).getType(), "Incorrect MFA method type");
+        assertEquals(MFA_METHOD_ID, mfaConstraint.getAny().get(0).getId(), "Incorrect MFA method type");
+        assertEquals(MFA_METHOD_USES_PASSCODE, mfaConstraint.getAny().get(0).getUsesPasscode(), "Incorrect MFA method uses passcode");
+        assertEquals(MFA_METHOD_NAME, mfaConstraint.getAny().get(0).getName(), "Incorrect MFA method uses passcode");
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/response/CredentialsResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/CredentialsResponseTest.java
@ -0,0 +1,80 @@
+/*
+ * Copyright 2016-2023 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import de.stklcode.jvault.connector.model.AbstractModelTest;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * JUnit Test for {@link CredentialsResponse} model.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.8
+ */
+class CredentialsResponseTest extends AbstractModelTest<CredentialsResponse> {
+    private static final String VAL_USER = "testUserName";
+    private static final String VAL_PASS = "5up3r5ecr3tP455";
+    private static final String JSON = "{\n" +
+            "    \"request_id\": \"68315073-6658-e3ff-2da7-67939fb91bbd\",\n" +
+            "    \"lease_id\": \"\",\n" +
+            "    \"lease_duration\": 2764800,\n" +
+            "    \"renewable\": false,\n" +
+            "    \"data\": {\n" +
+            "        \"username\": \"" + VAL_USER + "\",\n" +
+            "        \"password\": \"" + VAL_PASS + "\"\n" +
+            "    },\n" +
+            "    \"warnings\": null\n" +
+            "}";
+
+    CredentialsResponseTest() {
+        super(CredentialsResponse.class);
+    }
+
+    @Override
+    protected CredentialsResponse createFull() {
+        try {
+            return objectMapper.readValue(JSON, CredentialsResponse.class);
+        } catch (JsonProcessingException e) {
+            fail("Creation of full model instance failed", e);
+            return null;
+        }
+    }
+
+    /**
+     * Test getter, setter and get-methods for response data.
+     *
+     * @throws InvalidResponseException Should not occur
+     */
+    @Test
+    void getCredentialsTest() throws InvalidResponseException {
+        // Create empty Object.
+        CredentialsResponse res = new CredentialsResponse();
+        assertNull(res.getUsername(), "Username not present in data map should not return anything");
+        assertNull(res.getPassword(), "Password not present in data map should not return anything");
+
+        res = assertDoesNotThrow(
+                () -> objectMapper.readValue(JSON, CredentialsResponse.class),
+                "Deserialization of CredentialsResponse failed"
+        );
+        assertEquals(VAL_USER, res.getUsername(), "Incorrect username");
+        assertEquals(VAL_PASS, res.getPassword(), "Incorrect password");
+    }
+}
--- a/src/test/java/de/stklcode/jvault/connector/model/response/ErrorResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/ErrorResponseTest.java
@ -0,0 +1,88 @@
+/*
+ * Copyright 2016-2021 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import de.stklcode.jvault.connector.model.AbstractModelTest;
+import org.junit.jupiter.api.Test;
+
+import java.util.List;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * JUnit Test for {@link ErrorResponse} model.
+ *
+ * @author Stefan Kalscheuer
+ */
+class ErrorResponseTest extends AbstractModelTest<ErrorResponse> {
+    private static final String ERROR_1 = "Error #1";
+    private static final String ERROR_2 = "Error #2";
+
+    private static final String JSON = "{\"errors\":[\"" + ERROR_1 + "\",\"" + ERROR_2 + "\"]}";
+    private static final String JSON_EMPTY = "{\"errors\":[]}";
+
+    ErrorResponseTest() {
+        super(ErrorResponse.class);
+    }
+
+    @Override
+    protected ErrorResponse createFull() {
+        try {
+            return objectMapper.readValue(JSON, ErrorResponse.class);
+        } catch (JsonProcessingException e) {
+            fail("Creation of full model instance failed", e);
+            return null;
+        }
+    }
+
+    /**
+     * Test creation from JSON value as returned by Vault.
+     */
+    @Test
+    void jsonRoundtrip() {
+        ErrorResponse res = assertDoesNotThrow(
+                () -> objectMapper.readValue(JSON, ErrorResponse.class),
+                "ErrorResponse deserialization failed"
+        );
+        assertNotNull(res, "Parsed response is NULL");
+        assertEquals(List.of(ERROR_1, ERROR_2), res.getErrors(), "Unexpected error messages");
+        assertEquals(
+                JSON,
+                assertDoesNotThrow(() -> objectMapper.writeValueAsString(res), "ErrorResponse serialization failed"),
+                "Unexpected JSON string after serialization"
+        );
+    }
+
+
+    @Test
+    void testToString() {
+        ErrorResponse res = assertDoesNotThrow(
+                () -> objectMapper.readValue(JSON, ErrorResponse.class),
+                "ErrorResponse deserialization failed"
+        );
+        assertEquals(ERROR_1, res.toString());
+
+        res = assertDoesNotThrow(
+                () -> objectMapper.readValue(JSON_EMPTY, ErrorResponse.class),
+                "ErrorResponse deserialization failed with empty list"
+        );
+        assertEquals("error response", res.toString());
+
+        assertEquals("error response", new ErrorResponse().toString());
+    }
+}
--- a/src/test/java/de/stklcode/jvault/connector/model/response/HealthResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/HealthResponseTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,15 +16,11 @@

 package de.stklcode.jvault.connector.model.response;

-import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import de.stklcode.jvault.connector.model.AbstractModelTest;
 import org.junit.jupiter.api.Test;

-import java.io.IOException;
-
-import static org.hamcrest.CoreMatchers.is;
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.notNullValue;
-import static org.junit.jupiter.api.Assertions.fail;
+import static org.junit.jupiter.api.Assertions.*;

 /**
 * JUnit Test for {@link AuthResponse} model.
@ -32,14 +28,17 @@ import static org.junit.jupiter.api.Assertions.fail;
 * @author Stefan Kalscheuer
 * @since 0.7.0
 */
-public class HealthResponseTest {
+class HealthResponseTest extends AbstractModelTest<HealthResponse> {
    private static final String CLUSTER_ID = "c9abceea-4f46-4dab-a688-5ce55f89e228";
    private static final String CLUSTER_NAME = "vault-cluster-5515c810";
-    private static final String VERSION = "0.6.2";
+    private static final String VERSION = "0.9.2";
    private static final Long SERVER_TIME_UTC = 1469555798L;
    private static final Boolean STANDBY = false;
    private static final Boolean SEALED = false;
    private static final Boolean INITIALIZED = true;
+    private static final Boolean PERF_STANDBY = false;
+    private static final String REPL_PERF_MODE = "disabled";
+    private static final String REPL_DR_MODE = "disabled";

    private static final String RES_JSON = "{\n" +
            "  \"cluster_id\": \"" + CLUSTER_ID + "\",\n" +
@ -48,25 +47,45 @@ public class HealthResponseTest {
            "  \"server_time_utc\": " + SERVER_TIME_UTC + ",\n" +
            "  \"standby\": " + STANDBY + ",\n" +
            "  \"sealed\": " + SEALED + ",\n" +
-            "  \"initialized\": " + INITIALIZED + "\n" +
+            "  \"initialized\": " + INITIALIZED + ",\n" +
+            "  \"replication_performance_mode\": \"" + REPL_PERF_MODE + "\",\n" +
+            "  \"replication_dr_mode\": \"" + REPL_DR_MODE + "\",\n" +
+            "  \"performance_standby\": " + PERF_STANDBY + "\n" +
            "}";
+
+    HealthResponseTest() {
+        super(HealthResponse.class);
+    }
+
+    @Override
+    protected HealthResponse createFull() {
+        try {
+            return objectMapper.readValue(RES_JSON, HealthResponse.class);
+        } catch (JsonProcessingException e) {
+            fail("Creation of full model instance failed", e);
+            return null;
+        }
+    }
+
    /**
     * Test creation from JSON value as returned by Vault (JSON example copied from Vault documentation).
     */
    @Test
-    public void jsonRoundtrip() {
-        try {
-            HealthResponse res = new ObjectMapper().readValue(RES_JSON, HealthResponse.class);
-            assertThat("Parsed response is NULL", res, is(notNullValue()));
-            assertThat("Incorrect cluster ID", res.getClusterID(), is(CLUSTER_ID));
-            assertThat("Incorrect cluster name", res.getClusterName(), is(CLUSTER_NAME));
-            assertThat("Incorrect version", res.getVersion(), is(VERSION));
-            assertThat("Incorrect server time", res.getServerTimeUTC(), is(SERVER_TIME_UTC));
-            assertThat("Incorrect standby state", res.isStandby(), is(STANDBY));
-            assertThat("Incorrect seal state", res.isSealed(), is(SEALED));
-            assertThat("Incorrect initialization state", res.isInitialized(), is(INITIALIZED));
-        } catch (IOException e) {
-            fail("Health deserialization failed: " + e.getMessage());
-        }
+    void jsonRoundtrip() {
+        HealthResponse res = assertDoesNotThrow(
+                () -> objectMapper.readValue(RES_JSON, HealthResponse.class),
+                "Health deserialization failed"
+        );
+        assertNotNull(res, "Parsed response is NULL");
+        assertEquals(CLUSTER_ID, res.getClusterID(), "Incorrect cluster ID");
+        assertEquals(CLUSTER_NAME, res.getClusterName(), "Incorrect cluster name");
+        assertEquals(VERSION, res.getVersion(), "Incorrect version");
+        assertEquals(SERVER_TIME_UTC, res.getServerTimeUTC(), "Incorrect server time");
+        assertEquals(STANDBY, res.isStandby(), "Incorrect standby state");
+        assertEquals(SEALED, res.isSealed(), "Incorrect seal state");
+        assertEquals(INITIALIZED, res.isInitialized(), "Incorrect initialization state");
+        assertEquals(PERF_STANDBY, res.isPerformanceStandby(), "Incorrect performance standby state");
+        assertEquals(REPL_PERF_MODE, res.getReplicationPerfMode(), "Incorrect replication perf mode");
+        assertEquals(REPL_DR_MODE, res.getReplicationDrMode(), "Incorrect replication DR mode");
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/response/HelpResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/HelpResponseTest.java
@ -0,0 +1,66 @@
+/*
+ * Copyright 2016-2021 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import de.stklcode.jvault.connector.model.AbstractModelTest;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * JUnit Test for {@link HelpResponse} model.
+ *
+ * @author Stefan Kalscheuer
+ */
+class HelpResponseTest extends AbstractModelTest<HelpResponse> {
+    private static final String HELP = "Help Text.";
+
+    private static final String JSON = "{\"help\":\"" + HELP + "\"}";
+
+    HelpResponseTest() {
+        super(HelpResponse.class);
+    }
+
+    @Override
+    protected HelpResponse createFull() {
+        try {
+            return objectMapper.readValue(JSON, HelpResponse.class);
+        } catch (JsonProcessingException e) {
+            fail("Creation of full model instance failed", e);
+            return null;
+        }
+    }
+
+    /**
+     * Test creation from JSON value as returned by Vault.
+     */
+    @Test
+    void jsonRoundtrip() {
+        HelpResponse res = assertDoesNotThrow(
+                () -> objectMapper.readValue(JSON, HelpResponse.class),
+                "HelpResponse deserialization failed"
+        );
+        assertNotNull(res, "Parsed response is NULL");
+        assertEquals(HELP, res.getHelp(), "Unexpected help text");
+        assertEquals(
+                JSON,
+                assertDoesNotThrow(() -> objectMapper.writeValueAsString(res), "HelpResponse serialization failed"),
+                "Unexpected JSON string after serialization"
+        );
+    }
+}
--- a/src/test/java/de/stklcode/jvault/connector/model/response/MetaSecretResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/MetaSecretResponseTest.java
@ -0,0 +1,142 @@
+/*
+ * Copyright 2016-2023 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import de.stklcode.jvault.connector.model.AbstractModelTest;
+import org.junit.jupiter.api.Test;
+
+import java.util.List;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * JUnit Test for {@link MetaSecretResponse} model.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.6.2
+ */
+class MetaSecretResponseTest extends AbstractModelTest<MetaSecretResponse> {
+    private static final String SECRET_REQUEST_ID = "68315073-6658-e3ff-2da7-67939fb91bbd";
+    private static final String SECRET_LEASE_ID = "";
+    private static final Integer SECRET_LEASE_DURATION = 2764800;
+    private static final boolean SECRET_RENEWABLE = false;
+    private static final String SECRET_DATA_K1 = "excited";
+    private static final String SECRET_DATA_V1 = "yes";
+    private static final String SECRET_DATA_K2 = "value";
+    private static final String SECRET_DATA_V2 = "world";
+    private static final String SECRET_META_CREATED = "2018-03-22T02:24:06.945319214Z";
+    private static final String SECRET_META_DELETED = "2018-03-23T03:25:07.056420325Z";
+    private static final List<String> SECRET_WARNINGS = null;
+    private static final String SECRET_JSON_V2 = "{\n" +
+            "    \"request_id\": \"" + SECRET_REQUEST_ID + "\",\n" +
+            "    \"lease_id\": \"" + SECRET_LEASE_ID + "\",\n" +
+            "    \"lease_duration\": " + SECRET_LEASE_DURATION + ",\n" +
+            "    \"renewable\": " + SECRET_RENEWABLE + ",\n" +
+            "    \"data\": {\n" +
+            "      \"data\": {\n" +
+            "          \"" + SECRET_DATA_K1 + "\": \"" + SECRET_DATA_V1 + "\",\n" +
+            "          \"" + SECRET_DATA_K2 + "\": \"" + SECRET_DATA_V2 + "\"\n" +
+            "      },\n" +
+            "      \"metadata\": {\n" +
+            "          \"created_time\": \"" + SECRET_META_CREATED + "\",\n" +
+            "          \"deletion_time\": \"\",\n" +
+            "          \"destroyed\": false,\n" +
+            "          \"version\": 1\n" +
+            "      }\n" +
+            "    },\n" +
+            "    \"warnings\": " + SECRET_WARNINGS + "\n" +
+            "}";
+    private static final String SECRET_JSON_V2_2 = "{\n" +
+            "    \"request_id\": \"" + SECRET_REQUEST_ID + "\",\n" +
+            "    \"lease_id\": \"" + SECRET_LEASE_ID + "\",\n" +
+            "    \"lease_duration\": " + SECRET_LEASE_DURATION + ",\n" +
+            "    \"renewable\": " + SECRET_RENEWABLE + ",\n" +
+            "    \"data\": {\n" +
+            "      \"data\": {\n" +
+            "          \"" + SECRET_DATA_K1 + "\": \"" + SECRET_DATA_V1 + "\",\n" +
+            "          \"" + SECRET_DATA_K2 + "\": \"" + SECRET_DATA_V2 + "\"\n" +
+            "      },\n" +
+            "      \"metadata\": {\n" +
+            "          \"created_time\": \"" + SECRET_META_CREATED + "\",\n" +
+            "          \"deletion_time\": \"" + SECRET_META_DELETED + "\",\n" +
+            "          \"destroyed\": true,\n" +
+            "          \"version\": 2\n" +
+            "      }\n" +
+            "    },\n" +
+            "    \"warnings\": " + SECRET_WARNINGS + "\n" +
+            "}";
+
+    MetaSecretResponseTest() {
+        super(MetaSecretResponse.class);
+    }
+
+    @Override
+    protected MetaSecretResponse createFull() {
+        try {
+            return objectMapper.readValue(SECRET_JSON_V2, MetaSecretResponse.class);
+        } catch (JsonProcessingException e) {
+            fail("Creation of full model instance failed", e);
+            return null;
+        }
+    }
+
+    /**
+     * Test creation from JSON value as returned by Vault (JSON example copied from Vault documentation).
+     */
+    @Test
+    void jsonRoundtrip() {
+        // KV v2 secret.
+        MetaSecretResponse res = assertDoesNotThrow(
+                () -> objectMapper.readValue(SECRET_JSON_V2, MetaSecretResponse.class),
+                "SecretResponse deserialization failed"
+        );
+        assertSecretData(res);
+        assertNotNull(res.getMetadata(), "SecretResponse does not contain metadata");
+        assertEquals(SECRET_META_CREATED, res.getMetadata().getCreatedTimeString(), "Incorrect creation date string");
+        assertNotNull(res.getMetadata().getCreatedTime(), "Creation date parsing failed");
+        assertNull(res.getMetadata().getDeletionTimeString(), "Incorrect deletion date string");
+        assertNull(res.getMetadata().getDeletionTime(), "Incorrect deletion date");
+        assertFalse(res.getMetadata().isDestroyed(), "Secret destroyed when not expected");
+        assertEquals(1, res.getMetadata().getVersion(), "Incorrect secret version");
+
+        // Deleted KV v2 secret.
+        res = assertDoesNotThrow(
+                () -> objectMapper.readValue(SECRET_JSON_V2_2, MetaSecretResponse.class),
+                "SecretResponse deserialization failed"
+        );
+        assertSecretData(res);
+        assertNotNull(res.getMetadata(), "SecretResponse does not contain metadata");
+        assertEquals(SECRET_META_CREATED, res.getMetadata().getCreatedTimeString(), "Incorrect creation date string");
+        assertNotNull(res.getMetadata().getCreatedTime(), "Creation date parsing failed");
+        assertEquals(SECRET_META_DELETED, res.getMetadata().getDeletionTimeString(), "Incorrect deletion date string");
+        assertNotNull(res.getMetadata().getDeletionTime(), "Incorrect deletion date");
+        assertTrue(res.getMetadata().isDestroyed(), "Secret destroyed when not expected");
+        assertEquals(2, res.getMetadata().getVersion(), "Incorrect secret version");
+    }
+
+    private void assertSecretData(SecretResponse res) {
+        assertNotNull(res, "Parsed response is NULL");
+        assertEquals(SECRET_REQUEST_ID, res.getRequestId(), "Incorrect request ID");
+        assertEquals(SECRET_LEASE_ID, res.getLeaseId(), "Incorrect lease ID");
+        assertEquals(SECRET_LEASE_DURATION, res.getLeaseDuration(), "Incorrect lease duration");
+        assertEquals(SECRET_RENEWABLE, res.isRenewable(), "Incorrect renewable status");
+        assertEquals(SECRET_WARNINGS, res.getWarnings(), "Incorrect warnings");
+        assertEquals(SECRET_DATA_V1, res.get(SECRET_DATA_K1), "Response does not contain correct data");
+        assertEquals(SECRET_DATA_V2, res.get(SECRET_DATA_K2), "Response does not contain correct data");
+    }
+}
--- a/src/test/java/de/stklcode/jvault/connector/model/response/MetadataResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/MetadataResponseTest.java
@ -0,0 +1,106 @@
+/*
+ * Copyright 2016-2023 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import de.stklcode.jvault.connector.model.AbstractModelTest;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * JUnit Test for {@link MetadataResponse} model.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.8
+ */
+class MetadataResponseTest extends AbstractModelTest<MetadataResponse> {
+    private static final String V1_TIME = "2018-03-22T02:24:06.945319214Z";
+    private static final String V3_TIME = "2018-03-22T02:36:43.986212308Z";
+    private static final String V2_TIME = "2018-03-22T02:36:33.954880664Z";
+    private static final Integer CURRENT_VERSION = 3;
+    private static final Integer MAX_VERSIONS = 0;
+    private static final Integer OLDEST_VERSION = 1;
+
+    private static final String META_JSON = "{\n" +
+            "  \"data\": {\n" +
+            "    \"created_time\": \"" + V1_TIME + "\",\n" +
+            "    \"current_version\": " + CURRENT_VERSION + ",\n" +
+            "    \"max_versions\": " + MAX_VERSIONS + ",\n" +
+            "    \"oldest_version\": " + OLDEST_VERSION + ",\n" +
+            "    \"updated_time\": \"" + V3_TIME + "\",\n" +
+            "    \"versions\": {\n" +
+            "      \"1\": {\n" +
+            "        \"created_time\": \"" + V1_TIME + "\",\n" +
+            "        \"deletion_time\": \"" + V2_TIME + "\",\n" +
+            "        \"destroyed\": true\n" +
+            "      },\n" +
+            "      \"2\": {\n" +
+            "        \"created_time\": \"" + V2_TIME + "\",\n" +
+            "        \"deletion_time\": \"\",\n" +
+            "        \"destroyed\": false\n" +
+            "      },\n" +
+            "      \"3\": {\n" +
+            "        \"created_time\": \"" + V3_TIME + "\",\n" +
+            "        \"deletion_time\": \"\",\n" +
+            "        \"destroyed\": false\n" +
+            "      }\n" +
+            "    }\n" +
+            "  }\n" +
+            "}";
+
+    MetadataResponseTest() {
+        super(MetadataResponse.class);
+    }
+
+    @Override
+    protected MetadataResponse createFull() {
+        try {
+            return objectMapper.readValue(META_JSON, MetadataResponse.class);
+        } catch (JsonProcessingException e) {
+            fail("Creation of full model instance failed", e);
+            return null;
+        }
+    }
+
+    /**
+     * Test creation from JSON value as returned by Vault (JSON example copied from Vault documentation).
+     */
+    @Test
+    void jsonRoundtrip() {
+        MetadataResponse res = assertDoesNotThrow(
+                () -> objectMapper.readValue(META_JSON, MetadataResponse.class),
+                "MetadataResponse deserialization failed"
+        );
+        assertNotNull(res, "Parsed response is NULL");
+        assertNotNull(res.getMetadata(), "Parsed metadata is NULL");
+        assertEquals(V1_TIME, res.getMetadata().getCreatedTimeString(), "Incorrect created time");
+        assertNotNull(res.getMetadata().getCreatedTime(), "Parting created time failed");
+        assertEquals(CURRENT_VERSION, res.getMetadata().getCurrentVersion(), "Incorrect current version");
+        assertEquals(MAX_VERSIONS, res.getMetadata().getMaxVersions(), "Incorrect max versions");
+        assertEquals(OLDEST_VERSION, res.getMetadata().getOldestVersion(), "Incorrect oldest version");
+        assertEquals(V3_TIME, res.getMetadata().getUpdatedTimeString(), "Incorrect updated time");
+        assertNotNull(res.getMetadata().getUpdatedTime(), "Parting updated time failed");
+        assertEquals(3, res.getMetadata().getVersions().size(), "Incorrect number of versions");
+        assertEquals(V2_TIME, res.getMetadata().getVersions().get(1).getDeletionTimeString(), "Incorrect version 1 delete time");
+        assertNotNull(res.getMetadata().getVersions().get(1).getDeletionTime(), "Parsing version delete time failed");
+        assertTrue(res.getMetadata().getVersions().get(1).isDestroyed(), "Incorrect version 1 destroyed state");
+        assertEquals(V2_TIME, res.getMetadata().getVersions().get(2).getCreatedTimeString(), "Incorrect version 2 created time");
+        assertNotNull(res.getMetadata().getVersions().get(2).getCreatedTime(), "Parsing version created failed");
+        assertFalse(res.getMetadata().getVersions().get(3).isDestroyed(), "Incorrect version 3 destroyed state");
+    }
+}
--- a/src/test/java/de/stklcode/jvault/connector/model/response/PlainSecretResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/PlainSecretResponseTest.java
@ -0,0 +1,223 @@
+/*
+ * Copyright 2016-2021 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import de.stklcode.jvault.connector.model.AbstractModelTest;
+import org.junit.jupiter.api.Test;
+
+import java.util.*;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * JUnit Test for {@link PlainSecretResponse} model.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.6.2
+ */
+class PlainSecretResponseTest extends AbstractModelTest<PlainSecretResponse> {
+    private static final String SECRET_REQUEST_ID = "68315073-6658-e3ff-2da7-67939fb91bbd";
+    private static final String SECRET_LEASE_ID = "";
+    private static final Integer SECRET_LEASE_DURATION = 2764800;
+    private static final boolean SECRET_RENEWABLE = false;
+    private static final String SECRET_DATA_K1 = "excited";
+    private static final String SECRET_DATA_V1 = "yes";
+    private static final String SECRET_DATA_K2 = "value";
+    private static final String SECRET_DATA_V2 = "world";
+    private static final List<String> SECRET_WARNINGS = null;
+    private static final String SECRET_JSON = "{\n" +
+            "    \"request_id\": \"" + SECRET_REQUEST_ID + "\",\n" +
+            "    \"lease_id\": \"" + SECRET_LEASE_ID + "\",\n" +
+            "    \"lease_duration\": " + SECRET_LEASE_DURATION + ",\n" +
+            "    \"renewable\": " + SECRET_RENEWABLE + ",\n" +
+            "    \"data\": {\n" +
+            "        \"" + SECRET_DATA_K1 + "\": \"" + SECRET_DATA_V1 + "\",\n" +
+            "        \"" + SECRET_DATA_K2 + "\": \"" + SECRET_DATA_V2 + "\"\n" +
+            "    },\n" +
+            "    \"warnings\": " + SECRET_WARNINGS + "\n" +
+            "}";
+
+    PlainSecretResponseTest() {
+        super(PlainSecretResponse.class);
+    }
+
+    @Override
+    protected PlainSecretResponse createFull() {
+        try {
+            return objectMapper.readValue(SECRET_JSON, PlainSecretResponse.class);
+        } catch (JsonProcessingException e) {
+            fail("Creation of full model instance failed", e);
+            return null;
+        }
+    }
+
+    /**
+     * Test creation from JSON value as returned by Vault (JSON example copied from Vault documentation).
+     */
+    @Test
+    void jsonRoundtrip() {
+        SecretResponse res = assertDoesNotThrow(
+                () -> objectMapper.readValue(SECRET_JSON, PlainSecretResponse.class),
+                "SecretResponse deserialization failed"
+        );
+
+        assertNotNull(res, "Parsed response is NULL");
+        assertEquals(SECRET_REQUEST_ID, res.getRequestId(), "Incorrect request ID");
+        assertEquals(SECRET_LEASE_ID, res.getLeaseId(), "Incorrect lease ID");
+        assertEquals(SECRET_LEASE_DURATION, res.getLeaseDuration(), "Incorrect lease duration");
+        assertEquals(SECRET_RENEWABLE, res.isRenewable(), "Incorrect renewable status");
+        assertEquals(SECRET_WARNINGS, res.getWarnings(), "Incorrect warnings");
+        assertEquals(SECRET_DATA_V1, res.get(SECRET_DATA_K1), "Response does not contain correct data");
+        assertEquals(SECRET_DATA_V2, res.get(SECRET_DATA_K2), "Response does not contain correct data");
+    }
+
+    /**
+     * Test creation from JSON value as returned by Vault (JSON example copied from Vault documentation).
+     */
+    @Test
+    void testGetter() {
+        final var stringKey = "string";
+        final var stringVal = "test";
+
+        final var numberKey = "number";
+        final var numberVal = 123.45;
+
+        final var listKey = "list";
+        final var listVal = List.of("foo", "bar");
+
+        final var complexKey = "complex";
+        final var complexVal = new ComplexType("val1", 678);
+
+        SecretResponse res = assertDoesNotThrow(
+                () -> objectMapper.readValue(
+                        "{\n" +
+                                "  \"request_id\": \"req-id\",\n" +
+                                "  \"lease_id\": \"lea-id\",\n" +
+                                "  \"lease_duration\": " + 123456 + ",\n" +
+                                "  \"renewable\": true,\n" +
+                                "  \"data\": {\n" +
+                                "    \"" + stringKey + "\": \"" + stringVal + "\",\n" +
+                                "    \"" + numberKey + "\": \"" + numberVal + "\",\n" +
+                                "    \"" + listKey + "\": [\"" + String.join("\", \"", listVal) + "\"],\n" +
+                                "    \"" + complexKey + "\": {" +
+                                "      \"field1\": \"" + complexVal.field1 + "\",\n" +
+                                "      \"field2\": " + complexVal.field2 + "\n" +
+                                "    },\n" +
+                                "    \"" + complexKey + "Json\": \"" + objectMapper.writeValueAsString(complexVal).replace("\"", "\\\"") + "\"\n" +
+                                "  }\n" +
+                                "}",
+                        PlainSecretResponse.class
+                ),
+                "SecretResponse deserialization failed"
+        );
+
+        assertEquals(stringVal, res.get(stringKey), "unexpected value for string (implicit)");
+        assertEquals(
+                stringVal,
+                assertDoesNotThrow(() -> res.get(stringKey, String.class), "getting string failed"),
+                "unexpected value for string (explicit)"
+        );
+
+        assertEquals(String.valueOf(numberVal), res.get(numberKey), "unexpected value for number (implicit)");
+        assertEquals(
+                numberVal,
+                assertDoesNotThrow(() -> res.get(numberKey, Double.class), "getting number failed"),
+                "unexpected value for number (explicit)"
+        );
+        assertEquals(
+                String.valueOf(numberVal),
+                assertDoesNotThrow(() -> res.get(numberKey, String.class), "getting number as string failed"),
+                "unexpected value for number as string (explicit)"
+        );
+
+        assertEquals(listVal, res.get(listKey), "unexpected value for list (implicit)");
+        assertEquals(
+                listVal,
+                assertDoesNotThrow(() -> res.get(listKey, ArrayList.class), "getting list failed"),
+                "unexpected value for list (explicit)"
+        );
+
+        assertEquals(complexVal.toMap(), res.get(complexKey), "unexpected value for complex type (implicit)");
+        assertEquals(
+                complexVal.toMap(),
+                assertDoesNotThrow(() -> res.get(complexKey, HashMap.class), "getting complex type as map failed"),
+                "unexpected value for complex type as map (explicit)"
+        );
+        assertEquals(
+                complexVal,
+                assertDoesNotThrow(() -> res.get(complexKey, ComplexType.class), "getting complex type failed"),
+                "unexpected value for complex type (explicit)"
+        );
+        assertThrows(
+                InvalidResponseException.class,
+                () -> res.get(complexKey, Integer.class),
+                "getting complex type as integer should fail"
+        );
+        assertEquals(
+                complexVal,
+                assertDoesNotThrow(() -> res.get(complexKey + "Json", ComplexType.class), "getting complex type from JSON string failed"),
+                "unexpected value for complex type from JSON string"
+        );
+    }
+
+
+    /**
+     * Test class for complex field mapping.
+     */
+    private static class ComplexType {
+        @JsonProperty("field1")
+        private String field1;
+
+        @JsonProperty("field2")
+        private Integer field2;
+
+        private ComplexType() {
+            // Required for JSON deserialization.
+        }
+
+        private ComplexType(String field1, Integer field2) {
+            this.field1 = field1;
+            this.field2 = field2;
+        }
+
+        private Map<String, Object> toMap() {
+            return Map.of(
+                    "field1", field1,
+                    "field2", field2
+            );
+        }
+
+        @Override
+        public boolean equals(Object o) {
+            if (this == o) {
+                return true;
+            } else if (o == null || getClass() != o.getClass()) {
+                return false;
+            }
+            ComplexType that = (ComplexType) o;
+            return Objects.equals(field1, that.field1) && Objects.equals(field2, that.field2);
+        }
+
+        @Override
+        public int hashCode() {
+            return Objects.hash(field1, field2);
+        }
+    }
+}
--- a/src/test/java/de/stklcode/jvault/connector/model/response/SealResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/SealResponseTest.java
@ -0,0 +1,143 @@
+/*
+ * Copyright 2016-2023 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import de.stklcode.jvault.connector.model.AbstractModelTest;
+import org.junit.jupiter.api.Test;
+
+import java.time.ZonedDateTime;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * JUnit Test for {@link SealResponse} model.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.8
+ */
+class SealResponseTest extends AbstractModelTest<SealResponse> {
+    private static final String TYPE = "shamir";
+    private static final Integer THRESHOLD = 3;
+    private static final Integer SHARES = 5;
+    private static final Integer PROGRESS_SEALED = 2;
+    private static final Integer PROGRESS_UNSEALED = 0;
+    private static final String VERSION = "1.15.4";
+    private static final String BUILD_DATE = "2023-11-22T20:59:54Z";
+    private static final String CLUSTER_NAME = "vault-cluster-d6ec3c7f";
+    private static final String CLUSTER_ID = "3e8b3fec-3749-e056-ba41-b62a63b997e8";
+    private static final String NONCE = "ef05d55d-4d2c-c594-a5e8-55bc88604c24";
+    private static final Boolean MIGRATION = false;
+    private static final Boolean RECOVERY_SEAL = false;
+    private static final String STORAGE_TYPE = "file";
+
+    private static final String RES_SEALED = "{\n" +
+            "  \"type\": \"" + TYPE + "\",\n" +
+            "  \"sealed\": true,\n" +
+            "  \"initialized\": true,\n" +
+            "  \"t\": " + THRESHOLD + ",\n" +
+            "  \"n\": " + SHARES + ",\n" +
+            "  \"progress\": " + PROGRESS_SEALED + ",\n" +
+            "  \"nonce\": \"\",\n" +
+            "  \"version\": \"" + VERSION + "\",\n" +
+            "  \"build_date\": \"" + BUILD_DATE + "\",\n" +
+            "  \"migration\": \"" + MIGRATION + "\",\n" +
+            "  \"recovery_seal\": \"" + RECOVERY_SEAL + "\",\n" +
+            "  \"storage_type\": \"" + STORAGE_TYPE + "\"\n" +
+            "}";
+
+    private static final String RES_UNSEALED = "{\n" +
+            "  \"type\": \"" + TYPE + "\",\n" +
+            "  \"sealed\": false,\n" +
+            "  \"initialized\": true,\n" +
+            "  \"t\": " + THRESHOLD + ",\n" +
+            "  \"n\": " + SHARES + ",\n" +
+            "  \"progress\": " + PROGRESS_UNSEALED + ",\n" +
+            "  \"version\": \"" + VERSION + "\",\n" +
+            "  \"build_date\": \"" + BUILD_DATE + "\",\n" +
+            "  \"cluster_name\": \"" + CLUSTER_NAME + "\",\n" +
+            "  \"cluster_id\": \"" + CLUSTER_ID + "\",\n" +
+            "  \"nonce\": \"" + NONCE + "\",\n" +
+            "  \"migration\": \"" + MIGRATION + "\",\n" +
+            "  \"recovery_seal\": \"" + RECOVERY_SEAL + "\",\n" +
+            "  \"storage_type\": \"" + STORAGE_TYPE + "\"\n" +
+            "}";
+
+    SealResponseTest() {
+        super(SealResponse.class);
+    }
+
+    @Override
+    protected SealResponse createFull() {
+        try {
+            return objectMapper.readValue(RES_UNSEALED, SealResponse.class);
+        } catch (JsonProcessingException e) {
+            fail("Creation of full model instance failed", e);
+            return null;
+        }
+    }
+
+    /**
+     * Test creation from JSON value as returned by Vault when sealed (JSON example close to Vault documentation).
+     */
+    @Test
+    void jsonRoundtripSealed() {
+        // First test sealed Vault's response.
+        SealResponse res = assertDoesNotThrow(
+                () -> objectMapper.readValue(RES_SEALED, SealResponse.class),
+                "SealResponse deserialization failed"
+        );
+        assertNotNull(res, "Parsed response is NULL");
+        assertEquals(TYPE, res.getType(), "Incorrect seal type");
+        assertTrue(res.isSealed(), "Incorrect seal status");
+        assertTrue(res.isInitialized(), "Incorrect initialization status");
+        assertEquals(THRESHOLD, res.getThreshold(), "Incorrect threshold");
+        assertEquals(SHARES, res.getNumberOfShares(), "Incorrect number of shares");
+        assertEquals(PROGRESS_SEALED, res.getProgress(), "Incorrect progress");
+        assertEquals("", res.getNonce(), "Nonce not empty");
+        assertEquals(VERSION, res.getVersion(), "Incorrect version");
+        assertEquals(ZonedDateTime.parse(BUILD_DATE), res.getBuildDate(), "Incorrect build date");
+        assertEquals(MIGRATION, res.getMigration(), "Incorrect migration");
+        assertEquals(RECOVERY_SEAL, res.getRecoverySeal(), "Incorrect recovery seal");
+        assertEquals(STORAGE_TYPE, res.getStorageType(), "Incorrect storage type");
+        // And the fields, that should not be filled.
+        assertNull(res.getClusterName(), "Cluster name should not be populated");
+        assertNull(res.getClusterId(), "Cluster ID should not be populated");
+
+
+        // Not test unsealed Vault's response.
+        res = assertDoesNotThrow(
+                () -> objectMapper.readValue(RES_UNSEALED, SealResponse.class),
+                "SealResponse deserialization failed"
+        );
+        assertNotNull(res, "Parsed response is NULL");
+        assertEquals(TYPE, res.getType(), "Incorrect seal type");
+        assertFalse(res.isSealed(), "Incorrect seal status");
+        assertTrue(res.isInitialized(), "Incorrect initialization status");
+        assertEquals(THRESHOLD, res.getThreshold(), "Incorrect threshold");
+        assertEquals(SHARES, res.getNumberOfShares(), "Incorrect number of shares");
+        assertEquals(PROGRESS_UNSEALED, res.getProgress(), "Incorrect progress");
+        assertEquals(NONCE, res.getNonce(), "Incorrect nonce");
+        assertEquals(VERSION, res.getVersion(), "Incorrect version");
+        assertEquals(ZonedDateTime.parse(BUILD_DATE), res.getBuildDate(), "Incorrect build date");
+        assertEquals(CLUSTER_NAME, res.getClusterName(), "Incorrect cluster name");
+        assertEquals(CLUSTER_ID, res.getClusterId(), "Incorrect cluster ID");
+        assertEquals(MIGRATION, res.getMigration(), "Incorrect migration");
+        assertEquals(RECOVERY_SEAL, res.getRecoverySeal(), "Incorrect recovery seal");
+        assertEquals(STORAGE_TYPE, res.getStorageType(), "Incorrect storage type");
+    }
+}
--- a/src/test/java/de/stklcode/jvault/connector/model/response/SecretListResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/SecretListResponseTest.java
@ -0,0 +1,75 @@
+/*
+ * Copyright 2016-2023 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import de.stklcode.jvault.connector.model.AbstractModelTest;
+import org.junit.jupiter.api.Test;
+
+import java.util.List;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * JUnit Test for {@link SecretListResponse} model.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.8
+ */
+class SecretListResponseTest extends AbstractModelTest<SecretListResponse> {
+    private static final String KEY1 = "key1";
+    private static final String KEY2 = "key-2";
+    private static final String JSON = "{\n" +
+            "  \"auth\": null,\n" +
+            "  \"data\": {\n" +
+            "    \"keys\": [" +
+            "      \"" + KEY1 + "\",\n" +
+            "      \"" + KEY2 + "\"\n" +
+            "    ]\n" +
+            "  },\n" +
+            "  \"lease_duration\": 2764800,\n" +
+            "  \"lease_id\": \"\",\n" +
+            "  \"renewable\": false\n" +
+            "}";
+
+    SecretListResponseTest() {
+        super(SecretListResponse.class);
+    }
+
+    @Override
+    protected SecretListResponse createFull() {
+        try {
+            return objectMapper.readValue(JSON, SecretListResponse.class);
+        } catch (JsonProcessingException e) {
+            fail("Creation of full model instance failed", e);
+            return null;
+        }
+    }
+
+    /**
+     * Test JSON deserialization and key getter.
+     */
+    @Test
+    void getKeysTest() {
+        SecretListResponse res = assertDoesNotThrow(
+                () -> objectMapper.readValue(JSON, SecretListResponse.class),
+                "SecretListResponse deserialization failed"
+        );
+
+        assertEquals(List.of(KEY1, KEY2), res.getKeys(), "Unexpected secret keys");
+    }
+}
--- a/src/test/java/de/stklcode/jvault/connector/model/response/SecretResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/SecretResponseTest.java
@ -1,133 +0,0 @@
-/*
- * Copyright 2016-2018 Stefan Kalscheuer
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package de.stklcode.jvault.connector.model.response;
-
-import com.fasterxml.jackson.databind.ObjectMapper;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
-import org.junit.jupiter.api.Test;
-
-import java.io.IOException;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.*;
-import static org.junit.jupiter.api.Assertions.fail;
-
-/**
- * JUnit Test for {@link SecretResponse} model.
- *
- * @author Stefan Kalscheuer
- * @since 0.6.2
- */
-public class SecretResponseTest {
-    private static final Map<String, Object> DATA = new HashMap<>();
-    private static final String KEY_UNKNOWN = "unknown";
-    private static final String KEY_STRING = "test1";
-    private static final String VAL_STRING = "testvalue";
-    private static final String KEY_INTEGER = "test2";
-    private static final Integer VAL_INTEGER = 42;
-    private static final String KEY_LIST = "list";
-    private static final String VAL_LIST = "[\"first\",\"second\"]";
-
-    private static final String SECRET_REQUEST_ID = "68315073-6658-e3ff-2da7-67939fb91bbd";
-    private static final String SECRET_LEASE_ID = "";
-    private static final Integer SECRET_LEASE_DURATION = 2764800;
-    private static final boolean SECRET_RENEWABLE = false;
-    private static final String SECRET_DATA_K1 = "excited";
-    private static final String SECRET_DATA_V1 = "yes";
-    private static final String SECRET_DATA_K2 = "value";
-    private static final String SECRET_DATA_V2 = "world";
-    private static final List<String> SECRET_WARNINGS = null;
-    private static final String SECRET_JSON = "{\n" +
-            "    \"request_id\": \"" + SECRET_REQUEST_ID + "\",\n" +
-            "    \"lease_id\": \"" + SECRET_LEASE_ID + "\",\n" +
-            "    \"lease_duration\": " + SECRET_LEASE_DURATION + ",\n" +
-            "    \"renewable\": " + SECRET_RENEWABLE + ",\n" +
-            "    \"data\": {\n" +
-            "        \"" + SECRET_DATA_K1 + "\": \"" + SECRET_DATA_V1 + "\",\n" +
-            "        \"" + SECRET_DATA_K2 + "\": \"" + SECRET_DATA_V2 + "\"\n" +
-            "    },\n" +
-            "    \"warnings\": " + SECRET_WARNINGS + "\n" +
-            "}";
-
-
-    static {
-        DATA.put(KEY_STRING, VAL_STRING);
-        DATA.put(KEY_INTEGER, VAL_INTEGER);
-        DATA.put(KEY_LIST, VAL_LIST);
-    }
-
-    /**
-     * Test getter, setter and get-methods for response data.
-     *
-     * @throws InvalidResponseException Should not occur
-     */
-    @Test
-    @SuppressWarnings("unchecked")
-    public void getDataRoundtrip() throws InvalidResponseException {
-        // Create empty Object.
-        SecretResponse res = new SecretResponse();
-        assertThat("Initial data should be Map", res.getData(), is(instanceOf(Map.class)));
-        assertThat("Initial data should be empty", res.getData().entrySet(), empty());
-        assertThat("Getter should return NULL on empty data map", res.get(KEY_STRING), is(nullValue()));
-
-        // Fill data map.
-        res.setData(DATA);
-        assertThat("Data setter/getter not transparent", res.getData(), is(DATA));
-        assertThat("Data size modified", res.getData().keySet(), hasSize(DATA.size()));
-        assertThat("Data keys not passed correctly", res.getData().keySet(), containsInAnyOrder(KEY_STRING, KEY_INTEGER, KEY_LIST));
-        assertThat("Data values not passed correctly", res.get(KEY_STRING), is(VAL_STRING));
-        assertThat("Data values not passed correctly", res.get(KEY_INTEGER), is(VAL_INTEGER));
-        assertThat("Non-Null returned on unknown key", res.get(KEY_UNKNOWN), is(nullValue()));
-
-        // Try explicit JSON conversion.
-        final List list = res.get(KEY_LIST, List.class);
-        assertThat("JSON parsing of list failed", list, is(notNullValue()));
-        assertThat("JSON parsing of list returned incorrect size", list.size(), is(2));
-        assertThat("JSON parsing of list returned incorrect elements", (List<Object>)list, contains("first", "second"));
-        assertThat("Non-Null returned on unknown key", res.get(KEY_UNKNOWN, Object.class), is(nullValue()));
-
-        // Requesting invalid class should result in Exception.
-        try {
-            res.get(KEY_LIST, Double.class);
-            fail("JSON parsing to incorrect type succeeded.");
-        } catch (Exception e) {
-            assertThat(e, is(instanceOf(InvalidResponseException.class)));
-        }
-    }
-
-    /**
-     * Test creation from JSON value as returned by Vault (JSON example copied from Vault documentation).
-     */
-    @Test
-    public void jsonRoundtrip() {
-        try {
-            SecretResponse res = new ObjectMapper().readValue(SECRET_JSON, SecretResponse.class);
-            assertThat("Parsed response is NULL", res, is(notNullValue()));
-            assertThat("Incorrect lease ID", res.getLeaseId(), is(SECRET_LEASE_ID));
-            assertThat("Incorrect lease duration", res.getLeaseDuration(), is(SECRET_LEASE_DURATION));
-            assertThat("Incorrect renewable status", res.isRenewable(), is(SECRET_RENEWABLE));
-            assertThat("Incorrect warnings", res.getWarnings(), is(SECRET_WARNINGS));
-            assertThat("Response does not contain correct data", res.get(SECRET_DATA_K1), is(SECRET_DATA_V1));
-            assertThat("Response does not contain correct data", res.get(SECRET_DATA_K2), is(SECRET_DATA_V2));
-        } catch (IOException e) {
-            fail("SecretResponse deserialization failed: " + e.getMessage());
-        }
-    }
-}
--- a/src/test/java/de/stklcode/jvault/connector/model/response/SecretVersionResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/SecretVersionResponseTest.java
@ -0,0 +1,75 @@
+/*
+ * Copyright 2016-2023 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import de.stklcode.jvault.connector.model.AbstractModelTest;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * JUnit Test for {@link SecretVersionResponse} model.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.8
+ */
+class SecretVersionResponseTest extends AbstractModelTest<SecretVersionResponse> {
+    private static final String CREATION_TIME = "2018-03-22T02:24:06.945319214Z";
+    private static final String DELETION_TIME = "2018-03-22T02:36:43.986212308Z";
+    private static final Integer VERSION = 42;
+
+    private static final String META_JSON = "{\n" +
+            "  \"data\": {\n" +
+            "    \"created_time\": \"" + CREATION_TIME + "\",\n" +
+            "    \"deletion_time\": \"" + DELETION_TIME + "\",\n" +
+            "    \"destroyed\": false,\n" +
+            "    \"version\": " + VERSION + "\n" +
+            "  }\n" +
+            "}";
+
+    SecretVersionResponseTest() {
+        super(SecretVersionResponse.class);
+    }
+
+    @Override
+    protected SecretVersionResponse createFull() {
+        try {
+            return objectMapper.readValue(META_JSON, SecretVersionResponse.class);
+        } catch (JsonProcessingException e) {
+            fail("Creation of full model instance failed", e);
+            return null;
+        }
+    }
+
+    /**
+     * Test creation from JSON value as returned by Vault (JSON example copied from Vault documentation).
+     */
+    @Test
+    void jsonRoundtrip() {
+        SecretVersionResponse res = assertDoesNotThrow(
+                () -> objectMapper.readValue(META_JSON, SecretVersionResponse.class),
+                "SecretVersionResponse deserialization failed"
+        );
+        assertNotNull(res, "Parsed response is NULL");
+        assertNotNull(res.getMetadata(), "Parsed metadata is NULL");
+        assertEquals(CREATION_TIME, res.getMetadata().getCreatedTimeString(), "Incorrect created time");
+        assertEquals(DELETION_TIME, res.getMetadata().getDeletionTimeString(), "Incorrect deletion time");
+        assertFalse(res.getMetadata().isDestroyed(), "Incorrect destroyed state");
+        assertEquals(VERSION, res.getMetadata().getVersion(), "Incorrect version");
+    }
+}
--- a/src/test/java/de/stklcode/jvault/connector/model/response/TokenResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/TokenResponseTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 Stefan Kalscheuer
+ * Copyright 2016-2023 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,18 +16,16 @@

 package de.stklcode.jvault.connector.model.response;

-import com.fasterxml.jackson.databind.ObjectMapper;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import de.stklcode.jvault.connector.model.AbstractModelTest;
 import de.stklcode.jvault.connector.model.response.embedded.TokenData;
 import org.junit.jupiter.api.Test;

-import java.io.IOException;
-import java.util.HashMap;
+import java.time.ZonedDateTime;
+import java.util.List;
 import java.util.Map;

-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.*;
-import static org.junit.jupiter.api.Assertions.fail;
+import static org.junit.jupiter.api.Assertions.*;

 /**
 * JUnit Test for {@link TokenResponse} model.
@ -35,28 +33,46 @@ import static org.junit.jupiter.api.Assertions.fail;
 * @author Stefan Kalscheuer
 * @since 0.6.2
 */
-public class TokenResponseTest {
+class TokenResponseTest extends AbstractModelTest<TokenResponse> {
    private static final Integer TOKEN_CREATION_TIME = 1457533232;
    private static final Integer TOKEN_TTL = 2764800;
+    private static final Integer TOKEN_EXPLICIT_MAX_TTL = 0;
    private static final String TOKEN_DISPLAY_NAME = "token";
+    private static final String TOKEN_META_KEY = "foo";
+    private static final String TOKEN_META_VALUE = "bar";
    private static final Integer TOKEN_NUM_USES = 0;
    private static final Boolean TOKEN_ORPHAN = false;
+    private static final Boolean TOKEN_RENEWABLE = true;
    private static final String TOKEN_PATH = "auth/token/create";
    private static final String TOKEN_POLICY_1 = "default";
    private static final String TOKEN_POLICY_2 = "web";
    private static final Boolean RES_RENEWABLE = false;
    private static final Integer RES_TTL = 2591976;
    private static final Integer RES_LEASE_DURATION = 0;
+    private static final String TOKEN_ACCESSOR = "VKvzT2fKHFsZFUus9LyoXCvu";
+    private static final String TOKEN_ENTITY_ID = "7d2e3179-f69b-450c-7179-ac8ee8bd8ca9";
+    private static final String TOKEN_EXPIRE_TIME = "2018-05-19T11:35:54.466476215-04:00";
+    private static final String TOKEN_ID = "my-token";
+    private static final String TOKEN_ISSUE_TIME = "2018-04-17T11:35:54.466476078-04:00";
+    private static final String TOKEN_TYPE = "service";

    private static final String RES_JSON = "{\n" +
            "  \"lease_id\": \"\",\n" +
            "  \"renewable\": " + RES_RENEWABLE + ",\n" +
            "  \"lease_duration\": " + RES_LEASE_DURATION + ",\n" +
            "  \"data\": {\n" +
+            "    \"accessor\": \"" + TOKEN_ACCESSOR + "\",\n" +
            "    \"creation_time\": " + TOKEN_CREATION_TIME + ",\n" +
            "    \"creation_ttl\": " + TOKEN_TTL + ",\n" +
            "    \"display_name\": \"" + TOKEN_DISPLAY_NAME + "\",\n" +
-            "    \"meta\": null,\n" +
+            "    \"entity_id\": \"" + TOKEN_ENTITY_ID + "\",\n" +
+            "    \"expire_time\": \"" + TOKEN_EXPIRE_TIME + "\",\n" +
+            "    \"explicit_max_ttl\": \"" + TOKEN_EXPLICIT_MAX_TTL + "\",\n" +
+            "    \"id\": \"" + TOKEN_ID + "\",\n" +
+            "    \"issue_time\": \"" + TOKEN_ISSUE_TIME + "\",\n" +
+            "    \"meta\": {\n" +
+            "      \"" + TOKEN_META_KEY + "\": \"" + TOKEN_META_VALUE + "\"\n" +
+            "    },\n" +
            "    \"num_uses\": " + TOKEN_NUM_USES + ",\n" +
            "    \"orphan\": " + TOKEN_ORPHAN + ",\n" +
            "    \"path\": \"" + TOKEN_PATH + "\",\n" +
@ -64,60 +80,73 @@ public class TokenResponseTest {
            "      \"" + TOKEN_POLICY_1 + "\", \n" +
            "      \"" + TOKEN_POLICY_2 + "\"\n" +
            "    ],\n" +
-            "    \"ttl\": " + RES_TTL + "\n" +
+            "    \"renewable\": " + TOKEN_RENEWABLE + ",\n" +
+            "    \"ttl\": " + RES_TTL + ",\n" +
+            "    \"type\": \"" + TOKEN_TYPE + "\"\n" +
            "  },\n" +
            "  \"warnings\": null,\n" +
            "  \"auth\": null\n" +
            "}";

-    private static final Map<String, Object> INVALID_TOKEN_DATA = new HashMap<>();
+    TokenResponseTest() {
+        super(TokenResponse.class);
+    }

-    static {
-        INVALID_TOKEN_DATA.put("num_uses", "fourtytwo");
+    @Override
+    protected TokenResponse createFull() {
+        try {
+            return objectMapper.readValue(RES_JSON, TokenResponse.class);
+        } catch (JsonProcessingException e) {
+            fail("Creation of full model instance failed", e);
+            return null;
+        }
    }

    /**
     * Test getter, setter and get-methods for response data.
     */
    @Test
-    public void getDataRoundtrip() {
+    void getDataRoundtrip() {
        // Create empty Object.
        TokenResponse res = new TokenResponse();
-        assertThat("Initial data should be empty", res.getData(), is(nullValue()));
-
-        // Parsing invalid data map should fail.
-        try {
-            res.setData(INVALID_TOKEN_DATA);
-            fail("Parsing invalid token data succeeded");
-        } catch (Exception e) {
-            assertThat(e, is(instanceOf(InvalidResponseException.class)));
-        }
+        assertNull(res.getData(), "Initial data should be empty");
    }

    /**
     * Test creation from JSON value as returned by Vault (JSON example copied from Vault documentation).
     */
    @Test
-    public void jsonRoundtrip() {
-        try {
-            TokenResponse res = new ObjectMapper().readValue(RES_JSON, TokenResponse.class);
-            assertThat("Parsed response is NULL", res, is(notNullValue()));
-            assertThat("Incorrect lease duration", res.getLeaseDuration(), is(RES_LEASE_DURATION));
-            assertThat("Incorrect renewable status", res.isRenewable(), is(RES_RENEWABLE));
-            // Extract token data.
-            TokenData data = res.getData();
-            assertThat("Token data is NULL", data, is(notNullValue()));
-            assertThat("Incorrect token creation time", data.getCreationTime(), is(TOKEN_CREATION_TIME));
-            assertThat("Incorrect token creation TTL", data.getCreationTtl(), is(TOKEN_TTL));
-            assertThat("Incorrect token display name", data.getName(), is(TOKEN_DISPLAY_NAME));
-            assertThat("Incorrect token number of uses", data.getNumUses(), is(TOKEN_NUM_USES));
-            assertThat("Incorrect token orphan flag", data.isOrphan(), is(TOKEN_ORPHAN));
-            assertThat("Incorrect token path", data.getPath(), is(TOKEN_PATH));
-            assertThat("Incorrect response renewable flag", res.isRenewable(), is(RES_RENEWABLE));
-            assertThat("Incorrect response TTL", data.getTtl(), is(RES_TTL));
-            assertThat("Incorrect response lease duration", res.getLeaseDuration(), is(RES_LEASE_DURATION));
-        } catch (IOException e) {
-            fail("TokenResponse deserialization failed: " + e.getMessage());
-        }
+    void jsonRoundtrip() {
+        TokenResponse res = assertDoesNotThrow(
+                () -> objectMapper.readValue(RES_JSON, TokenResponse.class),
+                "TokenResponse deserialization failed"
+        );
+        assertNotNull(res, "Parsed response is NULL");
+        assertEquals(RES_LEASE_DURATION, res.getLeaseDuration(), "Incorrect lease duration");
+        assertEquals(RES_RENEWABLE, res.isRenewable(), "Incorrect response renewable flag");
+        assertEquals(RES_LEASE_DURATION, res.getLeaseDuration(), "Incorrect response lease duration");
+        // Extract token data.
+        TokenData data = res.getData();
+        assertNotNull(data, "Token data is NULL");
+        assertEquals(TOKEN_ACCESSOR, data.getAccessor(), "Incorrect token accessor");
+        assertEquals(TOKEN_CREATION_TIME, data.getCreationTime(), "Incorrect token creation time");
+        assertEquals(TOKEN_TTL, data.getCreationTtl(), "Incorrect token creation TTL");
+        assertEquals(TOKEN_DISPLAY_NAME, data.getName(), "Incorrect token display name");
+        assertEquals(TOKEN_ENTITY_ID, data.getEntityId(), "Incorrect token entity ID");
+        assertEquals(TOKEN_EXPIRE_TIME, data.getExpireTimeString(), "Incorrect token expire time");
+        assertEquals(ZonedDateTime.parse(TOKEN_EXPIRE_TIME), data.getExpireTime(), "Incorrect parsed token expire time");
+        assertEquals(TOKEN_EXPLICIT_MAX_TTL, data.getExplicitMaxTtl(), "Incorrect token explicit max TTL");
+        assertEquals(TOKEN_ID, data.getId(), "Incorrect token ID");
+        assertEquals(TOKEN_ISSUE_TIME, data.getIssueTimeString(), "Incorrect token issue time");
+        assertEquals(ZonedDateTime.parse(TOKEN_ISSUE_TIME), data.getIssueTime(), "Incorrect parsed token issue time");
+        assertEquals(Map.of(TOKEN_META_KEY, TOKEN_META_VALUE), data.getMeta(), "Incorrect token metadata");
+        assertEquals(TOKEN_NUM_USES, data.getNumUses(), "Incorrect token number of uses");
+        assertEquals(TOKEN_ORPHAN, data.isOrphan(), "Incorrect token orphan flag");
+        assertEquals(TOKEN_PATH, data.getPath(), "Incorrect token path");
+        assertEquals(2, data.getPolicies().size(), "Incorrect number of token policies");
+        assertTrue(data.getPolicies().containsAll(List.of(TOKEN_POLICY_1, TOKEN_POLICY_2)), "Incorrect token policies");
+        assertEquals(TOKEN_RENEWABLE, data.isRenewable(), "Incorrect token renewable flag");
+        assertEquals(RES_TTL, data.getTtl(), "Incorrect token TTL");
+        assertEquals(TOKEN_TYPE, data.getType(), "Incorrect token type");
    }
 }
--- a/Show More
+++ b/Show More