docs: update version and features in README

test: use WireMockTest annotation
test: update wiremock to 3.13.0
2025-04-24 18:36:36 +02:00 · 2025-04-24 18:30:32 +02:00 · 2025-04-24 18:30:04 +02:00 · 2025-04-13 12:25:18 +02:00 · 2025-04-13 11:25:49 +02:00 · 2025-04-13 10:49:42 +02:00
124 changed files with 7813 additions and 5965 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -1,39 +0,0 @@
 kind: pipeline
 name: default
 steps:
  - name: compile
    image: maven:3-jdk-11
    commands:
      - mvn -B clean compile
    when:
      branch:
        - master
        - develop
        - feature/*
        - fix/*
        - release/*
  - name: unit-tests
    image: maven:3-jdk-11
    commands:
      - mvn -B resources:testResources compiler:testCompile surefire:test -P offline-tests
    when:
      branch:
        - develop
        - feature/*
        - fix/*
  - name: unit-integration-tests
    image: maven:3-jdk-11
    environment:
      VAULT_VERSION: 1.7.0
    commands:
      - curl -s -o vault_1.7.0_linux_amd64.zip https://releases.hashicorp.com/vault/1.7.0/vault_1.7.0_linux_amd64.zip
      - curl -s https://releases.hashicorp.com/vault/1.7.0/vault_1.7.0_SHA256SUMS | grep linux_amd64 | sha256sum -c
      - unzip vault_1.7.0_linux_amd64.zip
      - rm vault_1.7.0_linux_amd64.zip
      - mv vault /bin/
      - mvn -B resources:testResources compiler:testCompile surefire:test
    when:
      branch:
        - master
        - release/*
--- a/.editorconfig
+++ b/.editorconfig
@ -0,0 +1,14 @@
 root = true
 [*]
 charset = utf-8
 end_of_line = lf
 indent_size = 4
 indent_style = space
 insert_final_newline = true
 max_line_length = 120
 tab_width = 4
 trim_trailing_whitespace = true
 [{*.yaml,*.yml}]
 indent_size = 2
--- a/.github/workflows/ci-it.yml
+++ b/.github/workflows/ci-it.yml
@ -0,0 +1,56 @@
 name: CI
 on:
  push:
    branches:
      - 'main'
  pull_request:
    branches:
      - 'main'
 jobs:
  build-with-it:
    if: github.ref_name == 'main' || github.base_ref == 'main' || startsWith(github.ref_name, 'release/')
    runs-on: ubuntu-latest
    strategy:
      matrix:
        jdk: [ 11, 17, 21 ]
        vault: [ '1.2.0', '1.19.0' ]
        include:
          - jdk: 21
            vault: '1.19.0'
            analysis: true
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up Java
        uses: actions/setup-java@v4
        with:
          java-version: ${{ matrix.jdk }}
          distribution: 'temurin'
      - name: Compile
        run: ./mvnw -B clean compile
      - name: Set up Vault
        run: |
          wget -q "https://releases.hashicorp.com/vault/${{ matrix.vault }}/vault_${{ matrix.vault }}_linux_amd64.zip"
          wget -q -O - "https://releases.hashicorp.com/vault/${{ matrix.vault }}/vault_${{ matrix.vault }}_SHA256SUMS" | grep linux_amd64 | sha256sum -c
          tmp="$(mktemp -d)"
          unzip "vault_${{ matrix.vault }}_linux_amd64.zip" -d "$tmp"
          rm "vault_${{ matrix.vault }}_linux_amd64.zip"
          sudo mv "$tmp/vault" /usr/bin/vault
          rm -rf "$tmp"
      - name: Test (Unit & Integration)
        env:
          VAULT_VERSION: ${{ matrix.vault }}
        run: ./mvnw -B -P coverage -P integration-test verify
      - name: Analysis
        if: matrix.analysis && env.SONAR_TOKEN != ''
        run: >
          ./mvnw -B sonar:sonar
          -Dsonar.host.url=https://sonarcloud.io
          -Dsonar.organization=stklcode-github
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -0,0 +1,44 @@
 name: CI
 on:
  push:
    branches:
      - '**'
      - '!main'
  pull_request:
    branches:
      - '**'
      - '!main'
 jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        jdk: [ 11, 17, 21 ]
        include:
          - jdk: 21
            analysis: true
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up Java
        uses: actions/setup-java@v4
        with:
          java-version: ${{ matrix.jdk }}
          distribution: 'temurin'
      - name: Compile
        run: ./mvnw -B clean compile
      - name: Test (Unit)
        run: ./mvnw -B -P coverage verify
      - name: Analysis
        if: matrix.analysis && env.SONAR_TOKEN != ''
        run: >
          ./mvnw -B sonar:sonar
          -Dsonar.host.url=https://sonarcloud.io
          -Dsonar.organization=stklcode-github
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
--- a/.gitignore
+++ b/.gitignore
@ -1,5 +1,17 @@
-/target/
+target/
-/*.iml
+pom.xml.tag
-/.idea/
+pom.xml.releaseBackup
-/*.project
+pom.xml.versionsBackup
-*~
+pom.xml.next
 release.properties
 dependency-reduced-pom.xml
 buildNumber.properties
 .mvn/timing.properties
 .mvn/wrapper/maven-wrapper.jar
 .idea
 *.iml
 .bin
 *~
--- a/.mvn/wrapper/maven-wrapper.properties
+++ b/.mvn/wrapper/maven-wrapper.properties
@ -0,0 +1,2 @@
 distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.9/apache-maven-3.9.9-bin.zip
 wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar
--- a/.travis.yml
+++ b/.travis.yml
@ -1,47 +0,0 @@
 language: java
 install: true
 addons:
  sonarcloud:
    organization: "stklcode-github"
    token:
      secure: "sM9OfX5jW764pn9cb2LSXArnXucKMws+eGeg5NnZxHRcGYt4hpBKLSregBSsBNzUoWVj0zNzPCpnh+UQvgxQzUerOqwEdjTBpy3SNPaxSn7UpoSg+Wz3aUmL9ugmx01b51/wMG4UCHEwTZt2tpgTPVtw8K6uSO78e0dSICCBHDnRcdQwOjMEQHIJJ/qHVRwuy/MzLCAP3W1JPZlsphZg9QsFyhB4hW97dE90joZezfocQIv2xI/r6k+BLz0pY6MxYCul0RiDumaiaej0CPvEJI/uSu//BAQjUdHw+mQgnKUYIbrn2ONOviwNfwdr94JyoZEN2B6zASUmNLjPf4AbIojDeyS+CrpQpm17EVm/Qk/Ds+Xra4PPPIcsZhiWzV0KoDUz9xLfXuRJ526VT5tDPiaeI7oETf0+8l+JIS1b399FyqHi7smzjpvC6GuKflQrbuHK4MuKzDh7WTHiqokGG4SS0wOQIaaHB3dfdwwQzPh6IM24e8CETxh3DjMeqUTU4DWmv5po55jZ934TtxVQvVN78bTG9O0zS9u+JmRY04OZ+OaXuFam6MfMUFQi0EPZzdGul/oWSibGUu3bNfVEBp60CnJwYNM/dKG6U7pJthLHvSwiQFOdKzHZ+l1jZJ4gPaXaIGqpwqVGr28ntqA/El1rytPixr2driE6bYMt5jw="
 env:
  - PATH=$PATH:. VAULT_VERSION=1.7.0 ANALYSIS=false
 cache:
  directories:
    - '$HOME/.m2/repository'
    - '$HOME/.sonar/cache'
 jobs:
  include:
    - jdk: openjdk8
    - jdk: openjdk11
      env: PATH=$PATH:. VAULT_VERSION=1.7.0 ANALYSIS=true
    - jdk: openjdk16
 before_script:
  - |
    if [[ "$TRAVIS_BRANCH" =~ ^master|(release\/.+)$ ]]; then
      wget -q https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip
      wget -q -O - https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS | grep linux_amd64 | sha256sum -c
      unzip vault_${VAULT_VERSION}_linux_amd64.zip
      rm vault_${VAULT_VERSION}_linux_amd64.zip
    fi
 script:
  - mvn -B clean compile
  - |
    if [[ "$TRAVIS_BRANCH" =~ ^master|(release\/.+)$ ]]; then
      mvn -B resources:testResources compiler:testCompile surefire:test -P coverage
    else
      mvn -B resources:testResources compiler:testCompile surefire:test -P coverage -P offline-tests
    fi
 after_success:
  - if [ "$ANALYSIS" == "true" ]; then mvn sonar:sonar; fi
 notifications:
  slack:
    secure: "YyE5GePOLkCVTtCy8j507BRmQrtrWhtvmUt4kY0Z2/ptf0LzfuDEJQ4ZbCxO5ri5IDJrrvyPAedjft818+bMzdFfxvi1oviIL+LZNhyev8gfeIBF/U2pvSLGKCRX4g4aZ6NKN3Untjdm8lmiVTltOyZ59JizQVwXzAl3LiOpnJugyBqbhOx4EIqBzwW3gaYAofMqY2LczW5W/M+99HJCst8Mb8H06GstCPEHCizAq7VRaUS68PstlxQMV0Q6bsSYMLFbLWmhuXs96WHqOrT+nNsl07ikr3N8c4HafhFutt2Jyc1+8gXO417+eSvVM0iBpHGwTmfGFfCqx/4Pf62DTJuvh8dR4fLgLDiqEeDrBEcRRDOs9cvXVOO22NN1HuBBJY8VRiFcwNAvuVMXCtnC+1RJRAZB2zubsANiFe+ygk/ywj37cVXY+NpqlBwcSph6jPHo2hD6cIl2rTWn1EnZH519Rh38xTSv6MRzAO9kWNVrAlX+UtvYS8Sk7Owrc0tET9Lc4zj6aI5tsA1wYbN3Jk6EbMhsF6K/XF2npt2qg09pxkj8wmxoUoR6/rGuSv55aSxTdLDmH+en4ahEm3uc4h1lYoVCk0yrZoTAas3zS4WpBCKnl+mweuKNxaejyy0Wv6NR9ZCTaS3yFgibNOjvDpxZxTAPdNBL7hn+k4LwgN4="
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,227 @@
 ## 1.5.0 (2025-04-13)
 ### Deprecations
 * `read...Credentials()` methods for specific database mounts (#92)
 ### Features
 * Support Vault transit API (#89)
 * Support PEM certificate string from `VAULT_CACERT` environment variable (#93)
 ### Improvements
 * Replace deprecated `java.net.URL` usage with `java.net.URI` (#94)
 ### Fix
 * Fix initialization from environment without explicit port
 ### Dependencies
 * Updated Jackson to 2.18.3 (#90)
 ### Test
 * Tested against Vault 1.2 to 1.19
 ## 1.4.0 (2024-12-07)
 ### Removal
 * Remove deprecated `get...TimeString()` on model classes (#77)
 * Drop support for deprecated `App-ID` auth backend (#61) (#78)
 ### Fix
 * Add jackson-annotations requirement to module-info (#84)
 ### Dependencies
 * Updated Jackson to 2.18.2 (#85)
 ### Test
 * Tested against Vault 1.2 to 1.18
 ## 1.3.1 (2024-10-03)
 ### Dependencies
 * Updated Jackson to 2.18.0 (#80)
 ### Fix
 * Remove `Automatic-Module-Name` from JAR manifest (#79)
 ## 1.3.0 (2024-06-29)
 ### Improvements
 * Simplify JSON parsing in error handler
 * Add new fields from Vault 1.16 and 1.17 to `HealthResponse`
  * `echo_duration_ms`
  * `clock_skew_ms`
  * `replication_primary_canary_age_ms`
  * `enterprise`
 * Add missing `num_uses` field to `AuthData`
 * Add `mount_type` attribute to common response model
 * Add `auth` attribute to common response model
 * Add `custom_metadata`, `cas_required` and `delete_version_after` fields for KVv2 metadata
 * Generate and attach CycloneDX SBOM
 ### Fix
 * Rename `enable_local_secret_id` to `local_secret_ids` in `AppRole` model
 ### Dependencies
 * Updated Jackson to 2.17.1
 ### Test
 * Tested against Vault 1.2 to 1.17
 ## 1.2.0 (2023-12-11)
 ### Deprecations
 * `get...TimeString()` methods on various model classes are now deprecated
 ### Improvements
 * Parse timestamps as `ZonedDateTime` instead of `String` representation
 * Remove redundant `java.base` requirement from _module-info.java_ (#69)
 * Close Java HTTP Client when running on Java 21 or later (#70)
 * Add MFA requirements tu `AuthResponse` (#71)
 * Extend `AuthMethod` data model (#72)
 ### Dependencies
 * Updated Jackson to 2.16.0
 ## 1.1.5 (2023-08-19)
 ### Fix
 * Fixed JSON type conversion in `SecretResponse#get(String, Class)` (#67)
 ### Test
 * Tested against Vault 1.2 to 1.15
 ## 1.1.4 (2023-06-15)
 ### Fix
 * Use `[+-]XX:XX` notation for timezone in date/time parsing
 ### Improvements
 * Use explicit UTF-8 encoding for parsing responses
 ### Dependencies
 * Updated Jackson to 2.15.2
 ### Test
 * Tested against Vault 1.2.0 to 1.13.3
 ## 1.1.3 (2023-01-31)
 ### Deprecations
 * AppID components (deprecated since 0.4) are marked for removal with the next major release
 ### Dependencies
 * Updated Jackson to 2.14.2
 ### Improvements
 * Minor internal refactoring
 ### Test
 * Tested against Vault 1.2.0 to 1.12.2
 ## 1.1.2 (2022-10-26)
 ### Dependencies
 * Updated Jackson to 2.13.4.2
 ### Test
 * Tested against Vault 1.2.0 to 1.12.0
 * Disable AppID tests for Vault 1.12 and above (auth method removed)
 * Tested with Java 19
 ## 1.1.1 (2022-08-29)
 ### Dependencies
 * Updated Jackson to 2.13.3
 ### Test
 * Tested against Vault 1.11.2
 * Tested with Java 18
 ## 1.1.0 (2022-04-24)
 ### Fix
 * Use `replication_performance_mode`  instead of `replication_perf_mode` in health response.
 ### Improvements
 * Add `migration`, `recovery_seal` and `storage_type` fields to `SealReponse` model
 * Add support for `wrap_info` in data response models
 * Dependency updates
 * Model and response classes implement `Serializable` (#57)
 * Split `SercretResponse`  into `PlainSecretResponse` and `MetaSecretResponse` subclasses (common API unchanged)
 * Add missing fields to `AuthMethod` model
 * Add support for (dis)allowed policy glob patterns in `TokenRole`
 * Add request ID to data response models
 ### Test
 * Tested against Vault 1.10.1
 ## 1.0.1 (2021-11-21)
 ### Fix
 * Make `HTTPVaultConnectorBuilder#withPort(Integer)` null-safe (#56)
 * Make system-lambda dependency test-only (#58)
 ### Test
 * Tested against Vault 1.9.0
 ## 1.0.0 (2021-10-02)
 ### Breaking
 * Requires Java 11 or later
 * Builder invocation has changed, use `HTTPVaultConnector.builder()....build()`
 ### Removal
 * Remove deprecated `VaultConnectorFactory` in favor of `VaultConnectorBuilder` with identical API
 * Remove deprecated `AppRoleBuilder` and `TokenBuilder` in favor of `AppRole.Builder` and `Token.Builder`
 * Remove deprecated `Period`, `Policy` and `Policies` methods from `AppRole` in favor of `Token`-prefixed versions
 * Remove deprecated `SecretResponse#getValue()` method, use `get("value")` instead
 * Remove deprecated convenience methods for interaction with "secret" mount
 ### Improvements
 * Use pre-sized map objects for fixed-size payloads
 * Remove Apache HTTP Client dependency in favor of Java 11 HTTP
 * Introduce Java module descriptor
 ### Test
 * Tested against Vault 1.8.3
 ## 0.9.5 (2021-07-28)
 ### Deprecations
 * Deprecate ` {read,write,delete}Secret()` convenience methods. Use `{read,write,delete}("secret/...")` instead (#52)
 * Deprecated builder invocation `VaultConnectorBuilder.http()` in favor of `HTTPVaultConnector.builder()` (#51)
 * Deprecated `de.stklcode.jvault.connector.builder.HTTPVaultConnectorBuilder` in favor of `de.stklcode.jvault.connector.HTTPVaultConnectorBuilder` (only package changed) (#51)
 Old builders will be removed in 1.0
 ### Improvements
 * Minor dependency updates
 ### Test
 * Tested against Vault 1.8.0
 ## 0.9.4 (2021-06-06)
 ### Deprecations
 * `AppRole.Builder#wit0hTokenPeriod()` is deprecated in favor of `#withTokenPeriod()` (#49)
 ### Improvements
 * Minor dependency updates
 ### Test
 * Tested against Vault 1.7.2
 ## 0.9.3 (2021-04-02)
 ### Improvements
@ -38,7 +262,7 @@
 * Added `entity_id`, `token_policies`, `token_type` and `orphan` flags to auth response
 * Added `entity_id`, `expire_time`, `explicit_max_ttl`, `issue_time`, `renewable` and `type` flags to token data
 * Added `explicit_max_ttl`, `period` and `entity_alias` flags to _Token_ model (#41)
-* Added `enable_local_secret_ids`, `token_bound_cidrs`, `token_explicit_max_ttl`, `token_no_default_policy`, 
+* Added `enable_local_secret_ids`, `token_bound_cidrs`, `token_explicit_max_ttl`, `token_no_default_policy`,
  `token_num_uses`, `token_period` and `token_type` flags to _AppRole_ model
 * Minor dependency updates
@ -58,14 +282,14 @@
 ## 0.8.2 (2019-10-20)
 ### Fixes
-* Fixed token lookup (#31) 
+* Fixed token lookup (#31)
 ### Improvements
 * Updated dependencies
 ## 0.8.1 (2019-08-16)
 ### Fixes
-* Removed compile dependency to JUnit library (#30) 
+* Removed compile dependency to JUnit library (#30)
 ### Improvements
 * Updated dependencies
@ -157,7 +381,7 @@
 ### Fixes
 * `SecretResponse` does not throw NPE on `get(key)` and `getData()`
-### Test 
+### Test
 * Tested against Vault 0.7.2
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -0,0 +1,112 @@
 # How to contribute
 As for all great Open Source projects, contributions in form of bug reports and code are welcome and important to keep the project alive.
 In general, this project follows the [GitHub Flow](https://guides.github.com/introduction/flow/).
 Fork the project, commit your changes to your branch, open a pull request and it will probably be merged.
 However, to ensure maintainability and quality of the code, there are some guidelines you might be more or less familiar with.
 For that purpose, this document describes the important points.
 ## Opening an Issue
 If you experience any issues with the library or the code, don't hesitate to file an issue.
 ### Bug Reports
 Think you found a bug?
 Please clearly state what happens and describe your environment to help tracking down the issue.
 * Which version of the connector are you running?
 * Which version of Java (architecture and OS if relevant)?
 * Which version of Vault?
 ### Feature Requests
 Missing a feature or like to have certain functionality enhanced?
 No problem, please open an issue and describe what and why you think this change is required.
 ## Pull Requests
 If you want to contribute your code to solve an issue or implement a desired feature yourself, you might open a pull request.
 If the changes introduce new functionality or affect major parts of existing code, please consider opening an issue for discussion first.
 Extending or adapting JUnit test cases would be nice (no hard criterion though).
 The `main` branch also be target for most pull requests.
 However, if it features new functionality you might want to target the `develop` branch instead (see next section for details on branches).
 ### Branches
 The `main` branch represents the current, more or less stable state of development.
 Please ensure your initial code is up to date with it at the time you start development.
 In addition, this project features a `develop` branch, which holds bleeding edge developments, not necessarily considered stable or even compatible.
 Do not expect this code to run smoothly, but you might have a look into the history to see if some work on an issue has already been started there.
 For fixes and features, there might be additional branches, likely prefixed by `fix/` or `feature/` followed by an issue number (if applicable) and/or a title.
 Feel free to adapt this naming scheme to your forks.
 ### Merge Requirements
 To be merged into the main branch, your code has to pass the automated continuous integration tests, to ensure compatibility.
 In addition, your code has to be approved by a project member.
 #### What if my code fails the tests?
 Don't worry, you can submit your PR anyway.
 The reviewing process might help you to solve remaining issues.
 ### Commit messages
 Please use speaking titles and messages for your commits, to ensure a transparent history.
 If your patch fixes an issue, reference the ID in the first line.
 If you feel like you have to _briefly_ explain your changes, do it (for long explanations and discussion, consider opening an issue or describe in the PR).
 **Example commit:**
 ```text
 Fix nasty bug from #1337
 This example commit fixes the issue that some people write non-speaking commit messages like 'done magic'.
 A short description is helpful sometimes.
 ```
 You might sign your work, although that's no must.
 ### When will it be merged?
 Short answer: When it makes sense.
 Bugfixes should be merged in time - assuming they pass the above criteria.
 New features might be assigned to a certain milestone and as a result of this be scheduled according to the planned release cycle.
 ## Compatibility
 To ensure usability for a wide range of users, please take note on the software requirements stated in the `README`.
 This includes especially Java versions and a minimum version of _Vault_.
 If you are unsure if your code matches these versions, the test will probably tell you.
 In case you think, your change is more important than maintaining backwards compatibility, please start a discussion to see,
 if we might increase the minimum version or find a workaround for legacy systems.
 ## Build Environment
 All you need to start off - besides your favorite IDE and a JDK of course - is [Maven](https://maven.apache.org/).
 ## Unit Tests
 The code is tested by JUnit tests.
 For standalone testing against mocked APIs the _Maven_ profile `offline-test` should be used.
 Otherwise, there is a test suite that requires an actual _Vault_ binary in the executable path to start a real server instance. 
 ## Continuous Integration
 Automated tests are run using [GitHub Actions](https://github.com/features/actions) for every commit including pull requests.
 Tests usually run against the minimal supported version, all supported LTS versions and the latest version of Java.
 There is an automated code quality analysis pushing results to [SonarCloud](https://sonarcloud.io/dashboard?id=de.stklcode.jvault%3Ajvault-connector).
 ## Still Open Questions?
 If anything is still left unanswered and you're unsure if you got it right, don't hesitate to contact a team member.
 In any case you might submit your request/issue anyway, we won't refuse good code only for formal reasons.
--- a/README.md
+++ b/README.md
@ -1,24 +1,23 @@
-# Java Vault Connector 
+# Java Vault Connector
-[![Build Status](https://travis-ci.com/stklcode/jvaultconnector.svg?branch=master)](https://travis-ci.com/stklcode/jvaultconnector)
+[![CI](https://github.com/stklcode/jvaultconnector/actions/workflows/ci.yml/badge.svg)](https://github.com/stklcode/jvaultconnector/actions/workflows/ci.yml)
-[![Quality Gate](https://sonarcloud.io/api/project_badges/measure?project=de.stklcode.jvault%3Ajvault-connector&metric=alert_status)](https://sonarcloud.io/dashboard?id=de.stklcode.jvault%3Ajvault-connector)
+[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=de.stklcode.jvault%3Ajvault-connector&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=de.stklcode.jvault%3Ajvault-connector)
-[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](https://github.com/stklcode/jvaultconnector/blob/master/LICENSE.txt) 
+[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](https://github.com/stklcode/jvaultconnector/blob/main/LICENSE.txt)
-[![Maven Central](https://img.shields.io/maven-central/v/de.stklcode.jvault/jvault-connector.svg)](https://search.maven.org/#search%7Cga%7C1%7Cg%3A%22de.stklcode.jvault%22%20AND%20a%3A%22jvault-connector%22)
+[![Maven Central Version](https://img.shields.io/maven-central/v/de.stklcode.jvault/jvault-connector)](https://central.sonatype.com/artifact/de.stklcode.jvault/jvault-connector)
-![Logo](https://raw.githubusercontent.com/stklcode/jvaultconnector/master/assets/logo.png)
+![Logo](assets/logo.png)
 Java Vault Connector is a connector library for [Vault](https://www.vaultproject.io) by [Hashicorp](https://www.hashicorp.com) written in Java. The connector allows simple usage of Vault's secret store in own applications.
 ## Features:
 * HTTP(S) backend connector
-    *  Ability to provide or enforce custom CA certificate
+    * Ability to provide or enforce custom CA certificate
    * Optional initialization from environment variables
 * Authorization methods
    * Token
    * Username/Password
    * AppRole (register and authenticate)
    * AppID (register and authenticate) [_deprecated_]
 * Tokens
    * Creation and lookup of tokens and token roles
    * TokenBuilder for speaking creation of complex configurations
@ -29,10 +28,11 @@ Java Vault Connector is a connector library for [Vault](https://www.vaultproject
    * Delete secrets
    * Renew/revoke leases
    * Raw secret content or JSON decoding
    * SQL secret handling
    * KV v1 and v2 support
    * Database secret handling
 * Transit API support
 * Connector Factory with builder pattern
-* Tested against Vault 1.7.0
+* Tested against Vault 1.2 to 1.19
 ## Maven Artifact
@ -40,7 +40,7 @@ Java Vault Connector is a connector library for [Vault](https://www.vaultproject
 <dependency>
    <groupId>de.stklcode.jvault</groupId>
    <artifactId>jvault-connector</artifactId>
-    <version>0.9.3</version>
+    <version>1.5.0</version>
 </dependency>
 ```
@ -50,21 +50,19 @@ Java Vault Connector is a connector library for [Vault](https://www.vaultproject
 ```java
 // Instantiate using builder pattern style factory (TLS enabled by default)
-VaultConnector vault = VaultConnectorBuilder.http()
+VaultConnector vault = HTTPVaultConnector.builder()
 .withHost("127.0.0.1")
 .withPort(8200)
 .withTLS()
 .build();
 // Instantiate with custom SSL context
-VaultConnector vault = VaultConnectorBuilder.http()
+VaultConnector vault = HTTPVaultConnector.builder("https://example.com:8200/v1/")
 .withHost("example.com")
 .withPort(8200)
 .withTrustedCA(Paths.get("/path/to/CA.pem"))
 .build();
-// Initialization from environment variables 
+// Initialization from environment variables
-VaultConnector vault = VaultConnectorBuilder.http()
+VaultConnector vault = HTTPVaultConnector.builder()
 .fromEnv()
 .build();
 ```
@ -120,10 +118,10 @@ AppRoleSecretResponse secret = vault.createAppRoleSecret("testrole");
 ## Links
-[Project Page](http://jvault.stklcode.de)
+[Project Page](https://jvault.stklcode.de)
-[JavaDoc API](http://jvault.stklcode.de/apidocs/)
+[JavaDoc API](https://jvault.stklcode.de/apidocs/)
 ## License
-The project is licensed under [Apache License 2.0](http://www.apache.org/licenses/LICENSE-2.0).
+The project is licensed under [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0).
--- a/332
+++ b/332
@ -0,0 +1,332 @@
 #!/bin/sh
 # ----------------------------------------------------------------------------
 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
 # distributed with this work for additional information
 # regarding copyright ownership.  The ASF licenses this file
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
 #    http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
 # ----------------------------------------------------------------------------
 # ----------------------------------------------------------------------------
 # Apache Maven Wrapper startup batch script, version 3.3.2
 #
 # Required ENV vars:
 # ------------------
 #   JAVA_HOME - location of a JDK home dir
 #
 # Optional ENV vars
 # -----------------
 #   MAVEN_OPTS - parameters passed to the Java VM when running Maven
 #     e.g. to debug Maven itself, use
 #       set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
 #   MAVEN_SKIP_RC - flag to disable loading of mavenrc files
 # ----------------------------------------------------------------------------
 if [ -z "$MAVEN_SKIP_RC" ]; then
  if [ -f /usr/local/etc/mavenrc ]; then
    . /usr/local/etc/mavenrc
  fi
  if [ -f /etc/mavenrc ]; then
    . /etc/mavenrc
  fi
  if [ -f "$HOME/.mavenrc" ]; then
    . "$HOME/.mavenrc"
  fi
 fi
 # OS specific support.  $var _must_ be set to either true or false.
 cygwin=false
 darwin=false
 mingw=false
 case "$(uname)" in
 CYGWIN*) cygwin=true ;;
 MINGW*) mingw=true ;;
 Darwin*)
  darwin=true
  # Use /usr/libexec/java_home if available, otherwise fall back to /Library/Java/Home
  # See https://developer.apple.com/library/mac/qa/qa1170/_index.html
  if [ -z "$JAVA_HOME" ]; then
    if [ -x "/usr/libexec/java_home" ]; then
      JAVA_HOME="$(/usr/libexec/java_home)"
      export JAVA_HOME
    else
      JAVA_HOME="/Library/Java/Home"
      export JAVA_HOME
    fi
  fi
  ;;
 esac
 if [ -z "$JAVA_HOME" ]; then
  if [ -r /etc/gentoo-release ]; then
    JAVA_HOME=$(java-config --jre-home)
  fi
 fi
 # For Cygwin, ensure paths are in UNIX format before anything is touched
 if $cygwin; then
  [ -n "$JAVA_HOME" ] \
    && JAVA_HOME=$(cygpath --unix "$JAVA_HOME")
  [ -n "$CLASSPATH" ] \
    && CLASSPATH=$(cygpath --path --unix "$CLASSPATH")
 fi
 # For Mingw, ensure paths are in UNIX format before anything is touched
 if $mingw; then
  [ -n "$JAVA_HOME" ] && [ -d "$JAVA_HOME" ] \
    && JAVA_HOME="$(
      cd "$JAVA_HOME" || (
        echo "cannot cd into $JAVA_HOME." >&2
        exit 1
      )
      pwd
    )"
 fi
 if [ -z "$JAVA_HOME" ]; then
  javaExecutable="$(which javac)"
  if [ -n "$javaExecutable" ] && ! [ "$(expr "$javaExecutable" : '\([^ ]*\)')" = "no" ]; then
    # readlink(1) is not available as standard on Solaris 10.
    readLink=$(which readlink)
    if [ ! "$(expr "$readLink" : '\([^ ]*\)')" = "no" ]; then
      if $darwin; then
        javaHome="$(dirname "$javaExecutable")"
        javaExecutable="$(cd "$javaHome" && pwd -P)/javac"
      else
        javaExecutable="$(readlink -f "$javaExecutable")"
      fi
      javaHome="$(dirname "$javaExecutable")"
      javaHome=$(expr "$javaHome" : '\(.*\)/bin')
      JAVA_HOME="$javaHome"
      export JAVA_HOME
    fi
  fi
 fi
 if [ -z "$JAVACMD" ]; then
  if [ -n "$JAVA_HOME" ]; then
    if [ -x "$JAVA_HOME/jre/sh/java" ]; then
      # IBM's JDK on AIX uses strange locations for the executables
      JAVACMD="$JAVA_HOME/jre/sh/java"
    else
      JAVACMD="$JAVA_HOME/bin/java"
    fi
  else
    JAVACMD="$(
      \unset -f command 2>/dev/null
      \command -v java
    )"
  fi
 fi
 if [ ! -x "$JAVACMD" ]; then
  echo "Error: JAVA_HOME is not defined correctly." >&2
  echo "  We cannot execute $JAVACMD" >&2
  exit 1
 fi
 if [ -z "$JAVA_HOME" ]; then
  echo "Warning: JAVA_HOME environment variable is not set." >&2
 fi
 # traverses directory structure from process work directory to filesystem root
 # first directory with .mvn subdirectory is considered project base directory
 find_maven_basedir() {
  if [ -z "$1" ]; then
    echo "Path not specified to find_maven_basedir" >&2
    return 1
  fi
  basedir="$1"
  wdir="$1"
  while [ "$wdir" != '/' ]; do
    if [ -d "$wdir"/.mvn ]; then
      basedir=$wdir
      break
    fi
    # workaround for JBEAP-8937 (on Solaris 10/Sparc)
    if [ -d "${wdir}" ]; then
      wdir=$(
        cd "$wdir/.." || exit 1
        pwd
      )
    fi
    # end of workaround
  done
  printf '%s' "$(
    cd "$basedir" || exit 1
    pwd
  )"
 }
 # concatenates all lines of a file
 concat_lines() {
  if [ -f "$1" ]; then
    # Remove \r in case we run on Windows within Git Bash
    # and check out the repository with auto CRLF management
    # enabled. Otherwise, we may read lines that are delimited with
    # \r\n and produce $'-Xarg\r' rather than -Xarg due to word
    # splitting rules.
    tr -s '\r\n' ' ' <"$1"
  fi
 }
 log() {
  if [ "$MVNW_VERBOSE" = true ]; then
    printf '%s\n' "$1"
  fi
 }
 BASE_DIR=$(find_maven_basedir "$(dirname "$0")")
 if [ -z "$BASE_DIR" ]; then
  exit 1
 fi
 MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"}
 export MAVEN_PROJECTBASEDIR
 log "$MAVEN_PROJECTBASEDIR"
 ##########################################################################################
 # Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
 # This allows using the maven wrapper in projects that prohibit checking in binary data.
 ##########################################################################################
 wrapperJarPath="$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar"
 if [ -r "$wrapperJarPath" ]; then
  log "Found $wrapperJarPath"
 else
  log "Couldn't find $wrapperJarPath, downloading it ..."
  if [ -n "$MVNW_REPOURL" ]; then
    wrapperUrl="$MVNW_REPOURL/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar"
  else
    wrapperUrl="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar"
  fi
  while IFS="=" read -r key value; do
    # Remove '\r' from value to allow usage on windows as IFS does not consider '\r' as a separator ( considers space, tab, new line ('\n'), and custom '=' )
    safeValue=$(echo "$value" | tr -d '\r')
    case "$key" in wrapperUrl)
      wrapperUrl="$safeValue"
      break
      ;;
    esac
  done <"$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.properties"
  log "Downloading from: $wrapperUrl"
  if $cygwin; then
    wrapperJarPath=$(cygpath --path --windows "$wrapperJarPath")
  fi
  if command -v wget >/dev/null; then
    log "Found wget ... using wget"
    [ "$MVNW_VERBOSE" = true ] && QUIET="" || QUIET="--quiet"
    if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
      wget $QUIET "$wrapperUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
    else
      wget $QUIET --http-user="$MVNW_USERNAME" --http-password="$MVNW_PASSWORD" "$wrapperUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
    fi
  elif command -v curl >/dev/null; then
    log "Found curl ... using curl"
    [ "$MVNW_VERBOSE" = true ] && QUIET="" || QUIET="--silent"
    if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
      curl $QUIET -o "$wrapperJarPath" "$wrapperUrl" -f -L || rm -f "$wrapperJarPath"
    else
      curl $QUIET --user "$MVNW_USERNAME:$MVNW_PASSWORD" -o "$wrapperJarPath" "$wrapperUrl" -f -L || rm -f "$wrapperJarPath"
    fi
  else
    log "Falling back to using Java to download"
    javaSource="$MAVEN_PROJECTBASEDIR/.mvn/wrapper/MavenWrapperDownloader.java"
    javaClass="$MAVEN_PROJECTBASEDIR/.mvn/wrapper/MavenWrapperDownloader.class"
    # For Cygwin, switch paths to Windows format before running javac
    if $cygwin; then
      javaSource=$(cygpath --path --windows "$javaSource")
      javaClass=$(cygpath --path --windows "$javaClass")
    fi
    if [ -e "$javaSource" ]; then
      if [ ! -e "$javaClass" ]; then
        log " - Compiling MavenWrapperDownloader.java ..."
        ("$JAVA_HOME/bin/javac" "$javaSource")
      fi
      if [ -e "$javaClass" ]; then
        log " - Running MavenWrapperDownloader.java ..."
        ("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$wrapperUrl" "$wrapperJarPath") || rm -f "$wrapperJarPath"
      fi
    fi
  fi
 fi
 ##########################################################################################
 # End of extension
 ##########################################################################################
 # If specified, validate the SHA-256 sum of the Maven wrapper jar file
 wrapperSha256Sum=""
 while IFS="=" read -r key value; do
  case "$key" in wrapperSha256Sum)
    wrapperSha256Sum=$value
    break
    ;;
  esac
 done <"$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.properties"
 if [ -n "$wrapperSha256Sum" ]; then
  wrapperSha256Result=false
  if command -v sha256sum >/dev/null; then
    if echo "$wrapperSha256Sum  $wrapperJarPath" | sha256sum -c >/dev/null 2>&1; then
      wrapperSha256Result=true
    fi
  elif command -v shasum >/dev/null; then
    if echo "$wrapperSha256Sum  $wrapperJarPath" | shasum -a 256 -c >/dev/null 2>&1; then
      wrapperSha256Result=true
    fi
  else
    echo "Checksum validation was requested but neither 'sha256sum' or 'shasum' are available." >&2
    echo "Please install either command, or disable validation by removing 'wrapperSha256Sum' from your maven-wrapper.properties." >&2
    exit 1
  fi
  if [ $wrapperSha256Result = false ]; then
    echo "Error: Failed to validate Maven wrapper SHA-256, your Maven wrapper might be compromised." >&2
    echo "Investigate or delete $wrapperJarPath to attempt a clean download." >&2
    echo "If you updated your Maven version, you need to update the specified wrapperSha256Sum property." >&2
    exit 1
  fi
 fi
 MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS"
 # For Cygwin, switch paths to Windows format before running java
 if $cygwin; then
  [ -n "$JAVA_HOME" ] \
    && JAVA_HOME=$(cygpath --path --windows "$JAVA_HOME")
  [ -n "$CLASSPATH" ] \
    && CLASSPATH=$(cygpath --path --windows "$CLASSPATH")
  [ -n "$MAVEN_PROJECTBASEDIR" ] \
    && MAVEN_PROJECTBASEDIR=$(cygpath --path --windows "$MAVEN_PROJECTBASEDIR")
 fi
 # Provide a "standardized" way to retrieve the CLI args that will
 # work with both Windows and non-Windows executions.
 MAVEN_CMD_LINE_ARGS="$MAVEN_CONFIG $*"
 export MAVEN_CMD_LINE_ARGS
 WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
 # shellcheck disable=SC2086 # safe args
 exec "$JAVACMD" \
  $MAVEN_OPTS \
  $MAVEN_DEBUG_OPTS \
  -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \
  "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \
  ${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@"
--- a/mvnw.cmd
+++ b/mvnw.cmd
@ -0,0 +1,206 @@
@REM ----------------------------------------------------------------------------
@REM Licensed to the Apache Software Foundation (ASF) under one
@REM or more contributor license agreements.  See the NOTICE file
@REM distributed with this work for additional information
@REM regarding copyright ownership.  The ASF licenses this file
@REM to you under the Apache License, Version 2.0 (the
@REM "License"); you may not use this file except in compliance
@REM with the License.  You may obtain a copy of the License at
@REM
@REM    http://www.apache.org/licenses/LICENSE-2.0
@REM
@REM Unless required by applicable law or agreed to in writing,
@REM software distributed under the License is distributed on an
@REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
@REM KIND, either express or implied.  See the License for the
@REM specific language governing permissions and limitations
@REM under the License.
@REM ----------------------------------------------------------------------------
@REM ----------------------------------------------------------------------------
@REM Apache Maven Wrapper startup batch script, version 3.3.2
@REM
@REM Required ENV vars:
@REM JAVA_HOME - location of a JDK home dir
@REM
@REM Optional ENV vars
@REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands
@REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a keystroke before ending
@REM MAVEN_OPTS - parameters passed to the Java VM when running Maven
@REM     e.g. to debug Maven itself, use
@REM set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
@REM MAVEN_SKIP_RC - flag to disable loading of mavenrc files
@REM ----------------------------------------------------------------------------
@REM Begin all REM lines with '@' in case MAVEN_BATCH_ECHO is 'on'
@echo off
@REM set title of command window
 title %0
@REM enable echoing by setting MAVEN_BATCH_ECHO to 'on'
@if "%MAVEN_BATCH_ECHO%" == "on"  echo %MAVEN_BATCH_ECHO%
@REM set %HOME% to equivalent of $HOME
 if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%")
@REM Execute a user defined script before this one
 if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre
@REM check for pre script, once with legacy .bat ending and once with .cmd ending
 if exist "%USERPROFILE%\mavenrc_pre.bat" call "%USERPROFILE%\mavenrc_pre.bat" %*
 if exist "%USERPROFILE%\mavenrc_pre.cmd" call "%USERPROFILE%\mavenrc_pre.cmd" %*
 :skipRcPre
@setlocal
 set ERROR_CODE=0
@REM To isolate internal variables from possible post scripts, we use another setlocal
@setlocal
@REM ==== START VALIDATION ====
 if not "%JAVA_HOME%" == "" goto OkJHome
 echo. >&2
 echo Error: JAVA_HOME not found in your environment. >&2
 echo Please set the JAVA_HOME variable in your environment to match the >&2
 echo location of your Java installation. >&2
 echo. >&2
 goto error
 :OkJHome
 if exist "%JAVA_HOME%\bin\java.exe" goto init
 echo. >&2
 echo Error: JAVA_HOME is set to an invalid directory. >&2
 echo JAVA_HOME = "%JAVA_HOME%" >&2
 echo Please set the JAVA_HOME variable in your environment to match the >&2
 echo location of your Java installation. >&2
 echo. >&2
 goto error
@REM ==== END VALIDATION ====
 :init
@REM Find the project base dir, i.e. the directory that contains the folder ".mvn".
@REM Fallback to current working directory if not found.
 set MAVEN_PROJECTBASEDIR=%MAVEN_BASEDIR%
 IF NOT "%MAVEN_PROJECTBASEDIR%"=="" goto endDetectBaseDir
 set EXEC_DIR=%CD%
 set WDIR=%EXEC_DIR%
 :findBaseDir
 IF EXIST "%WDIR%"\.mvn goto baseDirFound
 cd ..
 IF "%WDIR%"=="%CD%" goto baseDirNotFound
 set WDIR=%CD%
 goto findBaseDir
 :baseDirFound
 set MAVEN_PROJECTBASEDIR=%WDIR%
 cd "%EXEC_DIR%"
 goto endDetectBaseDir
 :baseDirNotFound
 set MAVEN_PROJECTBASEDIR=%EXEC_DIR%
 cd "%EXEC_DIR%"
 :endDetectBaseDir
 IF NOT EXIST "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" goto endReadAdditionalConfig
@setlocal EnableExtensions EnableDelayedExpansion
 for /F "usebackq delims=" %%a in ("%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config") do set JVM_CONFIG_MAVEN_PROPS=!JVM_CONFIG_MAVEN_PROPS! %%a
@endlocal & set JVM_CONFIG_MAVEN_PROPS=%JVM_CONFIG_MAVEN_PROPS%
 :endReadAdditionalConfig
 SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe"
 set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar"
 set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
 set WRAPPER_URL="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar"
 FOR /F "usebackq tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
    IF "%%A"=="wrapperUrl" SET WRAPPER_URL=%%B
 )
@REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
@REM This allows using the maven wrapper in projects that prohibit checking in binary data.
 if exist %WRAPPER_JAR% (
    if "%MVNW_VERBOSE%" == "true" (
        echo Found %WRAPPER_JAR%
    )
 ) else (
    if not "%MVNW_REPOURL%" == "" (
        SET WRAPPER_URL="%MVNW_REPOURL%/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar"
    )
    if "%MVNW_VERBOSE%" == "true" (
        echo Couldn't find %WRAPPER_JAR%, downloading it ...
        echo Downloading from: %WRAPPER_URL%
    )
    powershell -Command "&{"^
 		"$webclient = new-object System.Net.WebClient;"^
 		"if (-not ([string]::IsNullOrEmpty('%MVNW_USERNAME%') -and [string]::IsNullOrEmpty('%MVNW_PASSWORD%'))) {"^
 		"$webclient.Credentials = new-object System.Net.NetworkCredential('%MVNW_USERNAME%', '%MVNW_PASSWORD%');"^
 		"}"^
 		"[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $webclient.DownloadFile('%WRAPPER_URL%', '%WRAPPER_JAR%')"^
 		"}"
    if "%MVNW_VERBOSE%" == "true" (
        echo Finished downloading %WRAPPER_JAR%
    )
 )
@REM End of extension
@REM If specified, validate the SHA-256 sum of the Maven wrapper jar file
 SET WRAPPER_SHA_256_SUM=""
 FOR /F "usebackq tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
    IF "%%A"=="wrapperSha256Sum" SET WRAPPER_SHA_256_SUM=%%B
 )
 IF NOT %WRAPPER_SHA_256_SUM%=="" (
    powershell -Command "&{"^
       "Import-Module $PSHOME\Modules\Microsoft.PowerShell.Utility -Function Get-FileHash;"^
       "$hash = (Get-FileHash \"%WRAPPER_JAR%\" -Algorithm SHA256).Hash.ToLower();"^
       "If('%WRAPPER_SHA_256_SUM%' -ne $hash){"^
       "  Write-Error 'Error: Failed to validate Maven wrapper SHA-256, your Maven wrapper might be compromised.';"^
       "  Write-Error 'Investigate or delete %WRAPPER_JAR% to attempt a clean download.';"^
       "  Write-Error 'If you updated your Maven version, you need to update the specified wrapperSha256Sum property.';"^
       "  exit 1;"^
       "}"^
       "}"
    if ERRORLEVEL 1 goto error
 )
@REM Provide a "standardized" way to retrieve the CLI args that will
@REM work with both Windows and non-Windows executions.
 set MAVEN_CMD_LINE_ARGS=%*
 %MAVEN_JAVA_EXE% ^
  %JVM_CONFIG_MAVEN_PROPS% ^
  %MAVEN_OPTS% ^
  %MAVEN_DEBUG_OPTS% ^
  -classpath %WRAPPER_JAR% ^
  "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" ^
  %WRAPPER_LAUNCHER% %MAVEN_CONFIG% %*
 if ERRORLEVEL 1 goto error
 goto end
 :error
 set ERROR_CODE=1
 :end
@endlocal & set ERROR_CODE=%ERROR_CODE%
 if not "%MAVEN_SKIP_RC%"=="" goto skipRcPost
@REM check for post script, once with legacy .bat ending and once with .cmd ending
 if exist "%USERPROFILE%\mavenrc_post.bat" call "%USERPROFILE%\mavenrc_post.bat"
 if exist "%USERPROFILE%\mavenrc_post.cmd" call "%USERPROFILE%\mavenrc_post.cmd"
 :skipRcPost
@REM pause the script if MAVEN_BATCH_PAUSE is set to 'on'
 if "%MAVEN_BATCH_PAUSE%"=="on" pause
 if "%MAVEN_TERMINATE_CMD%"=="on" exit %ERROR_CODE%
 cmd /C exit /B %ERROR_CODE%
--- a/pom.xml
+++ b/pom.xml
@ -4,7 +4,7 @@
    <groupId>de.stklcode.jvault</groupId>
    <artifactId>jvault-connector</artifactId>
-    <version>0.9.3</version>
+    <version>1.5.1-SNAPSHOT</version>
    <packaging>jar</packaging>
@ -16,21 +16,16 @@
    <licenses>
        <license>
            <name>Apache License 2.0</name>
-            <url>http://www.apache.org/licenses/LICENSE-2.0.html</url>
+            <url>https://www.apache.org/licenses/LICENSE-2.0.html</url>
            <distribution>repo</distribution>
        </license>
    </licenses>
    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <argLine></argLine>
    </properties>
    <developers>
        <developer>
            <name>Stefan Kalscheuer</name>
            <email>stefan@stklcode.de</email>
-            <timezone>+1</timezone>
+            <timezone>Europe/Berlin</timezone>
        </developer>
    </developers>
@ -38,6 +33,7 @@
        <connection>scm:git:git://github.com/stklcode/jvaultconnector.git</connection>
        <developerConnection>scm:git:git@github.com:stklcode/jvaultconnector.git</developerConnection>
        <url>https://github.com/stklcode/jvaultconnector</url>
        <tag>HEAD</tag>
    </scm>
    <issueManagement>
@ -45,125 +41,181 @@
        <url>https://github.com/stklcode/jvaultconnector/issues</url>
    </issueManagement>
-    <build>
+    <properties>
-        <plugins>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-            <plugin>
+        <argLine></argLine>
-                <groupId>org.apache.maven.plugins</groupId>
+    </properties>
                <artifactId>maven-compiler-plugin</artifactId>
                <version>3.8.1</version>
                <configuration>
                    <source>1.8</source>
                    <target>1.8</target>
                </configuration>
            </plugin>
        </plugins>
        <pluginManagement>
            <plugins>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-clean-plugin</artifactId>
                    <version>3.1.0</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-resources-plugin</artifactId>
                    <version>3.2.0</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-jar-plugin</artifactId>
                    <version>3.2.0</version>
                    <configuration>
                        <archive>
                            <manifestEntries>
                                <Automatic-Module-Name>de.stklcode.jvault.connector</Automatic-Module-Name>
                            </manifestEntries>
                        </archive>
                    </configuration>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-install-plugin</artifactId>
                    <version>2.5.2</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-deploy-plugin</artifactId>
                    <version>2.8.2</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-surefire-plugin</artifactId>
                    <version>2.22.2</version>
                    <configuration>
                        <reuseForks>false</reuseForks>
                        <argLine>@{argLine} --illegal-access=permit</argLine>
                    </configuration>
                </plugin>
            </plugins>
        </pluginManagement>
    </build>
    <dependencies>
        <dependency>
            <groupId>org.apache.httpcomponents</groupId>
            <artifactId>httpclient</artifactId>
            <version>4.5.13</version>
        </dependency>
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-databind</artifactId>
-            <version>2.12.2</version>
+             <version>2.18.3</version>
        </dependency>
        <dependency>
            <groupId>com.fasterxml.jackson.datatype</groupId>
            <artifactId>jackson-datatype-jsr310</artifactId>
            <version>2.18.3</version>
        </dependency>
        <dependency>
            <groupId>org.junit.jupiter</groupId>
            <artifactId>junit-jupiter</artifactId>
-            <version>5.7.1</version>
+            <version>5.12.1</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.hamcrest</groupId>
            <artifactId>hamcrest</artifactId>
            <version>2.2</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.mockito</groupId>
            <artifactId>mockito-core</artifactId>
-            <version>3.8.0</version>
+            <version>5.17.0</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.mockito</groupId>
            <artifactId>mockito-inline</artifactId>
            <version>3.8.0</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>com.github.stefanbirkner</groupId>
            <artifactId>system-lambda</artifactId>
-            <version>1.2.0</version>
+            <version>1.2.1</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.wiremock</groupId>
            <artifactId>wiremock</artifactId>
            <version>3.13.0</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>commons-io</groupId>
            <artifactId>commons-io</artifactId>
-            <version>2.8.0</version>
+            <version>2.19.0</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>nl.jqno.equalsverifier</groupId>
            <artifactId>equalsverifier</artifactId>
            <version>3.19.3</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.awaitility</groupId>
            <artifactId>awaitility</artifactId>
            <version>4.3.0</version>
            <scope>test</scope>
        </dependency>
    </dependencies>
-    <dependencyManagement>
+    <build>
-        <dependencies>
+        <pluginManagement>
-            <dependency>
+            <plugins>
-                <groupId>org.sonarsource.scanner.maven</groupId>
+                <plugin>
-                <artifactId>sonar-maven-plugin</artifactId>
+                    <groupId>org.apache.maven.plugins</groupId>
-                <version>3.8.0.2131</version>
+                    <artifactId>maven-compiler-plugin</artifactId>
-            </dependency>
+                    <version>3.14.0</version>
-        </dependencies>
+                    <configuration>
-    </dependencyManagement>
+                        <release>11</release>
                    </configuration>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-clean-plugin</artifactId>
                    <version>3.4.1</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-deploy-plugin</artifactId>
                    <version>3.1.4</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-failsafe-plugin</artifactId>
                    <version>3.5.3</version>
                    <configuration>
                        <argLine>
                            @{argLine}
                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.test=com.fasterxml.jackson.databind
                        </argLine>
                    </configuration>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-install-plugin</artifactId>
                    <version>3.1.4</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-jar-plugin</artifactId>
                    <version>3.4.2</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-resources-plugin</artifactId>
                    <version>3.3.1</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-source-plugin</artifactId>
                    <version>3.3.1</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-surefire-plugin</artifactId>
                    <version>3.5.3</version>
                    <configuration>
                        <argLine>
                            @{argLine}
                            --add-opens java.base/java.util=ALL-UNNAMED
                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector=ALL-UNNAMED
                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.exception=ALL-UNNAMED
                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.model=ALL-UNNAMED
                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.model.response=ALL-UNNAMED
                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.model.response.embedded=ALL-UNNAMED
                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.test=com.fasterxml.jackson.databind
                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.test=com.fasterxml.jackson.datatype.jsr310
                        </argLine>
                    </configuration>
                </plugin>
                <plugin>
                    <groupId>org.cyclonedx</groupId>
                    <artifactId>cyclonedx-maven-plugin</artifactId>
                    <version>2.9.1</version>
                </plugin>
                <plugin>
                    <groupId>org.jacoco</groupId>
                    <artifactId>jacoco-maven-plugin</artifactId>
                    <version>0.8.13</version>
                </plugin>
                <plugin>
                    <groupId>org.sonarsource.scanner.maven</groupId>
                    <artifactId>sonar-maven-plugin</artifactId>
                    <version>5.1.0.4751</version>
                </plugin>
            </plugins>
        </pluginManagement>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-enforcer-plugin</artifactId>
                <version>3.5.0</version>
                <executions>
                    <execution>
                        <id>enforce-versions</id>
                        <goals>
                            <goal>enforce</goal>
                        </goals>
                        <configuration>
                            <rules>
                                <requireMavenVersion>
                                    <version>[3.6.3,)</version>
                                </requireMavenVersion>
                                <requireJavaVersion>
                                    <version>[11,)</version>
                                </requireJavaVersion>
                            </rules>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
    <profiles>
        <profile>
@ -176,7 +228,6 @@
                    <plugin>
                        <groupId>org.apache.maven.plugins</groupId>
                        <artifactId>maven-source-plugin</artifactId>
                        <version>3.2.1</version>
                        <executions>
                            <execution>
                                <id>attach-sources</id>
@ -200,9 +251,9 @@
                    <plugin>
                        <groupId>org.apache.maven.plugins</groupId>
                        <artifactId>maven-javadoc-plugin</artifactId>
-                        <version>3.2.0</version>
+                        <version>3.11.2</version>
                        <configuration>
-                            <source>1.8</source>
+                            <source>11</source>
                        </configuration>
                        <executions>
                            <execution>
@ -217,6 +268,29 @@
            </build>
        </profile>
        <profile>
            <id>sbom</id>
            <build>
                <plugins>
                    <plugin>
                        <groupId>org.cyclonedx</groupId>
                        <artifactId>cyclonedx-maven-plugin</artifactId>
                        <executions>
                            <execution>
                                <phase>package</phase>
                                <goals>
                                    <goal>makeBom</goal>
                                </goals>
                                <configuration>
                                    <skipNotDeployed>false</skipNotDeployed>
                                </configuration>
                            </execution>
                        </executions>
                    </plugin>
                </plugins>
            </build>
        </profile>
        <profile>
            <id>sign</id>
            <build>
@ -224,7 +298,7 @@
                    <plugin>
                        <groupId>org.apache.maven.plugins</groupId>
                        <artifactId>maven-gpg-plugin</artifactId>
-                        <version>1.6</version>
+                        <version>3.2.7</version>
                        <executions>
                            <execution>
                                <id>sign-artifacts</id>
@ -249,17 +323,15 @@
                    <plugin>
                        <groupId>org.jacoco</groupId>
                        <artifactId>jacoco-maven-plugin</artifactId>
                        <version>0.8.6</version>
                        <executions>
                            <execution>
-                                <id>prepare-agent</id>
+                                <id>default-prepare-agent</id>
                                <goals>
                                    <goal>prepare-agent</goal>
                                </goals>
                            </execution>
                            <execution>
-                                <id>report</id>
+                                <id>default-report</id>
                                <phase>prepare-package</phase>
                                <goals>
                                    <goal>report</goal>
                                </goals>
@ -271,19 +343,22 @@
        </profile>
        <profile>
-            <id>offline-tests</id>
+            <id>integration-test</id>
            <build>
-                <pluginManagement>
+                <plugins>
-                    <plugins>
+                    <plugin>
-                        <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
-                            <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-failsafe-plugin</artifactId>
-                            <artifactId>maven-surefire-plugin</artifactId>
+                        <executions>
-                            <configuration>
+                            <execution>
-                                <excludedGroups>online</excludedGroups>
+                                <goals>
-                            </configuration>
+                                    <goal>integration-test</goal>
-                        </plugin>
+                                    <goal>verify</goal>
-                    </plugins>
+                                </goals>
-                </pluginManagement>
+                            </execution>
                        </executions>
                    </plugin>
                </plugins>
            </build>
        </profile>
@ -294,7 +369,11 @@
                    <plugin>
                        <groupId>org.owasp</groupId>
                        <artifactId>dependency-check-maven</artifactId>
-                        <version>6.1.5</version>
+                        <version>12.1.1</version>
                        <configuration>
                            <nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>
                            <nvdDatafeedUrl>${env.NVD_DATAFEED_URL}</nvdDatafeedUrl>
                        </configuration>
                        <executions>
                            <execution>
                                <goals>
@ -308,39 +387,22 @@
        </profile>
        <profile>
-            <id>jdk1.8</id>
+            <id>central</id>
            <activation>
                <jdk>1.8</jdk>
            </activation>
            <build>
-                <pluginManagement>
+                <plugins>
-                    <plugins>
+                    <plugin>
-                        <plugin>
+                        <groupId>org.sonatype.central</groupId>
-                            <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>central-publishing-maven-plugin</artifactId>
-                            <artifactId>maven-surefire-plugin</artifactId>
+                        <version>0.7.0</version>
-                            <configuration>
+                        <extensions>true</extensions>
-                                <argLine>@{argLine}</argLine>
+                        <configuration>
-                            </configuration>
+                            <publishingServerId>central</publishingServerId>
-                        </plugin>
+                        </configuration>
-                    </plugins>
+                    </plugin>
-                </pluginManagement>
+                </plugins>
            </build>
        </profile>
        <profile>
            <id>sonatype</id>
            <distributionManagement>
                <repository>
                    <id>ossrh</id>
                    <url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url>
                </repository>
                <snapshotRepository>
                    <id>ossrh</id>
                    <url>https://oss.sonatype.org/content/repositories/snapshots</url>
                </snapshotRepository>
            </distributionManagement>
        </profile>
        <profile>
            <id>local</id>
            <distributionManagement>
--- a/src/main/java/de/stklcode/jvault/connector/HTTPVaultConnector.java
+++ b/src/main/java/de/stklcode/jvault/connector/HTTPVaultConnector.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -24,7 +24,8 @@ import de.stklcode.jvault.connector.model.*;
 import de.stklcode.jvault.connector.model.response.*;
 import de.stklcode.jvault.connector.model.response.embedded.AuthMethod;
-import java.security.cert.X509Certificate;
+import java.net.URI;
 import java.net.URISyntaxException;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@ -40,30 +41,37 @@ import static java.util.Collections.singletonMap;
 * @since 0.1
 */
 public class HTTPVaultConnector implements VaultConnector {
-    private static final String PATH_PREFIX = "/v1/";
+    private static final String PATH_SYS = "sys";
-    private static final String PATH_SEAL_STATUS = "sys/seal-status";
+    private static final String PATH_SYS_AUTH = PATH_SYS + "/auth";
-    private static final String PATH_SEAL = "sys/seal";
+    private static final String PATH_RENEW = PATH_SYS + "/leases/renew";
-    private static final String PATH_UNSEAL = "sys/unseal";
+    private static final String PATH_REVOKE = PATH_SYS + "/leases/revoke/";
-    private static final String PATH_RENEW = "sys/leases/renew";
+    private static final String PATH_HEALTH = PATH_SYS + "/health";
-    private static final String PATH_AUTH = "sys/auth";
+    private static final String PATH_SEAL = PATH_SYS + "/seal";
-    private static final String PATH_TOKEN = "auth/token";
+    private static final String PATH_SEAL_STATUS = PATH_SYS + "/seal-status";
    private static final String PATH_UNSEAL = PATH_SYS + "/unseal";
    private static final String PATH_AUTH = "auth";
    private static final String PATH_AUTH_TOKEN = PATH_AUTH + "/token";
    private static final String PATH_LOOKUP = "/lookup";
    private static final String PATH_CREATE = "/create";
    private static final String PATH_ROLES = "/roles";
    private static final String PATH_CREATE_ORPHAN = "/create-orphan";
-    private static final String PATH_AUTH_USERPASS = "auth/userpass/login/";
+    private static final String PATH_AUTH_USERPASS = PATH_AUTH + "/userpass/login/";
-    private static final String PATH_AUTH_APPID = "auth/app-id/";
+    private static final String PATH_AUTH_APPROLE = PATH_AUTH + "/approle";
-    private static final String PATH_AUTH_APPROLE = "auth/approle/";
+    private static final String PATH_AUTH_APPROLE_ROLE = PATH_AUTH_APPROLE + "/role/%s%s";
-    private static final String PATH_AUTH_APPROLE_ROLE = "auth/approle/role/%s%s";
+
    private static final String PATH_REVOKE = "sys/leases/revoke/";
    private static final String PATH_HEALTH = "sys/health";
    private static final String PATH_DATA = "/data/";
    private static final String PATH_METADATA = "/metadata/";
    private static final String PATH_LOGIN = "/login";
    private static final String PATH_DELETE = "/delete/";
    private static final String PATH_UNDELETE = "/undelete/";
    private static final String PATH_DESTROY = "/destroy/";
-    public static final String DEFAULT_TLS_VERSION = "TLSv1.2";
+    private static final String PATH_TRANSIT = "transit";
    private static final String PATH_TRANSIT_ENCRYPT = PATH_TRANSIT + "/encrypt/";
    private static final String PATH_TRANSIT_DECRYPT = PATH_TRANSIT + "/decrypt/";
    private static final String PATH_TRANSIT_HASH = PATH_TRANSIT + "/hash/";
    private final RequestHelper request;
@ -72,148 +80,54 @@ public class HTTPVaultConnector implements VaultConnector {
    private long tokenTTL = 0;              // Expiration time for current token.
    /**
-     * Create connector using hostname and schema.
+     * Create connector using a {@link HTTPVaultConnectorBuilder}.
     *
-     * @param hostname The hostname
+     * @param builder The builder.
     * @param useTLS   If TRUE, use HTTPS, otherwise HTTP
     */
-    public HTTPVaultConnector(final String hostname, final boolean useTLS) {
+    HTTPVaultConnector(final HTTPVaultConnectorBuilder builder) {
-        this(hostname, useTLS, null);
+        this.request = new RequestHelper(
            ((builder.isWithTLS()) ? "https" : "http") + "://" +
                builder.getHost() +
                ((builder.getPort() != null) ? ":" + builder.getPort() : "") +
                builder.getPrefix(),
            builder.getNumberOfRetries(),
            builder.getTimeout(),
            builder.getTlsVersion(),
            builder.getTrustedCA()
        );
    }
    /**
-     * Create connector using hostname, schema and port.
+     * Get a new builder for a connector.
     *
-     * @param hostname The hostname
+     * @return Builder instance.
-     * @param useTLS   If TRUE, use HTTPS, otherwise HTTP
+     * @since 0.9.5
     * @param port     The port
     */
-    public HTTPVaultConnector(final String hostname, final boolean useTLS, final Integer port) {
+    public static HTTPVaultConnectorBuilder builder() {
-        this(hostname, useTLS, port, PATH_PREFIX);
+        return new HTTPVaultConnectorBuilder();
    }
    /**
-     * Create connector using hostname, schema, port and path.
+     * Get a new builder for a connector.
     *
-     * @param hostname The hostname
+     * @param baseURL Base URL.
-     * @param useTLS   If TRUE, use HTTPS, otherwise HTTP
+     * @return Builder instance.
-     * @param port     The port
+     * @throws URISyntaxException Invalid URI syntax.
-     * @param prefix   HTTP API prefix (default: /v1/)
+     * @since 1.0
     */
-    public HTTPVaultConnector(final String hostname, final boolean useTLS, final Integer port, final String prefix) {
+    public static HTTPVaultConnectorBuilder builder(String baseURL) throws URISyntaxException {
-        this(((useTLS) ? "https" : "http")
+        return new HTTPVaultConnectorBuilder().withBaseURL(baseURL);
                + "://" + hostname
                + ((port != null) ? ":" + port : "")
                + prefix);
    }
    /**
-     * Create connector using hostname, schema, port, path and trusted certificate.
+     * Get a new builder for a connector.
     *
-     * @param hostname      The hostname
+     * @param baseURL Base URL.
-     * @param useTLS        If TRUE, use HTTPS, otherwise HTTP
+     * @return Builder instance.
-     * @param port          The port
+     * @since 1.0
     * @param prefix        HTTP API prefix (default: /v1/)
     * @param trustedCaCert Trusted CA certificate
     */
-    public HTTPVaultConnector(final String hostname,
+    public static HTTPVaultConnectorBuilder builder(URI baseURL) {
-                              final boolean useTLS,
+        return new HTTPVaultConnectorBuilder().withBaseURL(baseURL);
                              final Integer port,
                              final String prefix,
                              final X509Certificate trustedCaCert) {
        this(hostname, useTLS, DEFAULT_TLS_VERSION, port, prefix, trustedCaCert, 0, null);
    }
    /**
     * Create connector using hostname, schema, port, path and trusted certificate.
     *
     * @param hostname        The hostname
     * @param useTLS          If TRUE, use HTTPS, otherwise HTTP
     * @param tlsVersion      TLS version
     * @param port            The port
     * @param prefix          HTTP API prefix (default: /v1/)
     * @param trustedCaCert   Trusted CA certificate
     * @param numberOfRetries Number of retries on 5xx errors
     * @param timeout         Timeout for HTTP requests (milliseconds)
     */
    public HTTPVaultConnector(final String hostname,
                              final boolean useTLS,
                              final String tlsVersion,
                              final Integer port,
                              final String prefix,
                              final X509Certificate trustedCaCert,
                              final int numberOfRetries,
                              final Integer timeout) {
        this(((useTLS) ? "https" : "http")
                        + "://" + hostname
                        + ((port != null) ? ":" + port : "")
                        + prefix,
                trustedCaCert,
                numberOfRetries,
                timeout,
                tlsVersion);
    }
    /**
     * Create connector using full URL.
     *
     * @param baseURL The URL
     */
    public HTTPVaultConnector(final String baseURL) {
        this(baseURL, null);
    }
    /**
     * Create connector using full URL and trusted certificate.
     *
     * @param baseURL       The URL
     * @param trustedCaCert Trusted CA certificate
     */
    public HTTPVaultConnector(final String baseURL, final X509Certificate trustedCaCert) {
        this(baseURL, trustedCaCert, 0, null);
    }
    /**
     * Create connector using full URL and trusted certificate.
     *
     * @param baseURL         The URL
     * @param trustedCaCert   Trusted CA certificate
     * @param numberOfRetries Number of retries on 5xx errors
     */
    public HTTPVaultConnector(final String baseURL, final X509Certificate trustedCaCert, final int numberOfRetries) {
        this(baseURL, trustedCaCert, numberOfRetries, null);
    }
    /**
     * Create connector using full URL and trusted certificate.
     *
     * @param baseURL         The URL
     * @param trustedCaCert   Trusted CA certificate
     * @param numberOfRetries Number of retries on 5xx errors
     * @param timeout         Timeout for HTTP requests (milliseconds)
     */
    public HTTPVaultConnector(final String baseURL,
                              final X509Certificate trustedCaCert,
                              final int numberOfRetries,
                              final Integer timeout) {
        this(baseURL, trustedCaCert, numberOfRetries, timeout, DEFAULT_TLS_VERSION);
    }
    /**
     * Create connector using full URL and trusted certificate.
     *
     * @param baseURL         The URL
     * @param trustedCaCert   Trusted CA certificate
     * @param numberOfRetries Number of retries on 5xx errors
     * @param timeout         Timeout for HTTP requests (milliseconds)
     * @param tlsVersion      TLS Version.
     */
    public HTTPVaultConnector(final String baseURL,
                              final X509Certificate trustedCaCert,
                              final int numberOfRetries,
                              final Integer timeout,
                              final String tlsVersion) {
        this.request = new RequestHelper(baseURL, numberOfRetries, timeout, tlsVersion, trustedCaCert);
    }
    @Override
@ -235,24 +149,28 @@ public class HTTPVaultConnector implements VaultConnector {
    @Override
    public final SealResponse unseal(final String key, final Boolean reset) throws VaultConnectorException {
-        Map<String, String> param = new HashMap<>(2, 1);
+        Map<String, String> param = mapOfStrings(
-        param.put("key", key);
+            "key", key,
-        if (reset != null) {
+            "reset", reset
-            param.put("reset", reset.toString());
+        );
        }
        return request.put(PATH_UNSEAL, param, token, SealResponse.class);
    }
    @Override
    public HealthResponse getHealth() throws VaultConnectorException {
        /* Force status code to be 200, so we don't need to modify the request sequence. */
        Map<String, String> param = new HashMap<>(3, 1);
        param.put("standbycode", "200");    // Default: 429.
        param.put("sealedcode", "200");     // Default: 503.
        param.put("uninitcode", "200");     // Default: 501.
-        return request.get(PATH_HEALTH, param, token, HealthResponse.class);
+        return request.get(
            PATH_HEALTH,
            // Force status code to be 200, so we don't need to modify the request sequence.
            Map.of(
                "standbycode", "200",   // Default: 429.
                "sealedcode", "200",    // Default: 503.
                "uninitcode", "200"     // Default: 501.
            ),
            token,
            HealthResponse.class
        );
    }
    @Override
@ -263,7 +181,7 @@ public class HTTPVaultConnector implements VaultConnector {
    @Override
    public final List<AuthBackend> getAuthBackends() throws VaultConnectorException {
        /* Issue request and parse response */
-        AuthMethodsResponse amr = request.get(PATH_AUTH, emptyMap(), token, AuthMethodsResponse.class);
+        AuthMethodsResponse amr = request.get(PATH_SYS_AUTH, emptyMap(), token, AuthMethodsResponse.class);
        return amr.getSupportedMethods().values().stream().map(AuthMethod::getType).collect(Collectors.toList());
    }
@ -273,7 +191,7 @@ public class HTTPVaultConnector implements VaultConnector {
        /* set token */
        this.token = token;
        this.tokenTTL = 0;
-        TokenResponse res = request.post(PATH_TOKEN + PATH_LOOKUP, emptyMap(), token, TokenResponse.class);
+        TokenResponse res = request.post(PATH_AUTH_TOKEN + PATH_LOOKUP, emptyMap(), token, TokenResponse.class);
        authorized = true;
        return res;
@ -281,28 +199,18 @@ public class HTTPVaultConnector implements VaultConnector {
    @Override
    public final AuthResponse authUserPass(final String username, final String password)
-            throws VaultConnectorException {
+        throws VaultConnectorException {
        final Map<String, String> payload = singletonMap("password", password);
        return queryAuth(PATH_AUTH_USERPASS + username, payload);
    }
    @Override
    @Deprecated
    public final AuthResponse authAppId(final String appID, final String userID) throws VaultConnectorException {
        final Map<String, String> payload = new HashMap<>(2, 1);
        payload.put("app_id", appID);
        payload.put("user_id", userID);
        return queryAuth(PATH_AUTH_APPID + "login", payload);
    }
    @Override
    public final AuthResponse authAppRole(final String roleID, final String secretID) throws VaultConnectorException {
-        final Map<String, String> payload = new HashMap<>(2, 1);
+        final Map<String, String> payload = mapOfStrings(
-        payload.put("role_id", roleID);
+            "role_id", roleID,
-        if (secretID != null) {
+            "secret_id", secretID
-            payload.put("secret_id", secretID);
+        );
-        }
+        return queryAuth(PATH_AUTH_APPROLE + PATH_LOGIN, payload);
        return queryAuth(PATH_AUTH_APPROLE + "login", payload);
    }
    /**
@ -314,7 +222,7 @@ public class HTTPVaultConnector implements VaultConnector {
     * @throws VaultConnectorException on errors
     */
    private AuthResponse queryAuth(final String path, final Map<String, String> payload)
-            throws VaultConnectorException {
+        throws VaultConnectorException {
        /* Issue request and parse response */
        AuthResponse auth = request.post(path, payload, token, AuthResponse.class);
        /* verify response */
@ -325,36 +233,6 @@ public class HTTPVaultConnector implements VaultConnector {
        return auth;
    }
    @Override
    @Deprecated
    public final boolean registerAppId(final String appID, final String policy, final String displayName)
            throws VaultConnectorException {
        requireAuth();
        Map<String, String> payload = new HashMap<>(2, 1);
        payload.put("value", policy);
        payload.put("display_name", displayName);
        /* Issue request and expect code 204 with empty response */
        request.postWithoutResponse(PATH_AUTH_APPID + "map/app-id/" + appID, payload, token);
        return true;
    }
    @Override
    @Deprecated
    public final boolean registerUserId(final String appID, final String userID) throws VaultConnectorException {
        requireAuth();
        /* Issue request and expect code 204 with empty response */
        request.postWithoutResponse(
                PATH_AUTH_APPID + "map/user-id/" + userID,
                singletonMap("value", appID),
                token
        );
        return true;
    }
    @Override
    public final boolean createAppRole(final AppRole role) throws VaultConnectorException {
        requireAuth();
@ -371,10 +249,10 @@ public class HTTPVaultConnector implements VaultConnector {
        requireAuth();
        /* Request HTTP response and parse Secret */
        return request.get(
-                String.format(PATH_AUTH_APPROLE_ROLE, roleName, ""),
+            String.format(PATH_AUTH_APPROLE_ROLE, roleName, ""),
-                emptyMap(),
+            emptyMap(),
-                token,
+            token,
-                AppRoleResponse.class
+            AppRoleResponse.class
        );
    }
@ -393,10 +271,10 @@ public class HTTPVaultConnector implements VaultConnector {
        requireAuth();
        /* Issue request, parse response and extract Role ID */
        return request.get(
-                String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/role-id"),
+            String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/role-id"),
-                emptyMap(),
+            emptyMap(),
-                token,
+            token,
-                RawDataResponse.class
+            RawDataResponse.class
        ).getData().get("role_id").toString();
    }
@ -406,9 +284,9 @@ public class HTTPVaultConnector implements VaultConnector {
        /* Issue request and expect code 204 with empty response */
        request.postWithoutResponse(
-                String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/role-id"),
+            String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/role-id"),
-                singletonMap("role_id", roleID),
+            singletonMap("role_id", roleID),
-                token
+            token
        );
        return true;
@ -416,49 +294,49 @@ public class HTTPVaultConnector implements VaultConnector {
    @Override
    public final AppRoleSecretResponse createAppRoleSecret(final String roleName, final AppRoleSecret secret)
-            throws VaultConnectorException {
+        throws VaultConnectorException {
        requireAuth();
        if (secret.getId() != null && !secret.getId().isEmpty()) {
            return request.post(
-                    String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/custom-secret-id"),
+                String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/custom-secret-id"),
-                    secret,
+                secret,
-                    token,
+                token,
-                    AppRoleSecretResponse.class
+                AppRoleSecretResponse.class
            );
        } else {
            return request.post(
-                    String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/secret-id"),
+                String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/secret-id"),
-                    secret, token,
+                secret, token,
-                    AppRoleSecretResponse.class
+                AppRoleSecretResponse.class
            );
        }
    }
    @Override
    public final AppRoleSecretResponse lookupAppRoleSecret(final String roleName, final String secretID)
-            throws VaultConnectorException {
+        throws VaultConnectorException {
        requireAuth();
        /* Issue request and parse secret response */
        return request.post(
-                String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/secret-id/lookup"),
+            String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/secret-id/lookup"),
-                new AppRoleSecret(secretID),
+            new AppRoleSecret(secretID),
-                token,
+            token,
-                AppRoleSecretResponse.class
+            AppRoleSecretResponse.class
        );
    }
    @Override
    public final boolean destroyAppRoleSecret(final String roleName, final String secretID)
-            throws VaultConnectorException {
+        throws VaultConnectorException {
        requireAuth();
        /* Issue request and expect code 204 with empty response */
        request.postWithoutResponse(
-                String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/secret-id/destroy"),
+            String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/secret-id/destroy"),
-                new AppRoleSecret(secretID),
+            new AppRoleSecret(secretID),
-                token);
+            token);
        return true;
    }
@ -468,10 +346,10 @@ public class HTTPVaultConnector implements VaultConnector {
        requireAuth();
        SecretListResponse secrets = request.get(
-                PATH_AUTH_APPROLE + "role?list=true",
+            PATH_AUTH_APPROLE + "/role?list=true",
-                emptyMap(),
+            emptyMap(),
-                token,
+            token,
-                SecretListResponse.class
+            SecretListResponse.class
        );
        return secrets.getKeys();
@ -482,10 +360,10 @@ public class HTTPVaultConnector implements VaultConnector {
        requireAuth();
        SecretListResponse secrets = request.get(
-                String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/secret-id?list=true"),
+            String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/secret-id?list=true"),
-                emptyMap(),
+            emptyMap(),
-                token,
+            token,
-                SecretListResponse.class
+            SecretListResponse.class
        );
        return secrets.getKeys();
@ -495,23 +373,22 @@ public class HTTPVaultConnector implements VaultConnector {
    public final SecretResponse read(final String key) throws VaultConnectorException {
        requireAuth();
        /* Issue request and parse secret response */
-        return request.get(key, emptyMap(), token, SecretResponse.class);
+        return request.get(key, emptyMap(), token, PlainSecretResponse.class);
    }
    @Override
-    public final SecretResponse readSecretVersion(final String mount, final String key, final Integer version) throws VaultConnectorException {
+    public final SecretResponse readSecretVersion(final String mount, final String key, final Integer version)
        throws VaultConnectorException {
        requireAuth();
        /* Request HTTP response and parse secret metadata */
-        Map<String, String> args = new HashMap<>(1, 1);
+        Map<String, String> args = mapOfStrings("version", version);
        if (version != null) {
            args.put("version", version.toString());
        }
-        return request.get(mount + PATH_DATA + key, args, token, SecretResponse.class);
+        return request.get(mount + PATH_DATA + key, args, token, MetaSecretResponse.class);
    }
    @Override
-    public final MetadataResponse readSecretMetadata(final String mount, final String key) throws VaultConnectorException {
+    public final MetadataResponse readSecretMetadata(final String mount, final String key)
        throws VaultConnectorException {
        requireAuth();
        /* Request HTTP response and parse secret metadata */
@ -519,20 +396,25 @@ public class HTTPVaultConnector implements VaultConnector {
    }
    @Override
-    public void updateSecretMetadata(final String mount, final String key, final Integer maxVersions, final boolean casRequired) throws VaultConnectorException {
+    public void updateSecretMetadata(final String mount,
                                     final String key,
                                     final Integer maxVersions,
                                     final boolean casRequired) throws VaultConnectorException {
        requireAuth();
-        Map<String, Object> payload = new HashMap<>(2, 1);
+        Map<String, Object> payload = mapOf(
-        if (maxVersions != null) {
+            "max_versions", maxVersions,
-            payload.put("max_versions", maxVersions);
+            "cas_required", casRequired
-        }
+        );
        payload.put("cas_required", casRequired);
        write(mount + PATH_METADATA + key, payload);
    }
    @Override
-    public final SecretVersionResponse writeSecretData(final String mount, final String key, final Map<String, Object> data, final Integer cas) throws VaultConnectorException {
+    public final SecretVersionResponse writeSecretData(final String mount,
                                                       final String key,
                                                       final Map<String, Object> data,
                                                       final Integer cas) throws VaultConnectorException {
        requireAuth();
        if (key == null || key.isEmpty()) {
@ -540,17 +422,18 @@ public class HTTPVaultConnector implements VaultConnector {
        }
        // Add CAS value to options map if present.
-        Map<String, Object> options = new HashMap<>(1, 1);
+        Map<String, Object> options = mapOf("cas", cas);
        if (cas != null) {
            options.put("cas", cas);
        }
        Map<String, Object> payload = new HashMap<>(2, 1);
        payload.put("data", data);
        payload.put("options", options);
        /* Issue request and parse metadata response */
-        return request.post(mount + PATH_DATA + key, payload, token, SecretVersionResponse.class);
+        return request.post(
            mount + PATH_DATA + key,
            Map.of(
                "data", data,
                "options", options
            ),
            token,
            SecretVersionResponse.class
        );
    }
    @Override
@ -563,22 +446,23 @@ public class HTTPVaultConnector implements VaultConnector {
    }
    @Override
-    public final void write(final String key, final Map<String, Object> data, final Map<String, Object> options) throws VaultConnectorException {
+    public final void write(final String key, final Map<String, Object> data, final Map<String, Object> options)
        throws VaultConnectorException {
        requireAuth();
        if (key == null || key.isEmpty()) {
            throw new InvalidRequestException("Secret path must not be empty.");
        }
-        // By default data is directly passed as payload.
+        // By default, data is directly passed as payload.
        Object payload = data;
        // If options are given, split payload in two parts.
        if (options != null) {
-            Map<String, Object> payloadMap = new HashMap<>(2, 1);
+            payload = Map.of(
-            payloadMap.put("data", data);
+                "data", data,
-            payloadMap.put("options", options);
+                "options", options
-            payload = payloadMap;
+            );
        }
        /* Issue request and expect code 204 with empty response */
@ -604,17 +488,20 @@ public class HTTPVaultConnector implements VaultConnector {
    }
    @Override
-    public final void deleteSecretVersions(final String mount, final String key, final int... versions) throws VaultConnectorException {
+    public final void deleteSecretVersions(final String mount, final String key, final int... versions)
        throws VaultConnectorException {
        handleSecretVersions(mount, PATH_DELETE, key, versions);
    }
    @Override
-    public final void undeleteSecretVersions(final String mount, final String key, final int... versions) throws VaultConnectorException {
+    public final void undeleteSecretVersions(final String mount, final String key, final int... versions)
        throws VaultConnectorException {
        handleSecretVersions(mount, PATH_UNDELETE, key, versions);
    }
    @Override
-    public final void destroySecretVersions(final String mount, final String key, final int... versions) throws VaultConnectorException {
+    public final void destroySecretVersions(final String mount, final String key, final int... versions)
        throws VaultConnectorException {
        handleSecretVersions(mount, PATH_DESTROY, key, versions);
    }
@ -628,7 +515,10 @@ public class HTTPVaultConnector implements VaultConnector {
     * @throws VaultConnectorException on error
     * @since 0.8
     */
-    private void handleSecretVersions(final String mount, final String pathPart, final String key, final int... versions) throws VaultConnectorException {
+    private void handleSecretVersions(final String mount,
                                      final String pathPart,
                                      final String key,
                                      final int... versions) throws VaultConnectorException {
        requireAuth();
        /* Request HTTP response and expect empty result */
@ -650,11 +540,10 @@ public class HTTPVaultConnector implements VaultConnector {
    public final SecretResponse renew(final String leaseID, final Integer increment) throws VaultConnectorException {
        requireAuth();
-        Map<String, String> payload = new HashMap<>(2, 1);
+        Map<String, String> payload = mapOfStrings(
-        payload.put("lease_id", leaseID);
+            "lease_id", leaseID,
-        if (increment != null) {
+            "increment", increment
-            payload.put("increment", increment.toString());
+        );
        }
        /* Issue request and parse secret response */
        return request.put(PATH_RENEW, payload, token, SecretResponse.class);
@ -662,12 +551,12 @@ public class HTTPVaultConnector implements VaultConnector {
    @Override
    public final AuthResponse createToken(final Token token) throws VaultConnectorException {
-        return createTokenInternal(token, PATH_TOKEN + PATH_CREATE);
+        return createTokenInternal(token, PATH_AUTH_TOKEN + PATH_CREATE);
    }
    @Override
    public final AuthResponse createToken(final Token token, final boolean orphan) throws VaultConnectorException {
-        return createTokenInternal(token, PATH_TOKEN + PATH_CREATE_ORPHAN);
+        return createTokenInternal(token, PATH_AUTH_TOKEN + PATH_CREATE_ORPHAN);
    }
    @Override
@ -675,7 +564,7 @@ public class HTTPVaultConnector implements VaultConnector {
        if (role == null || role.isEmpty()) {
            throw new InvalidRequestException("No role name specified.");
        }
-        return createTokenInternal(token, PATH_TOKEN + PATH_CREATE + "/" + role);
+        return createTokenInternal(token, PATH_AUTH_TOKEN + PATH_CREATE + "/" + role);
    }
    @Override
@ -710,10 +599,10 @@ public class HTTPVaultConnector implements VaultConnector {
        /* Request HTTP response and parse Secret */
        return request.get(
-                PATH_TOKEN + PATH_LOOKUP,
+            PATH_AUTH_TOKEN + PATH_LOOKUP,
-                singletonMap("token", token),
+            singletonMap("token", token),
-                token,
+            token,
-                TokenResponse.class
+            TokenResponse.class
        );
    }
@ -728,7 +617,7 @@ public class HTTPVaultConnector implements VaultConnector {
        }
        // Issue request and expect code 204 with empty response.
-        request.postWithoutResponse(PATH_TOKEN + PATH_ROLES + "/" + name, role, token);
+        request.postWithoutResponse(PATH_AUTH_TOKEN + PATH_ROLES + "/" + name, role, token);
        return true;
    }
@ -738,14 +627,14 @@ public class HTTPVaultConnector implements VaultConnector {
        requireAuth();
        // Request HTTP response and parse response.
-        return request.get(PATH_TOKEN + PATH_ROLES + "/" + name, emptyMap(), token, TokenRoleResponse.class);
+        return request.get(PATH_AUTH_TOKEN + PATH_ROLES + "/" + name, emptyMap(), token, TokenRoleResponse.class);
    }
    @Override
    public List<String> listTokenRoles() throws VaultConnectorException {
        requireAuth();
-        return list(PATH_TOKEN + PATH_ROLES);
+        return list(PATH_AUTH_TOKEN + PATH_ROLES);
    }
    @Override
@ -757,11 +646,52 @@ public class HTTPVaultConnector implements VaultConnector {
        }
        // Issue request and expect code 204 with empty response.
-        request.deleteWithoutResponse(PATH_TOKEN + PATH_ROLES + "/" + name, token);
+        request.deleteWithoutResponse(PATH_AUTH_TOKEN + PATH_ROLES + "/" + name, token);
        return true;
    }
    @Override
    public final TransitResponse transitEncrypt(final String keyName, final String plaintext)
        throws VaultConnectorException {
        requireAuth();
        Map<String, Object> payload = mapOf(
            "plaintext", plaintext
        );
        return request.post(PATH_TRANSIT_ENCRYPT + keyName, payload, token, TransitResponse.class);
    }
    @Override
    public final TransitResponse transitDecrypt(final String keyName, final String ciphertext)
        throws VaultConnectorException {
        requireAuth();
        Map<String, Object> payload = mapOf(
            "ciphertext", ciphertext
        );
        return request.post(PATH_TRANSIT_DECRYPT + keyName, payload, token, TransitResponse.class);
    }
    @Override
    public final TransitResponse transitHash(final String algorithm, final String input, final String format)
        throws VaultConnectorException {
        if (format != null && !"hex".equals(format) && !"base64".equals(format)) {
            throw new IllegalArgumentException("Unsupported format " + format);
        }
        requireAuth();
        Map<String, Object> payload = mapOf(
            "input", input,
            "format", format
        );
        return request.post(PATH_TRANSIT_HASH + algorithm, payload, token, TransitResponse.class);
    }
    /**
     * Check for required authorization.
     *
@ -773,4 +703,42 @@ public class HTTPVaultConnector implements VaultConnector {
            throw new AuthorizationRequiredException();
        }
    }
    /**
     * Generate a map of non-null {@link String} keys and values
     *
     * @param keyValues Key-value tuples as vararg.
     * @return The map of non-null keys and values.
     */
    private static Map<String, String> mapOfStrings(Object... keyValues) {
        Map<String, String> map = new HashMap<>(keyValues.length / 2, 1);
        for (int i = 0; i < keyValues.length - 1; i = i + 2) {
            Object key = keyValues[i];
            Object val = keyValues[i + 1];
            if (key instanceof String && val != null) {
                map.put((String) key, val.toString());
            }
        }
        return map;
    }
    /**
     * Generate a map of non-null {@link String} keys and {@link Object} values
     *
     * @param keyValues Key-value tuples as vararg.
     * @return The map of non-null keys and values.
     */
    private static Map<String, Object> mapOf(Object... keyValues) {
        Map<String, Object> map = new HashMap<>(keyValues.length / 2, 1);
        for (int i = 0; i < keyValues.length; i = i + 2) {
            Object key = keyValues[i];
            Object val = keyValues[i + 1];
            if (key instanceof String && val != null) {
                map.put((String) key, val);
            }
        }
        return map;
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/builder/HTTPVaultConnectorBuilder.java
+++ b/src/main/java/de/stklcode/jvault/connector/builder/HTTPVaultConnectorBuilder.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -14,17 +14,17 @@
 * limitations under the License.
 */
-package de.stklcode.jvault.connector.builder;
+package de.stklcode.jvault.connector;
 import de.stklcode.jvault.connector.HTTPVaultConnector;
 import de.stklcode.jvault.connector.exception.ConnectionException;
 import de.stklcode.jvault.connector.exception.TlsException;
 import de.stklcode.jvault.connector.exception.VaultConnectorException;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
-import java.io.InputStream;
+import java.net.URI;
-import java.net.MalformedURLException;
+import java.net.URISyntaxException;
-import java.net.URL;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
@ -37,8 +37,9 @@ import java.security.cert.X509Certificate;
 *
 * @author Stefan Kalscheuer
 * @since 0.8.0
 * @since 0.9.5 Package {@link de.stklcode.jvault.connector}
 */
-public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
+public final class HTTPVaultConnectorBuilder {
    private static final String ENV_VAULT_ADDR = "VAULT_ADDR";
    private static final String ENV_VAULT_CACERT = "VAULT_CACERT";
    private static final String ENV_VAULT_TOKEN = "VAULT_TOKEN";
@ -65,7 +66,7 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
     * Default empty constructor.
     * Initializes factory with default values.
     */
-    public HTTPVaultConnectorBuilder() {
+    HTTPVaultConnectorBuilder() {
        host = DEFAULT_HOST;
        port = DEFAULT_PORT;
        tls = DEFAULT_TLS;
@ -74,6 +75,36 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
        numberOfRetries = DEFAULT_NUMBER_OF_RETRIES;
    }
    /**
     * Set base URL, e.g. "protocol://host:port/prefix".
     *
     * @param baseURL Base URL
     * @return self
     * @throws URISyntaxException Invalid URI syntax.
     * @since 1.0
     */
    public HTTPVaultConnectorBuilder withBaseURL(final String baseURL) throws URISyntaxException {
        return withBaseURL(new URI(baseURL));
    }
    /**
     * Set base URL, e.g. "protocol://host:port/prefix".
     *
     * @param baseURL Base URL
     * @return self
     * @since 1.0
     */
    public HTTPVaultConnectorBuilder withBaseURL(final URI baseURL) {
        String path = baseURL.getPath();
        if (path == null || path.isBlank()) {
            path = DEFAULT_PREFIX;
        }
        return withTLS(!("http".equalsIgnoreCase(baseURL.getScheme())))
            .withHost(baseURL.getHost())
            .withPort(baseURL.getPort())
            .withPrefix(path);
    }
    /**
     * Set hostname (default: 127.0.0.1).
     *
@ -85,17 +116,43 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
        return this;
    }
    /**
     * Get hostname.
     *
     * @return Hostname or IP address
     */
    String getHost() {
        return this.host;
    }
    /**
     * Set port (default: 8200).
     * A value of {@code null} or {@code -1} indicates that no port is specified, i.e. the protocol default is used.
     * Otherwise, a valid port number between 1 and 65535 is expected.
     *
     * @param port Vault TCP port
     * @return self
     */
    public HTTPVaultConnectorBuilder withPort(final Integer port) {
-        this.port = port;
+        if (port == null || port < 0) {
            this.port = null;
        } else if (port < 1 || port > 65535) {
            throw new IllegalArgumentException("Port number " + port + " out of range");
        } else {
            this.port = port;
        }
        return this;
    }
    /**
     * Set port..
     *
     * @return Vault TCP port
     */
    Integer getPort() {
        return this.port;
    }
    /**
     * Set TLS usage (default: TRUE).
     *
@ -107,6 +164,24 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
        return this;
    }
    /**
     * Get TLS usage flag.
     *
     * @return use TLS or not
     */
    boolean isWithTLS() {
        return this.tls;
    }
    /**
     * Get TLS version.
     *
     * @return TLS version.
     */
    String getTlsVersion() {
        return this.tlsVersion;
    }
    /**
     * Set TLS usage (default: TRUE).
     *
@ -153,7 +228,7 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
    /**
     * Set API prefix. Default is "/v1/" and changes should not be necessary for current state of development.
     *
-     * @param prefix Vault API prefix (default: "/v1/"
+     * @param prefix Vault API prefix (default: "/v1/")
     * @return self
     */
    public HTTPVaultConnectorBuilder withPrefix(final String prefix) {
@ -161,6 +236,15 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
        return this;
    }
    /**
     * Get API prefix.
     *
     * @return Vault API prefix.
     */
    String getPrefix() {
        return this.prefix;
    }
    /**
     * Add a trusted CA certificate for HTTPS connections.
     *
@ -190,6 +274,15 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
        return this;
    }
    /**
     * Get the trusted CA certificate for HTTPS connections.
     *
     * @return path to certificate file, if specified.
     */
    X509Certificate getTrustedCA() {
        return this.trustedCA;
    }
    /**
     * Set token for automatic authentication, using {@link #buildAndAuth()}.
     *
@ -203,7 +296,7 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
    }
    /**
-     * Build connector based on the {@code }VAULT_ADDR} and {@code VAULT_CACERT} (optional) environment variables.
+     * Build connector based on the {@code VAULT_ADDR} and {@code VAULT_CACERT} (optional) environment variables.
     *
     * @return self
     * @throws VaultConnectorException if Vault address from environment variables is malformed
@ -211,13 +304,10 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
     */
    public HTTPVaultConnectorBuilder fromEnv() throws VaultConnectorException {
        /* Parse URL from environment variable */
-        if (System.getenv(ENV_VAULT_ADDR) != null && !System.getenv(ENV_VAULT_ADDR).trim().isEmpty()) {
+        if (System.getenv(ENV_VAULT_ADDR) != null && !System.getenv(ENV_VAULT_ADDR).isBlank()) {
            try {
-                URL url = new URL(System.getenv(ENV_VAULT_ADDR));
+                withBaseURL(System.getenv(ENV_VAULT_ADDR));
-                this.host = url.getHost();
+            } catch (URISyntaxException e) {
                this.port = url.getPort();
                this.tls = url.getProtocol().equals("https");
            } catch (MalformedURLException e) {
                throw new ConnectionException("URL provided in environment variable malformed", e);
            }
        }
@ -225,7 +315,7 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
        /* Read number of retries */
        if (System.getenv(ENV_VAULT_MAX_RETRIES) != null) {
            try {
-                numberOfRetries = Integer.parseInt(System.getenv(ENV_VAULT_MAX_RETRIES));
+                withNumberOfRetries(Integer.parseInt(System.getenv(ENV_VAULT_MAX_RETRIES)));
            } catch (NumberFormatException ignored) {
                /* Ignore malformed values. */
            }
@ -235,8 +325,12 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
        token = System.getenv(ENV_VAULT_TOKEN);
        /* Parse certificate, if set */
-        if (System.getenv(ENV_VAULT_CACERT) != null && !System.getenv(ENV_VAULT_CACERT).trim().isEmpty()) {
+        if (System.getenv(ENV_VAULT_CACERT) != null && !System.getenv(ENV_VAULT_CACERT).isBlank()) {
-            return withTrustedCA(Paths.get(System.getenv(ENV_VAULT_CACERT)));
+            X509Certificate cert = certificateFromString(System.getenv(ENV_VAULT_CACERT));
            if (cert == null) {
                cert = certificateFromFile(Paths.get(System.getenv(ENV_VAULT_CACERT)));
            }
            return withTrustedCA(cert);
        }
        return this;
    }
@ -253,6 +347,15 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
        return this;
    }
    /**
     * Get the number of retries to attempt on 5xx errors.
     *
     * @return The number of retries to attempt on 5xx errors (default: 0)
     */
    int getNumberOfRetries() {
        return this.numberOfRetries;
    }
    /**
     * Define a custom timeout for the HTTP connection.
     *
@ -265,12 +368,31 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
        return this;
    }
-    @Override
+    /**
-    public HTTPVaultConnector build() {
+     * Get custom timeout for the HTTP connection.
-        return new HTTPVaultConnector(host, tls, tlsVersion, port, prefix, trustedCA, numberOfRetries, timeout);
+     *
     * @return Timeout value in milliseconds.
     */
    Integer getTimeout() {
        return this.timeout;
    }
-    @Override
+    /**
     * Build command, produces connector after initialization.
     *
     * @return Vault Connector instance.
     */
    public HTTPVaultConnector build() {
        return new HTTPVaultConnector(this);
    }
    /**
     * Build connector and authenticate with token set in factory or from environment.
     *
     * @return Authenticated Vault connector instance.
     * @throws VaultConnectorException if authentication failed
     * @since 0.6.0
     */
    public HTTPVaultConnector buildAndAuth() throws VaultConnectorException {
        if (token == null) {
            throw new ConnectionException("No vault token provided, unable to authenticate.");
@ -280,6 +402,28 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
        return con;
    }
    /**
     * Read given certificate file to X.509 certificate.
     *
     * @param cert Certificate string (optionally PEM)
     * @return X.509 Certificate object if parseable, else {@code null}
     * @throws TlsException on error
     * @since 1.5.0
     */
    private X509Certificate certificateFromString(final String cert) throws TlsException {
        // Check if PEM header is present in given string
        if (cert.contains("-BEGIN ") && cert.contains("-END")) {
            try (var is = new ByteArrayInputStream(cert.getBytes(StandardCharsets.UTF_8))) {
                return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(is);
            } catch (IOException | CertificateException e) {
                throw new TlsException("Unable to read certificate.", e);
            }
        }
        // Not am PEM string, skip
        return null;
    }
    /**
     * Read given certificate file to X.509 certificate.
     *
@ -289,7 +433,7 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
     * @since 0.4.0
     */
    private X509Certificate certificateFromFile(final Path certFile) throws TlsException {
-        try (InputStream is = Files.newInputStream(certFile)) {
+        try (var is = Files.newInputStream(certFile)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(is);
        } catch (IOException | CertificateException e) {
            throw new TlsException("Unable to read certificate.", e);
--- a/src/main/java/de/stklcode/jvault/connector/VaultConnector.java
+++ b/src/main/java/de/stklcode/jvault/connector/VaultConnector.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,7 +16,6 @@
 package de.stklcode.jvault.connector;
 import de.stklcode.jvault.connector.exception.InvalidRequestException;
 import de.stklcode.jvault.connector.exception.VaultConnectorException;
 import de.stklcode.jvault.connector.model.*;
 import de.stklcode.jvault.connector.model.response.*;
@ -32,10 +31,6 @@ import java.util.*;
 * @since 0.1
 */
 public interface VaultConnector extends AutoCloseable, Serializable {
    /**
     * Default sub-path for Vault secrets.
     */
    String PATH_SECRET = "secret";
    /**
     * Reset authorization information.
@ -114,18 +109,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     */
    AuthResponse authUserPass(final String username, final String password) throws VaultConnectorException;
    /**
     * Authorize to Vault using AppID method.
     *
     * @param appID  The App ID
     * @param userID The User ID
     * @return The {@link AuthResponse}
     * @throws VaultConnectorException on error
     * @deprecated As of Vault 0.6.1 App-ID is superseded by AppRole. Consider using {@link #authAppRole} instead.
     */
    @Deprecated
    AuthResponse authAppId(final String appID, final String userID) throws VaultConnectorException;
    /**
     * Authorize to Vault using AppRole method without secret ID.
     *
@ -149,20 +132,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     */
    AuthResponse authAppRole(final String roleID, final String secretID) throws VaultConnectorException;
    /**
     * Register new App-ID with policy.
     *
     * @param appID       The unique App-ID
     * @param policy      The policy to associate with
     * @param displayName Arbitrary name to display
     * @return {@code true} on success
     * @throws VaultConnectorException on error
     * @deprecated As of Vault 0.6.1 App-ID is superseded by AppRole. Consider using {@link #createAppRole} instead.
     */
    @Deprecated
    boolean registerAppId(final String appID, final String policy, final String displayName)
            throws VaultConnectorException;
    /**
     * Register a new AppRole role from given metamodel.
     *
@ -222,7 +191,7 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @since 0.4.0
     */
    default boolean createAppRole(final String roleName, final List<String> policies, final String roleID)
-            throws VaultConnectorException {
+        throws VaultConnectorException {
        return createAppRole(AppRole.builder(roleName).withTokenPolicies(policies).withId(roleID).build());
    }
@ -288,7 +257,7 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @since 0.4.0
     */
    default AppRoleSecretResponse createAppRoleSecret(final String roleName, final String secretID)
-            throws VaultConnectorException {
+        throws VaultConnectorException {
        return createAppRoleSecret(roleName, new AppRoleSecret(secretID));
    }
@ -302,7 +271,7 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @since 0.4.0
     */
    AppRoleSecretResponse createAppRoleSecret(final String roleName, final AppRoleSecret secret)
-            throws VaultConnectorException;
+        throws VaultConnectorException;
    /**
     * Lookup an AppRole secret.
@ -314,7 +283,7 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @since 0.4.0
     */
    AppRoleSecretResponse lookupAppRoleSecret(final String roleName, final String secretID)
-            throws VaultConnectorException;
+        throws VaultConnectorException;
    /**
     * Destroy an AppRole secret.
@ -344,38 +313,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     */
    List<String> listAppRoleSecrets(final String roleName) throws VaultConnectorException;
    /**
     * Register User-ID with App-ID.
     *
     * @param appID  The App-ID
     * @param userID The User-ID
     * @return {@code true} on success
     * @throws VaultConnectorException on error
     * @deprecated As of Vault 0.6.1 App-ID is superseded by AppRole.
     * Consider using {@link #createAppRoleSecret} instead.
     */
    @Deprecated
    boolean registerUserId(final String appID, final String userID) throws VaultConnectorException;
    /**
     * Register new App-ID and User-ID at once.
     *
     * @param appID       The App-ID
     * @param policy      The policy to associate with
     * @param displayName Arbitrary name to display
     * @param userID      The User-ID
     * @return {@code true} on success
     * @throws VaultConnectorException on error
     * @deprecated As of Vault 0.6.1 App-ID is superseded by AppRole.
     */
    @Deprecated
    default boolean registerAppUserId(final String appID,
                                      final String policy,
                                      final String displayName,
                                      final String userID) throws VaultConnectorException {
        return registerAppId(appID, policy, userID) && registerUserId(appID, userID);
    }
    /**
     * Get authorization status.
     *
@ -393,34 +330,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     */
    SecretResponse read(final String key) throws VaultConnectorException;
    /**
     * Retrieve secret from Vault.
     * <br>
     * Prefix {@code secret/} is automatically added to key.
     *
     * @param key Secret identifier
     * @return Secret response
     * @throws VaultConnectorException on error
     */
    default SecretResponse readSecret(final String key) throws VaultConnectorException {
        return read(PATH_SECRET + "/" + key);
    }
    /**
     * Retrieve the latest secret data for specific version from Vault.
     * <br>
     * Prefix "secret/data" is automatically added to key.
     * Only available for KV v2 secrets.
     *
     * @param key Secret identifier
     * @return Secret response
     * @throws VaultConnectorException on error
     * @since 0.8
     */
    default SecretResponse readSecretData(final String key) throws VaultConnectorException {
        return readSecretVersion(key, null);
    }
    /**
     * Retrieve the latest secret data for specific version from Vault.
     * <br>
@ -437,22 +346,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
        return readSecretVersion(mount, key, null);
    }
    /**
     * Write secret to Vault.
     * <br>
     * Prefix {@code secret/} is automatically added to path.
     * Only available for KV v2 secrets.
     *
     * @param key  Secret identifier.
     * @param data Secret content. Value must be be JSON serializable.
     * @return Metadata for the created/updated secret.
     * @throws VaultConnectorException on error
     * @since 0.8
     */
    default SecretVersionResponse writeSecretData(final String key, final Map<String, Object> data) throws VaultConnectorException {
        return writeSecretData(PATH_SECRET, key, data, null);
    }
    /**
     * Write secret to Vault.
     * <br>
@ -466,7 +359,9 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @throws VaultConnectorException on error
     * @since 0.8
     */
-    default SecretVersionResponse writeSecretData(final String mount, final String key, final Map<String, Object> data) throws VaultConnectorException {
+    default SecretVersionResponse writeSecretData(final String mount,
                                                  final String key,
                                                  final Map<String, Object> data) throws VaultConnectorException {
        return writeSecretData(mount, key, data, null);
    }
@ -484,23 +379,10 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @throws VaultConnectorException on error
     * @since 0.8
     */
-    SecretVersionResponse writeSecretData(final String mount, final String key, final Map<String, Object> data, final Integer cas) throws VaultConnectorException;
+    SecretVersionResponse writeSecretData(final String mount,
-
+                                          final String key,
-    /**
+                                          final Map<String, Object> data,
-     * Retrieve secret data from Vault.
+                                          final Integer cas) throws VaultConnectorException;
     * <br>
     * Path {@code <mount>/data/<key>} is read here.
     * Only available for KV v2 secrets.
     *
     * @param key     Secret identifier
     * @param version Version to read. If {@code null} or zero, the latest version will be returned.
     * @return Secret response
     * @throws VaultConnectorException on error
     * @since 0.8
     */
    default SecretResponse readSecretVersion(final String key, final Integer version) throws VaultConnectorException {
        return readSecretVersion(PATH_SECRET, key, version);
    }
    /**
     * Retrieve secret data from Vault.
@ -515,37 +397,8 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @throws VaultConnectorException on error
     * @since 0.8
     */
-    SecretResponse readSecretVersion(final String mount, final String key, final Integer version) throws VaultConnectorException;
+    SecretResponse readSecretVersion(final String mount, final String key, final Integer version)
-
+        throws VaultConnectorException;
    /**
     * Retrieve secret metadata from Vault.
     * Path {@code secret/metadata/<key>} is read here.
     * Only available for KV v2 secrets.
     *
     * @param key Secret identifier
     * @return Metadata response
     * @throws VaultConnectorException on error
     * @since 0.8
     */
    default MetadataResponse readSecretMetadata(final String key) throws VaultConnectorException {
        return readSecretMetadata(PATH_SECRET, key);
    }
    /**
     * Update secret metadata.
     * <br>
     * Path {@code secret/metadata/<key>} is read here.
     * Only available for KV v2 secrets.
     *
     * @param key         Secret identifier
     * @param maxVersions Maximum number of versions (fallback to backend default if {@code null})
     * @param casRequired Specify if Check-And-Set is required for this secret.
     * @throws VaultConnectorException on error
     * @since 0.8
     */
    default void updateSecretMetadata(final String key, final Integer maxVersions, final boolean casRequired) throws VaultConnectorException {
        updateSecretMetadata(PATH_SECRET, key, maxVersions, casRequired);
    }
    /**
     * Retrieve secret metadata from Vault.
@ -574,7 +427,10 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @throws VaultConnectorException on error
     * @since 0.8
     */
-    void updateSecretMetadata(final String mount, final String key, final Integer maxVersions, final boolean casRequired) throws VaultConnectorException;
+    void updateSecretMetadata(final String mount,
                              final String key,
                              final Integer maxVersions,
                              final boolean casRequired) throws VaultConnectorException;
    /**
     * List available nodes from Vault.
@ -586,19 +442,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     */
    List<String> list(final String path) throws VaultConnectorException;
    /**
     * List available secrets from Vault.
     * <br>
     * Prefix {@code secret/} is automatically added to path.
     *
     * @param path Root path to search
     * @return List of secret keys
     * @throws VaultConnectorException on error
     */
    default List<String> listSecrets(final String path) throws VaultConnectorException {
        return list(PATH_SECRET + "/" + path);
    }
    /**
     * Write simple value to Vault.
     *
@ -632,37 +475,8 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @throws VaultConnectorException on error
     * @since 0.8 {@code options} parameter added
     */
-    void write(final String key, final Map<String, Object> data, final Map<String, Object> options) throws VaultConnectorException;
+    void write(final String key, final Map<String, Object> data, final Map<String, Object> options)
-
+        throws VaultConnectorException;
    /**
     * Write secret to Vault.
     * <br>
     * Prefix {@code secret/} is automatically added to path.
     *
     * @param key   Secret path
     * @param value Secret value
     * @throws VaultConnectorException on error
     */
    default void writeSecret(final String key, final String value) throws VaultConnectorException {
        writeSecret(key, Collections.singletonMap("value", value));
    }
    /**
     * Write secret to Vault.
     * <br>
     * Prefix {@code secret/} is automatically added to path.
     *
     * @param key  Secret path
     * @param data Secret content. Value must be be JSON serializable.
     * @throws VaultConnectorException on error
     * @since 0.5.0
     */
    default void writeSecret(final String key, final Map<String, Object> data) throws VaultConnectorException {
        if (key == null || key.isEmpty()) {
            throw new InvalidRequestException("Secret path must not be empty.");
        }
        write(PATH_SECRET + "/" + key, data);
    }
    /**
     * Delete key from Vault.
@ -673,31 +487,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     */
    void delete(final String key) throws VaultConnectorException;
    /**
     * Delete secret from Vault.
     * <br>
     * Prefix {@code secret/} is automatically added to path.
     *
     * @param key Secret path
     * @throws VaultConnectorException on error
     */
    default void deleteSecret(final String key) throws VaultConnectorException {
        delete(PATH_SECRET + "/" + key);
    }
    /**
     * Delete latest version of a secret from Vault.
     * <br>
     * Prefix {@code secret/} is automatically added to path. Only available for KV v2 stores.
     *
     * @param key Secret path.
     * @throws VaultConnectorException on error
     * @since 0.8
     */
    default void deleteLatestSecretVersion(final String key) throws VaultConnectorException {
        deleteLatestSecretVersion(PATH_SECRET, key);
    }
    /**
     * Delete latest version of a secret from Vault.
     * <br>
@ -710,20 +499,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     */
    void deleteLatestSecretVersion(final String mount, final String key) throws VaultConnectorException;
    /**
     * Delete latest version of a secret from Vault.
     * <br>
     * Prefix {@code secret/} is automatically added to path.
     * Only available for KV v2 stores.
     *
     * @param key Secret path.
     * @throws VaultConnectorException on error
     * @since 0.8
     */
    default void deleteAllSecretVersions(final String key) throws VaultConnectorException {
        deleteAllSecretVersions(PATH_SECRET, key);
    }
    /**
     * Delete latest version of a secret from Vault.
     * <br>
@ -737,20 +512,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     */
    void deleteAllSecretVersions(final String mount, final String key) throws VaultConnectorException;
    /**
     * Delete secret versions from Vault.
     * <br>
     * Only available for KV v2 stores.
     *
     * @param key      Secret path.
     * @param versions Versions of the secret to delete.
     * @throws VaultConnectorException on error
     * @since 0.8
     */
    default void deleteSecretVersions(final String key, final int... versions) throws VaultConnectorException {
        deleteSecretVersions(PATH_SECRET, key, versions);
    }
    /**
     * Delete secret versions from Vault.
     * <br>
@ -762,20 +523,8 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @throws VaultConnectorException on error
     * @since 0.8
     */
-    void deleteSecretVersions(final String mount, final String key, final int... versions) throws VaultConnectorException;
+    void deleteSecretVersions(final String mount, final String key, final int... versions)
-
+        throws VaultConnectorException;
    /**
     * Undelete (restore) secret versions from Vault.
     * Only available for KV v2 stores.
     *
     * @param key      Secret path.
     * @param versions Versions of the secret to undelete.
     * @throws VaultConnectorException on error
     * @since 0.8
     */
    default void undeleteSecretVersions(final String key, final int... versions) throws VaultConnectorException {
        undeleteSecretVersions(PATH_SECRET, key, versions);
    }
    /**
     * Undelete (restore) secret versions from Vault.
@ -787,20 +536,8 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @throws VaultConnectorException on error
     * @since 0.8
     */
-    void undeleteSecretVersions(final String mount, final String key, final int... versions) throws VaultConnectorException;
+    void undeleteSecretVersions(final String mount, final String key, final int... versions)
-
+        throws VaultConnectorException;
    /**
     * Destroy secret versions from Vault.
     * Only available for KV v2 stores.
     *
     * @param key      Secret path.
     * @param versions Versions of the secret to destroy.
     * @throws VaultConnectorException on error
     * @since 0.8
     */
    default void destroySecretVersions(final String key, final int... versions) throws VaultConnectorException {
        destroySecretVersions(PATH_SECRET, key, versions);
    }
    /**
     * Destroy secret versions from Vault.
@ -812,7 +549,8 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @throws VaultConnectorException on error
     * @since 0.8
     */
-    void destroySecretVersions(final String mount, final String key, final int... versions) throws VaultConnectorException;
+    void destroySecretVersions(final String mount, final String key, final int... versions)
        throws VaultConnectorException;
    /**
     * Revoke given lease immediately.
@ -933,6 +671,82 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     */
    boolean deleteTokenRole(final String name) throws VaultConnectorException;
    /**
     * Encrypt plaintext via transit engine from Vault.
     *
     * @param keyName   Transit key name
     * @param plaintext Text to encrypt (Base64 encoded)
     * @return Transit response
     * @throws VaultConnectorException on error
     * @since 1.5.0
     */
    TransitResponse transitEncrypt(final String keyName, final String plaintext) throws VaultConnectorException;
    /**
     * Encrypt plaintext via transit engine from Vault.
     *
     * @param keyName   Transit key name
     * @param plaintext Binary data to encrypt
     * @return Transit response
     * @throws VaultConnectorException on error
     * @since 1.5.0
     */
    default TransitResponse transitEncrypt(final String keyName, final byte[] plaintext)
        throws VaultConnectorException {
        return transitEncrypt(keyName, Base64.getEncoder().encodeToString(plaintext));
    }
    /**
     * Decrypt ciphertext via transit engine from Vault.
     *
     * @param keyName    Transit key name
     * @param ciphertext Text to decrypt
     * @return Transit response
     * @throws VaultConnectorException on error
     * @since 1.5.0
     */
    TransitResponse transitDecrypt(final String keyName, final String ciphertext) throws VaultConnectorException;
    /**
     * Hash data in hex format via transit engine from Vault.
     *
     * @param algorithm Specifies the hash algorithm to use
     * @param input     Data to hash
     * @return Transit response
     * @throws VaultConnectorException on error
     * @since 1.5.0
     */
    default TransitResponse transitHash(final String algorithm, final String input) throws VaultConnectorException {
        return transitHash(algorithm, input, "hex");
    }
    /**
     * Hash data via transit engine from Vault.
     *
     * @param algorithm Specifies the hash algorithm to use
     * @param input     Data to hash (Base64 encoded)
     * @param format    Specifies the output encoding (hex/base64)
     * @return Transit response
     * @throws VaultConnectorException on error
     * @since 1.5.0
     */
    TransitResponse transitHash(final String algorithm, final String input, final String format)
        throws VaultConnectorException;
    /**
     * Hash data via transit engine from Vault.
     *
     * @param algorithm Specifies the hash algorithm to use
     * @param input     Data to hash
     * @return Transit response
     * @throws VaultConnectorException on error
     * @since 1.5.0
     */
    default TransitResponse transitHash(final String algorithm, final byte[] input, final String format)
        throws VaultConnectorException {
        return transitHash(algorithm, Base64.getEncoder().encodeToString(input), format);
    }
    /**
     * Read credentials for MySQL backend at default mount point.
     *
@ -940,7 +754,9 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @return the credentials response
     * @throws VaultConnectorException on error
     * @since 0.5.0
     * @deprecated use {@link #readDbCredentials(String, String)} your MySQL mountpoint
     */
    @Deprecated(since = "1.5.0", forRemoval = true)
    default CredentialsResponse readMySqlCredentials(final String role) throws VaultConnectorException {
        return readDbCredentials(role, "mysql");
    }
@ -952,7 +768,9 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @return the credentials response
     * @throws VaultConnectorException on error
     * @since 0.5.0
     * @deprecated use {@link #readDbCredentials(String, String)} your PostgreSQL mountpoint
     */
    @Deprecated(since = "1.5.0", forRemoval = true)
    default CredentialsResponse readPostgreSqlCredentials(final String role) throws VaultConnectorException {
        return readDbCredentials(role, "postgresql");
    }
@ -964,34 +782,38 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @return the credentials response
     * @throws VaultConnectorException on error
     * @since 0.5.0
     * @deprecated use {@link #readDbCredentials(String, String)} your MSSQL mountpoint
     */
    @Deprecated(since = "1.5.0", forRemoval = true)
    default CredentialsResponse readMsSqlCredentials(final String role) throws VaultConnectorException {
        return readDbCredentials(role, "mssql");
    }
    /**
-     * Read credentials for MSSQL backend at default mount point.
+     * Read credentials for MongoDB backend at default mount point.
     *
     * @param role the role name
     * @return the credentials response
     * @throws VaultConnectorException on error
     * @since 0.5.0
     * @deprecated use {@link #readDbCredentials(String, String)} your MongoDB mountpoint
     */
    @Deprecated(since = "1.5.0", forRemoval = true)
    default CredentialsResponse readMongoDbCredentials(final String role) throws VaultConnectorException {
        return readDbCredentials(role, "mongodb");
    }
    /**
-     * Read credentials for SQL backends.
+     * Read credentials for database backends.
     *
     * @param role  the role name
-     * @param mount mount point of the SQL backend
+     * @param mount mount point of the database backend
     * @return the credentials response
     * @throws VaultConnectorException on error
     * @since 0.5.0
     */
    default CredentialsResponse readDbCredentials(final String role, final String mount)
-            throws VaultConnectorException {
+        throws VaultConnectorException {
        return (CredentialsResponse) read(mount + "/creds/" + role);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/builder/VaultConnectorBuilder.java
+++ b/src/main/java/de/stklcode/jvault/connector/builder/VaultConnectorBuilder.java
@ -1,54 +0,0 @@
 /*
 * Copyright 2016-2021 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package de.stklcode.jvault.connector.builder;
 import de.stklcode.jvault.connector.VaultConnector;
 import de.stklcode.jvault.connector.exception.VaultConnectorException;
 /**
 * Abstract Vault Connector Builder interface.
 * Provides builder style for Vault connectors.
 *
 * @author Stefan Kalscheuer
 * @since 0.8.0
 */
 public interface VaultConnectorBuilder {
    /**
     * Get Factory implementation for HTTP Vault Connector.
     *
     * @return HTTP Connector Factory
     */
    static HTTPVaultConnectorBuilder http() {
        return new HTTPVaultConnectorBuilder();
    }
    /**
     * Build command, produces connector after initialization.
     *
     * @return Vault Connector instance.
     */
    VaultConnector build();
    /**
     * Build connector and authenticate with token set in factory or from environment.
     *
     * @return Authenticated Vault connector instance.
     * @throws VaultConnectorException if authentication failed
     * @since 0.6.0
     */
    VaultConnector buildAndAuth() throws VaultConnectorException;
 }
--- a/src/main/java/de/stklcode/jvault/connector/builder/package-info.java
+++ b/src/main/java/de/stklcode/jvault/connector/builder/package-info.java
@ -1,21 +0,0 @@
 /*
 * Copyright 2016-2021 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 /**
 * This package contains the {@link de.stklcode.jvault.connector.builder.VaultConnectorBuilder} to initialize a
 * connector instance.
 */
 package de.stklcode.jvault.connector.builder;
--- a/src/main/java/de/stklcode/jvault/connector/exception/AuthorizationRequiredException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/AuthorizationRequiredException.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,8 +19,9 @@ package de.stklcode.jvault.connector.exception;
 /**
 * Exception thrown trying to do a request without any authorization handles.
 *
- * @author  Stefan Kalscheuer
+ * @author Stefan Kalscheuer
- * @since   0.1
+ * @since 0.1
 */
 public class AuthorizationRequiredException extends VaultConnectorException {
    private static final long serialVersionUID = 2629577936657393880L;
 }
--- a/src/main/java/de/stklcode/jvault/connector/exception/ConnectionException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/ConnectionException.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -23,6 +23,8 @@ package de.stklcode.jvault.connector.exception;
 * @since 0.1
 */
 public class ConnectionException extends VaultConnectorException {
    private static final long serialVersionUID = 3005430116002990418L;
    /**
     * Constructs a new empty exception.
     */
--- a/src/main/java/de/stklcode/jvault/connector/exception/InvalidRequestException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/InvalidRequestException.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,10 +19,12 @@ package de.stklcode.jvault.connector.exception;
 /**
 * Exception thrown when trying to send malformed request.
 *
- * @author  Stefan Kalscheuer
+ * @author Stefan Kalscheuer
- * @since   0.1
+ * @since 0.1
 */
 public class InvalidRequestException extends VaultConnectorException {
    private static final long serialVersionUID = -6712239648281809159L;
    /**
     * Constructs a new empty exception.
     */
--- a/src/main/java/de/stklcode/jvault/connector/exception/InvalidResponseException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/InvalidResponseException.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -24,6 +24,8 @@ package de.stklcode.jvault.connector.exception;
 * @since 0.1
 */
 public final class InvalidResponseException extends VaultConnectorException {
    private static final long serialVersionUID = 2003151038614163479L;
    private final Integer statusCode;
    private final String response;
@ -136,30 +138,6 @@ public final class InvalidResponseException extends VaultConnectorException {
        this.response = response;
    }
    /**
     * Specify the HTTP status code. Can be retrieved by {@link #getStatusCode()} later.
     *
     * @param statusCode The status code
     * @return self
     * @deprecated as of 0.6.2, use constructor with status code argument instead
     */
    @Deprecated
    public InvalidResponseException withStatusCode(final Integer statusCode) {
        return new InvalidResponseException(getMessage(), statusCode, getResponse(), getCause());
    }
    /**
     * Specify the response string. Can be retrieved by {@link #getResponse()} later.
     *
     * @param response Response text
     * @return self
     * @deprecated use constructor with response argument instead
     */
    @Deprecated
    public InvalidResponseException withResponse(final String response) {
        return new InvalidResponseException(getMessage(), getStatusCode(), response, getCause());
    }
    /**
     * Retrieve the HTTP status code.
     *
--- a/src/main/java/de/stklcode/jvault/connector/exception/PermissionDeniedException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/PermissionDeniedException.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,10 +19,12 @@ package de.stklcode.jvault.connector.exception;
 /**
 * Exception thrown when trying to access a path the current user/token does not have permission to access.
 *
- * @author  Stefan Kalscheuer
+ * @author Stefan Kalscheuer
- * @since   0.1
+ * @since 0.1
 */
 public class PermissionDeniedException extends VaultConnectorException {
    private static final long serialVersionUID = -7149134015090750776L;
    /**
     * Constructs a new empty exception.
     */
--- a/src/main/java/de/stklcode/jvault/connector/exception/TlsException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/TlsException.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,10 +19,12 @@ package de.stklcode.jvault.connector.exception;
 /**
 * Exception thrown on errors with TLS connection.
 *
- * @author  Stefan Kalscheuer
+ * @author Stefan Kalscheuer
- * @since   0.4.0
+ * @since 0.4.0
 */
 public class TlsException extends VaultConnectorException {
    private static final long serialVersionUID = -5139276834988258086L;
    /**
     * Constructs a new empty exception.
     */
--- a/src/main/java/de/stklcode/jvault/connector/exception/VaultConnectorException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/VaultConnectorException.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,10 +19,12 @@ package de.stklcode.jvault.connector.exception;
 /**
 * Abstract Exception class for Vault Connector internal exceptions.
 *
- * @author  Stefan Kalscheuer
+ * @author Stefan Kalscheuer
- * @since   0.1
+ * @since 0.1
 */
 public abstract class VaultConnectorException extends Exception {
    private static final long serialVersionUID = -2612477894310906036L;
    /**
     * Constructs a new empty exception.
     */
--- a/src/main/java/de/stklcode/jvault/connector/exception/package-info.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/package-info.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/factory/HTTPVaultConnectorFactory.java
+++ b/src/main/java/de/stklcode/jvault/connector/factory/HTTPVaultConnectorFactory.java
@ -1,204 +0,0 @@
 /*
 * Copyright 2016-2021 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package de.stklcode.jvault.connector.factory;
 import de.stklcode.jvault.connector.HTTPVaultConnector;
 import de.stklcode.jvault.connector.builder.HTTPVaultConnectorBuilder;
 import de.stklcode.jvault.connector.exception.VaultConnectorException;
 import javax.net.ssl.SSLContext;
 import java.nio.file.Path;
 import java.security.cert.X509Certificate;
 /**
 * Vault Connector Factory implementation for HTTP Vault connectors.
 *
 * @author Stefan Kalscheuer
 * @since 0.1
 * @deprecated As of 0.8.0 please refer to {@link de.stklcode.jvault.connector.builder.HTTPVaultConnectorBuilder} with identical API.
 */
@Deprecated
 public final class HTTPVaultConnectorFactory extends VaultConnectorFactory {
    private final HTTPVaultConnectorBuilder delegate;
    /**
     * Default empty constructor.
     * Initializes factory with default values.
     */
    public HTTPVaultConnectorFactory() {
        delegate = new HTTPVaultConnectorBuilder();
    }
    /**
     * Set hostname (default: 127.0.0.1).
     *
     * @param host Hostname or IP address
     * @return self
     */
    public HTTPVaultConnectorFactory withHost(final String host) {
        delegate.withHost(host);
        return this;
    }
    /**
     * Set port (default: 8200).
     *
     * @param port Vault TCP port
     * @return self
     */
    public HTTPVaultConnectorFactory withPort(final Integer port) {
        delegate.withPort(port);
        return this;
    }
    /**
     * Set TLS usage (default: TRUE).
     *
     * @param useTLS use TLS or not
     * @return self
     */
    public HTTPVaultConnectorFactory withTLS(final boolean useTLS) {
        delegate.withTLS(useTLS);
        return this;
    }
    /**
     * Convenience Method for TLS usage (enabled by default).
     *
     * @return self
     */
    public HTTPVaultConnectorFactory withTLS() {
        return withTLS(true);
    }
    /**
     * Convenience Method for NOT using TLS.
     *
     * @return self
     */
    public HTTPVaultConnectorFactory withoutTLS() {
        return withTLS(false);
    }
    /**
     * Set API prefix. Default is "/v1/" and changes should not be necessary for current state of development.
     *
     * @param prefix Vault API prefix (default: "/v1/"
     * @return self
     */
    public HTTPVaultConnectorFactory withPrefix(final String prefix) {
        delegate.withPrefix(prefix);
        return this;
    }
    /**
     * Add a trusted CA certificate for HTTPS connections.
     *
     * @param cert path to certificate file
     * @return self
     * @throws VaultConnectorException on error
     * @since 0.4.0
     */
    public HTTPVaultConnectorFactory withTrustedCA(final Path cert) throws VaultConnectorException {
        delegate.withTrustedCA(cert);
        return this;
    }
    /**
     * Add a trusted CA certificate for HTTPS connections.
     *
     * @param cert path to certificate file
     * @return self
     * @since 0.8.0
     */
    public HTTPVaultConnectorFactory withTrustedCA(final X509Certificate cert) {
        delegate.withTrustedCA(cert);
        return this;
    }
    /**
     * Add a custom SSL context.
     * Overwrites certificates set by {@link #withTrustedCA}.
     *
     * @param sslContext the SSL context
     * @return self
     * @since 0.4.0
     * @deprecated As of 0.8.0 this is no longer supported, please use {@link #withTrustedCA(Path)} or {@link #withTrustedCA(X509Certificate)}.
     */
    public HTTPVaultConnectorFactory withSslContext(final SSLContext sslContext) {
        throw new UnsupportedOperationException("Use of deprecated method, please switch to withTrustedCA()");
    }
    /**
     * Set token for automatic authentication, using {@link #buildAndAuth()}.
     *
     * @param token Vault token
     * @return self
     * @since 0.6.0
     */
    public HTTPVaultConnectorFactory withToken(final String token) {
        delegate.withToken(token);
        return this;
    }
    /**
     * Build connector based on the {@code }VAULT_ADDR} and {@code VAULT_CACERT} (optional) environment variables.
     *
     * @return self
     * @throws VaultConnectorException if Vault address from environment variables is malformed
     * @since 0.6.0
     */
    public HTTPVaultConnectorFactory fromEnv() throws VaultConnectorException {
        delegate.fromEnv();
        return this;
    }
    /**
     * Define the number of retries to attempt on 5xx errors.
     *
     * @param numberOfRetries The number of retries to attempt on 5xx errors (default: 0)
     * @return self
     * @since 0.6.0
     */
    public HTTPVaultConnectorFactory withNumberOfRetries(final int numberOfRetries) {
        delegate.withNumberOfRetries(numberOfRetries);
        return this;
    }
    /**
     * Define a custom timeout for the HTTP connection.
     *
     * @param milliseconds Timeout value in milliseconds.
     * @return self
     * @since 0.6.0
     */
    public HTTPVaultConnectorFactory withTimeout(final int milliseconds) {
        delegate.withTimeout(milliseconds);
        return this;
    }
    @Override
    public HTTPVaultConnector build() {
        return delegate.build();
    }
    @Override
    public HTTPVaultConnector buildAndAuth() throws VaultConnectorException {
        return delegate.buildAndAuth();
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/factory/VaultConnectorFactory.java
+++ b/src/main/java/de/stklcode/jvault/connector/factory/VaultConnectorFactory.java
@ -1,42 +0,0 @@
 /*
 * Copyright 2016-2021 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package de.stklcode.jvault.connector.factory;
 import de.stklcode.jvault.connector.builder.VaultConnectorBuilder;
 /**
 * Abstract Vault Connector Factory interface.
 * Provides builder pattern style factory for Vault connectors.
 *
 * @author Stefan Kalscheuer
 * @since 0.1
 * @deprecated As of 0.8.0 please refer to {@link VaultConnectorBuilder} with identical API.
 */
@Deprecated
 public abstract class VaultConnectorFactory implements VaultConnectorBuilder {
    /**
     * Get Factory implementation for HTTP Vault Connector.
     *
     * @return HTTP Connector Factory
     * @deprecated As of 0.8.0 please refer to {@link VaultConnectorBuilder#http()}.
     */
    @Deprecated
    public static HTTPVaultConnectorFactory httpFactory() {
        return new HTTPVaultConnectorFactory();
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/factory/package-info.java
+++ b/src/main/java/de/stklcode/jvault/connector/factory/package-info.java
@ -1,23 +0,0 @@
 /*
 * Copyright 2016-2021 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 /**
 * This package contains the {@link de.stklcode.jvault.connector.factory.VaultConnectorFactory} to initialize a
 * connector instance.
 *
 * @deprecated As of v0.8.0 please refer to {@link de.stklcode.jvault.connector.builder}.
 */
 package de.stklcode.jvault.connector.factory;
--- a/src/main/java/de/stklcode/jvault/connector/internal/Error.java
+++ b/src/main/java/de/stklcode/jvault/connector/internal/Error.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -29,6 +29,7 @@ final class Error {
    static final String URI_FORMAT = "Invalid URI format";
    static final String RESPONSE_CODE = "Invalid response code";
    static final String INIT_SSL_CONTEXT = "Unable to initialize SSLContext";
    static final String CONNECTION = "Unable to connect to Vault server";
    /**
     * Constructor hidden, this class should not be instantiated.
--- a/src/main/java/de/stklcode/jvault/connector/internal/RequestHelper.java
+++ b/src/main/java/de/stklcode/jvault/connector/internal/RequestHelper.java
@ -1,30 +1,35 @@
 package de.stklcode.jvault.connector.internal;
 import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.SerializationFeature;
 import com.fasterxml.jackson.databind.json.JsonMapper;
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
 import de.stklcode.jvault.connector.exception.*;
 import de.stklcode.jvault.connector.model.response.ErrorResponse;
 import org.apache.http.HttpResponse;
 import org.apache.http.client.config.RequestConfig;
 import org.apache.http.client.methods.*;
 import org.apache.http.client.utils.URIBuilder;
 import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.entity.StringEntity;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClientBuilder;
 import org.apache.http.util.EntityUtils;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManagerFactory;
 import java.io.*;
 import java.net.URI;
 import java.net.URISyntaxException;
-import java.nio.charset.StandardCharsets;
+import java.net.URLEncoder;
-import java.security.*;
+import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
 import java.security.KeyManagementException;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.util.Map;
 import java.util.concurrent.CompletionException;
 import java.util.stream.Collectors;
 import static java.nio.charset.StandardCharsets.UTF_8;
 /**
 * Helper class to bundle Vault HTTP requests.
 *
@ -39,7 +44,7 @@ public final class RequestHelper implements Serializable {
    private final int retries;                      // Number of retries on 5xx errors.
    private final String tlsVersion;                // TLS version (#22).
    private final X509Certificate trustedCaCert;    // Trusted CA certificate.
-    private final ObjectMapper jsonMapper;
+    private final JsonMapper jsonMapper;
    /**
     * Constructor of the request helper.
@ -55,12 +60,16 @@ public final class RequestHelper implements Serializable {
                         final Integer timeout,
                         final String tlsVersion,
                         final X509Certificate trustedCaCert) {
-        this.baseURL = baseURL;
+        this.baseURL = baseURL + (baseURL.endsWith("/") ? "" : "/");
        this.retries = retries;
        this.timeout = timeout;
        this.tlsVersion = tlsVersion;
        this.trustedCaCert = trustedCaCert;
-        this.jsonMapper = new ObjectMapper();
+        this.jsonMapper = JsonMapper.builder()
            .addModule(new JavaTimeModule())
            .enable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS)
            .disable(DeserializationFeature.ADJUST_DATES_TO_CONTEXT_TIME_ZONE)
            .build();
    }
    /**
@ -74,26 +83,24 @@ public final class RequestHelper implements Serializable {
     * @since 0.8 Added {@code token} parameter.
     */
    public String post(final String path, final Object payload, final String token) throws VaultConnectorException {
-        /* Initialize post */
+        // Initialize POST.
-        HttpPost post = new HttpPost(baseURL + path);
+        var req = HttpRequest.newBuilder(URI.create(baseURL + path));
-        /* generate JSON from payload */
+        // Generate JSON from payload.
        StringEntity input;
        try {
-            input = new StringEntity(jsonMapper.writeValueAsString(payload), StandardCharsets.UTF_8);
+            req.POST(HttpRequest.BodyPublishers.ofString(jsonMapper.writeValueAsString(payload), UTF_8));
        } catch (JsonProcessingException e) {
            throw new InvalidRequestException(Error.PARSE_RESPONSE, e);
        }
        input.setContentEncoding("UTF-8");
        input.setContentType("application/json");
        post.setEntity(input);
-        /* Set X-Vault-Token header */
+        req.setHeader("Content-Type", "application/json; charset=utf-8");
        // Set X-Vault-Token header.
        if (token != null) {
-            post.addHeader(HEADER_VAULT_TOKEN, token);
+            req.setHeader(HEADER_VAULT_TOKEN, token);
        }
-        return request(post, retries);
+        return request(req, retries);
    }
    /**
@ -109,7 +116,7 @@ public final class RequestHelper implements Serializable {
     * @since 0.8
     */
    public <T> T post(final String path, final Object payload, final String token, final Class<T> target)
-            throws VaultConnectorException {
+        throws VaultConnectorException {
        try {
            String response = post(path, payload, token);
            return jsonMapper.readValue(response, target);
@ -127,7 +134,8 @@ public final class RequestHelper implements Serializable {
     * @throws VaultConnectorException on connection error
     * @since 0.8
     */
-    public void postWithoutResponse(final String path, final Object payload, final String token) throws VaultConnectorException {
+    public void postWithoutResponse(final String path, final Object payload, final String token)
        throws VaultConnectorException {
        if (!post(path, payload, token).isEmpty()) {
            throw new InvalidResponseException(Error.UNEXPECTED_RESPONSE);
        }
@ -143,27 +151,26 @@ public final class RequestHelper implements Serializable {
     * @throws VaultConnectorException on connection error
     * @since 0.8 Added {@code token} parameter.
     */
-    public String put(final String path, final Map<String, String> payload, final String token) throws VaultConnectorException {
+    public String put(final String path, final Map<String, String> payload, final String token)
-        /* Initialize put */
+        throws VaultConnectorException {
-        HttpPut put = new HttpPut(baseURL + path);
+        // Initialize PUT.
        var req = HttpRequest.newBuilder(URI.create(baseURL + path));
-        /* generate JSON from payload */
+        // Generate JSON from payload.
        StringEntity entity = null;
        try {
-            entity = new StringEntity(jsonMapper.writeValueAsString(payload));
+            req.PUT(HttpRequest.BodyPublishers.ofString(jsonMapper.writeValueAsString(payload), UTF_8));
-        } catch (UnsupportedEncodingException | JsonProcessingException e) {
+        } catch (JsonProcessingException e) {
            throw new InvalidRequestException("Payload serialization failed", e);
        }
-        /* Parse parameters */
+        req.setHeader("Content-Type", "application/json; charset=utf-8");
        put.setEntity(entity);
-        /* Set X-Vault-Token header */
+        // Set X-Vault-Token header.
        if (token != null) {
-            put.addHeader(HEADER_VAULT_TOKEN, token);
+            req.setHeader(HEADER_VAULT_TOKEN, token);
        }
-        return request(put, retries);
+        return request(req, retries);
    }
    /**
@ -179,7 +186,7 @@ public final class RequestHelper implements Serializable {
     * @since 0.8
     */
    public <T> T put(final String path, final Map<String, String> payload, final String token, final Class<T> target)
-            throws VaultConnectorException {
+        throws VaultConnectorException {
        try {
            String response = put(path, payload, token);
            return jsonMapper.readValue(response, target);
@ -198,7 +205,7 @@ public final class RequestHelper implements Serializable {
     * @since 0.8
     */
    public void putWithoutResponse(final String path, final Map<String, String> payload, final String token)
-            throws VaultConnectorException {
+        throws VaultConnectorException {
        if (!put(path, payload, token).isEmpty()) {
            throw new InvalidResponseException(Error.UNEXPECTED_RESPONSE);
        }
@ -214,15 +221,15 @@ public final class RequestHelper implements Serializable {
     * @since 0.8 Added {@code token} parameter.
     */
    public String delete(final String path, final String token) throws VaultConnectorException {
-        /* Initialize delete */
+        // Initialize DELETE.
-        HttpDelete delete = new HttpDelete(baseURL + path);
+        HttpRequest.Builder req = HttpRequest.newBuilder(URI.create(baseURL + path)).DELETE();
-        /* Set X-Vault-Token header */
+        // Set X-Vault-Token header.
        if (token != null) {
-            delete.addHeader(HEADER_VAULT_TOKEN, token);
+            req.setHeader(HEADER_VAULT_TOKEN, token);
        }
-        return request(delete, retries);
+        return request(req, retries);
    }
    /**
@ -250,26 +257,32 @@ public final class RequestHelper implements Serializable {
     * @since 0.8 Added {@code token} parameter.
     */
    public String get(final String path, final Map<String, String> payload, final String token)
-            throws VaultConnectorException {
+        throws VaultConnectorException {
-        HttpGet get;
+        // Add parameters to URI.
-        try {
+        var uriBuilder = new StringBuilder(baseURL + path);
            /* Add parameters to URI */
            URIBuilder uriBuilder = new URIBuilder(baseURL + path);
            payload.forEach(uriBuilder::addParameter);
-            /* Initialize request */
+        if (!payload.isEmpty()) {
-            get = new HttpGet(uriBuilder.build());
+            uriBuilder.append("?").append(
                payload.entrySet().stream().map(par ->
                    URLEncoder.encode(par.getKey(), UTF_8) + "=" + URLEncoder.encode(par.getValue(), UTF_8)
                ).collect(Collectors.joining("&"))
            );
        }
        // Initialize GET.
        try {
            var req = HttpRequest.newBuilder(new URI(uriBuilder.toString()));
            // Set X-Vault-Token header.
            if (token != null) {
                req.setHeader(HEADER_VAULT_TOKEN, token);
            }
            return request(req, retries);
        } catch (URISyntaxException e) {
            /* this should never occur and may leak sensible information */
            throw new InvalidRequestException(Error.URI_FORMAT);
        }
        /* Set X-Vault-Token header */
        if (token != null) {
            get.addHeader(HEADER_VAULT_TOKEN, token);
        }
        return request(get, retries);
    }
    /**
@ -285,7 +298,7 @@ public final class RequestHelper implements Serializable {
     * @since 0.8
     */
    public <T> T get(final String path, final Map<String, String> payload, final String token, final Class<T> target)
-            throws VaultConnectorException {
+        throws VaultConnectorException {
        try {
            String response = get(path, payload, token);
            return jsonMapper.readValue(response, target);
@ -297,34 +310,40 @@ public final class RequestHelper implements Serializable {
    /**
     * Execute prepared HTTP request and return result.
     *
-     * @param base    Prepares Request
+     * @param requestBuilder Prepared request.
-     * @param retries number of retries
+     * @param retries        Number of retries.
     * @return HTTP response
     * @throws VaultConnectorException on connection error
     */
-    private String request(final HttpRequestBase base, final int retries) throws VaultConnectorException {
+    private String request(final HttpRequest.Builder requestBuilder, final int retries) throws VaultConnectorException {
-        /* Set JSON Header */
+        // Set JSON Header.
-        base.addHeader("accept", "application/json");
+        requestBuilder.setHeader("accept", "application/json");
-        CloseableHttpResponse response = null;
+        var clientBuilder = HttpClient.newBuilder();
-        try (CloseableHttpClient httpClient = HttpClientBuilder.create()
+        // Set custom timeout, if defined.
-                .setSSLSocketFactory(createSSLSocketFactory())
+        if (this.timeout != null) {
-                .build()) {
+            clientBuilder.connectTimeout(Duration.ofMillis(timeout));
-            /* Set custom timeout, if defined */
+        }
            if (this.timeout != null) {
                base.setConfig(RequestConfig.copy(RequestConfig.DEFAULT).setConnectTimeout(timeout).build());
            }
-            /* Execute request */
+        // Set custom SSL context.
-            response = httpClient.execute(base);
+        clientBuilder.sslContext(createSSLContext());
        HttpClient client = clientBuilder.build();
        // Execute request.
        try {
            HttpResponse<InputStream> response = client.sendAsync(
                requestBuilder.build(),
                HttpResponse.BodyHandlers.ofInputStream()
            ).join();
            /* Check if response is valid */
            if (response == null) {
                throw new InvalidResponseException("Response unavailable");
            }
-            switch (response.getStatusLine().getStatusCode()) {
+            switch (response.statusCode()) {
                case 200:
                    return handleResult(response);
                case 204:
@ -332,65 +351,61 @@ public final class RequestHelper implements Serializable {
                case 403:
                    throw new PermissionDeniedException();
                default:
-                    if (response.getStatusLine().getStatusCode() >= 500
+                    if (response.statusCode() >= 500 && response.statusCode() < 600 && retries > 0) {
-                            && response.getStatusLine().getStatusCode() < 600 && retries > 0) {
+                        // Retry on 5xx errors.
-                        /* Retry on 5xx errors */
+                        return request(requestBuilder, retries - 1);
                        return request(base, retries - 1);
                    } else {
-                        /* Fail on different error code and/or no retries left */
+                        // Fail on different error code and/or no retries left.
                        handleError(response);
-                        /* Throw exception without details, if response entity is empty. */
+                        // Throw exception without details, if response entity is empty.
-                        throw new InvalidResponseException(Error.RESPONSE_CODE,
+                        throw new InvalidResponseException(Error.RESPONSE_CODE, response.statusCode());
                                response.getStatusLine().getStatusCode());
                    }
            }
-        } catch (IOException e) {
+        } catch (CompletionException e) {
-            throw new InvalidResponseException(Error.READ_RESPONSE, e);
+            throw new ConnectionException(Error.CONNECTION, e.getCause());
        } finally {
-            if (response != null && response.getEntity() != null) {
+            if (client instanceof AutoCloseable) {
                // Close the client, which is supported since JDK21.
                try {
-                    EntityUtils.consume(response.getEntity());
+                    ((AutoCloseable) client).close();
-                } catch (IOException ignored) {
+                } catch (Exception ignored) {
-                    // Exception ignored.
+                    // Ignore
                }
            }
        }
    }
    /**
-     * Create a custom socket factory from trusted CA certificate.
+     * Create a custom SSL context from trusted CA certificate.
     *
-     * @return The factory.
+     * @return The context.
     * @throws TlsException An error occurred during initialization of the SSL context.
     * @since 0.8.0
     * @since 0.10 Generate {@link SSLContext} instead of Apache {@code SSLConnectionSocketFactory}
     */
-    private SSLConnectionSocketFactory createSSLSocketFactory() throws TlsException {
+    private SSLContext createSSLContext() throws TlsException {
        try {
-            // Create context..
+            // Create context.
-            SSLContext context = SSLContext.getInstance(tlsVersion);
+            var sslContext = SSLContext.getInstance(tlsVersion);
            if (trustedCaCert != null) {
                // Create Keystore with trusted certificate.
-                KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+                var keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
                keyStore.load(null, null);
                keyStore.setCertificateEntry("trustedCert", trustedCaCert);
                // Initialize TrustManager.
-                TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+                var tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                tmf.init(keyStore);
-                context.init(null, tmf.getTrustManagers(), null);
+                sslContext.init(null, tmf.getTrustManagers(), null);
            } else {
-                context.init(null, null, null);
+                sslContext.init(null, null, null);
            }
-            return new SSLConnectionSocketFactory(
+            return sslContext;
-                    context,
+        } catch (CertificateException | NoSuchAlgorithmException | KeyStoreException | IOException |
-                    null,
+                 KeyManagementException e) {
                    null,
                    SSLConnectionSocketFactory.getDefaultHostnameVerifier()
            );
        } catch (CertificateException | NoSuchAlgorithmException | KeyStoreException | IOException | KeyManagementException e) {
            throw new TlsException(Error.INIT_SSL_CONTEXT, e);
        }
    }
@ -402,10 +417,9 @@ public final class RequestHelper implements Serializable {
     * @return Complete response body as String
     * @throws InvalidResponseException on reading errors
     */
-    private String handleResult(final HttpResponse response) throws InvalidResponseException {
+    private String handleResult(final HttpResponse<InputStream> response) throws InvalidResponseException {
-        try (BufferedReader br = new BufferedReader(
+        try (var reader = new BufferedReader(new InputStreamReader(response.body(), UTF_8))) {
-                new InputStreamReader(response.getEntity().getContent()))) {
+            return reader.lines().collect(Collectors.joining("\n"));
            return br.lines().collect(Collectors.joining("\n"));
        } catch (IOException ignored) {
            throw new InvalidResponseException(Error.READ_RESPONSE, 200);
        }
@ -417,21 +431,20 @@ public final class RequestHelper implements Serializable {
     * @param response The raw HTTP response (assuming status code 5xx)
     * @throws VaultConnectorException Expected exception with details to throw
     */
-    private void handleError(final HttpResponse response) throws VaultConnectorException {
+    private void handleError(final HttpResponse<InputStream> response) throws VaultConnectorException {
-        if (response.getEntity() != null) {
+        try (var body = response.body()) {
-            try (BufferedReader br = new BufferedReader(
+            if (body != null) {
-                    new InputStreamReader(response.getEntity().getContent()))) {
+                try (var reader = new BufferedReader(new InputStreamReader(body, UTF_8))) {
-                String responseString = br.lines().collect(Collectors.joining("\n"));
+                    ErrorResponse er = jsonMapper.readValue(reader, ErrorResponse.class);
-                ErrorResponse er = jsonMapper.readValue(responseString, ErrorResponse.class);
+                    /* Check for "permission denied" response */
-                /* Check for "permission denied" response */
+                    if (!er.getErrors().isEmpty() && er.getErrors().get(0).equals("permission denied")) {
-                if (!er.getErrors().isEmpty() && er.getErrors().get(0).equals("permission denied")) {
+                        throw new PermissionDeniedException();
-                    throw new PermissionDeniedException();
+                    }
                    throw new InvalidResponseException(Error.RESPONSE_CODE, response.statusCode(), er.toString());
                }
                throw new InvalidResponseException(Error.RESPONSE_CODE,
                        response.getStatusLine().getStatusCode(), er.toString());
            } catch (IOException ignored) {
                // Exception ignored.
            }
        } catch (IOException ignored) {
            // Exception ignored.
        }
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/AppRole.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/AppRole.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -18,27 +18,21 @@ package de.stklcode.jvault.connector.model;
 import com.fasterxml.jackson.annotation.*;
 import java.io.Serializable;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Objects;
 /**
 * Vault AppRole role metamodel.
 *
 * @author Stefan Kalscheuer
 * @since 0.4.0
 * @since 1.1 implements {@link Serializable}
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public final class AppRole {
+public final class AppRole implements Serializable {
-    /**
+    private static final long serialVersionUID = 693228837510483448L;
     * Get {@link Builder} instance.
     *
     * @param name Role name.
     * @return AppRole Builder.
     * @since 0.8
     */
    public static Builder builder(final String name) {
        return new Builder(name);
    }
    @JsonProperty("role_name")
    private String name;
@ -61,9 +55,9 @@ public final class AppRole {
    @JsonInclude(JsonInclude.Include.NON_NULL)
    private Integer secretIdTtl;
-    @JsonProperty("enable_local_secret_ids")
+    @JsonProperty("local_secret_ids")
    @JsonInclude(JsonInclude.Include.NON_NULL)
-    private Boolean enableLocalSecretIds;
+    private Boolean localSecretIds;
    @JsonProperty("token_ttl")
    @JsonInclude(JsonInclude.Include.NON_NULL)
@ -105,53 +99,6 @@ public final class AppRole {
    public AppRole() {
    }
    /**
     * Construct complete {@link AppRole} object.
     * <p>
     * This constructor is used for transition from {@code bound_cidr_list} to {@code secret_id_bound_cidrs} only.
     *
     * @param name                 Role name (required)
     * @param id                   Role ID (optional)
     * @param bindSecretId         Bind secret ID (optional)
     * @param secretIdBoundCidrs   Whitelist of subnets in CIDR notation (optional)
     * @param secretIdNumUses      Maximum number of uses per secret (optional)
     * @param secretIdTtl          Maximum TTL in seconds for secrets (optional)
     * @param enableLocalSecretIds Enable local secret IDs (optional)
     * @param tokenTtl             Token TTL in seconds (optional)
     * @param tokenMaxTtl          Maximum token TTL in seconds, including renewals (optional)
     * @param tokenPolicies        List of token policies (optional)
     * @param tokenBoundCidrs      Whitelist of subnets in CIDR notation for associated tokens (optional)
     * @param tokenExplicitMaxTtl  Explicit maximum TTL for associated tokens (optional)
     * @param tokenNoDefaultPolicy Enable or disable default policy for associated tokens (optional)
     * @param tokenNumUses         Number of uses for tokens (optional)
     * @param tokenPeriod          Duration in seconds, if set the token is a periodic token (optional)
     * @param tokenType            Token type (optional)
     * @deprecated As of 0.9 in favor of {@link #builder(String)}. Will be removed with next major release.
     */
    @Deprecated
    AppRole(final String name, final String id, final Boolean bindSecretId, final List<String> secretIdBoundCidrs,
            final Integer secretIdNumUses, final Integer secretIdTtl, final Boolean enableLocalSecretIds,
            final Integer tokenTtl, final Integer tokenMaxTtl, final List<String> tokenPolicies,
            final List<String> tokenBoundCidrs, final Integer tokenExplicitMaxTtl, final Boolean tokenNoDefaultPolicy,
            final Integer tokenNumUses, final Integer tokenPeriod, final String tokenType) {
        this.name = name;
        this.id = id;
        this.bindSecretId = bindSecretId;
        this.secretIdBoundCidrs = secretIdBoundCidrs;
        this.tokenPolicies = tokenPolicies;
        this.secretIdNumUses = secretIdNumUses;
        this.secretIdTtl = secretIdTtl;
        this.enableLocalSecretIds = enableLocalSecretIds;
        this.tokenTtl = tokenTtl;
        this.tokenMaxTtl = tokenMaxTtl;
        this.tokenBoundCidrs = tokenBoundCidrs;
        this.tokenExplicitMaxTtl = tokenExplicitMaxTtl;
        this.tokenNoDefaultPolicy = tokenNoDefaultPolicy;
        this.tokenNumUses = tokenNumUses;
        this.tokenPeriod = tokenPeriod;
        this.tokenType = tokenType;
    }
    /**
     * Construct {@link AppRole} object from {@link AppRole.Builder}.
     *
@ -164,7 +111,7 @@ public final class AppRole {
        this.secretIdBoundCidrs = builder.secretIdBoundCidrs;
        this.secretIdNumUses = builder.secretIdNumUses;
        this.secretIdTtl = builder.secretIdTtl;
-        this.enableLocalSecretIds = builder.enableLocalSecretIds;
+        this.localSecretIds = builder.localSecretIds;
        this.tokenTtl = builder.tokenTtl;
        this.tokenMaxTtl = builder.tokenMaxTtl;
        this.tokenPolicies = builder.tokenPolicies;
@ -176,6 +123,17 @@ public final class AppRole {
        this.tokenType = builder.tokenType != null ? builder.tokenType.value() : null;
    }
    /**
     * Get {@link Builder} instance.
     *
     * @param name Role name.
     * @return AppRole Builder.
     * @since 0.8
     */
    public static Builder builder(final String name) {
        return new Builder(name);
    }
    /**
     * @return the role name
     */
@ -265,16 +223,6 @@ public final class AppRole {
        return tokenPolicies;
    }
    /**
     * @return list of token policies
     * @deprecated Use {@link #getTokenPolicies()} instead.
     */
    @Deprecated
    @JsonIgnore
    public List<String> getPolicies() {
        return getTokenPolicies();
    }
    /**
     * @param tokenPolicies list of token policies
     * @since 0.9
@ -284,16 +232,6 @@ public final class AppRole {
        this.tokenPolicies = tokenPolicies;
    }
    /**
     * @param policies list of policies
     * @deprecated Use {@link #setTokenPolicies(List)} instead.
     */
    @Deprecated
    @JsonIgnore
    public void setPolicies(final List<String> policies) {
        setTokenPolicies(policies);
    }
    /**
     * @return list of policies as comma-separated {@link String}
     * @since 0.9
@ -307,16 +245,6 @@ public final class AppRole {
        return String.join(",", tokenPolicies);
    }
    /**
     * @return list of policies as comma-separated {@link String}
     * @deprecated Use {@link #getTokenPoliciesString()} instead.
     */
    @Deprecated
    @JsonIgnore
    public String getPoliciesString() {
        return getTokenPoliciesString();
    }
    /**
     * @return maximum number of uses per secret
     */
@ -334,9 +262,10 @@ public final class AppRole {
    /**
     * @return Enable local secret IDs?
     * @since 0.9
     * @since 1.3 renamed to {@code getLocalSecretIds()}
     */
-    public Boolean getEnableLocalSecretIds() {
+    public Boolean getLocalSecretIds() {
-        return enableLocalSecretIds;
+        return localSecretIds;
    }
    /**
@ -385,16 +314,6 @@ public final class AppRole {
        return tokenPeriod;
    }
    /**
     * @return duration in seconds, if specified
     * @deprecated Use {@link #getTokenPeriod()} instead.
     */
    @Deprecated
    @JsonIgnore
    public Integer getPeriod() {
        return getTokenPeriod();
    }
    /**
     * @return duration in seconds, if specified
     * @since 0.9
@ -403,6 +322,39 @@ public final class AppRole {
        return tokenType;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass()) {
            return false;
        }
        AppRole appRole = (AppRole) o;
        return Objects.equals(name, appRole.name) &&
            Objects.equals(id, appRole.id) &&
            Objects.equals(bindSecretId, appRole.bindSecretId) &&
            Objects.equals(secretIdBoundCidrs, appRole.secretIdBoundCidrs) &&
            Objects.equals(secretIdNumUses, appRole.secretIdNumUses) &&
            Objects.equals(secretIdTtl, appRole.secretIdTtl) &&
            Objects.equals(localSecretIds, appRole.localSecretIds) &&
            Objects.equals(tokenTtl, appRole.tokenTtl) &&
            Objects.equals(tokenMaxTtl, appRole.tokenMaxTtl) &&
            Objects.equals(tokenPolicies, appRole.tokenPolicies) &&
            Objects.equals(tokenBoundCidrs, appRole.tokenBoundCidrs) &&
            Objects.equals(tokenExplicitMaxTtl, appRole.tokenExplicitMaxTtl) &&
            Objects.equals(tokenNoDefaultPolicy, appRole.tokenNoDefaultPolicy) &&
            Objects.equals(tokenNumUses, appRole.tokenNumUses) &&
            Objects.equals(tokenPeriod, appRole.tokenPeriod) &&
            Objects.equals(tokenType, appRole.tokenType);
    }
    @Override
    public int hashCode() {
        return Objects.hash(name, id, bindSecretId, secretIdBoundCidrs, secretIdNumUses, secretIdTtl,
            localSecretIds, tokenTtl, tokenMaxTtl, tokenPolicies, tokenBoundCidrs, tokenExplicitMaxTtl,
            tokenNoDefaultPolicy, tokenNumUses, tokenPeriod, tokenType);
    }
    /**
     * A builder for vault AppRole roles..
@ -419,7 +371,7 @@ public final class AppRole {
        private List<String> tokenPolicies;
        private Integer secretIdNumUses;
        private Integer secretIdTtl;
-        private Boolean enableLocalSecretIds;
+        private Boolean localSecretIds;
        private Integer tokenTtl;
        private Integer tokenMaxTtl;
        private List<String> tokenBoundCidrs;
@ -536,18 +488,6 @@ public final class AppRole {
            return this;
        }
        /**
         * Add given policies.
         *
         * @param policies the policies
         * @return self
         * @deprecated Use {@link #withTokenPolicies(List)} instead.
         */
        @Deprecated
        public Builder withPolicies(final List<String> policies) {
            return withTokenPolicies(policies);
        }
        /**
         * Add a single policy.
         *
@ -563,18 +503,6 @@ public final class AppRole {
            return this;
        }
        /**
         * Add a single policy.
         *
         * @param policy the policy
         * @return self
         * @deprecated Use {@link #withTokenPolicy(String)} instead.
         */
        @Deprecated
        public Builder withPolicy(final String policy) {
            return withTokenPolicy(policy);
        }
        /**
         * Set number of uses for sectet IDs.
         *
@ -600,12 +528,13 @@ public final class AppRole {
        /**
         * Enable or disable local secret IDs.
         *
-         * @param enableLocalSecretIds Enable local secret IDs?
+         * @param localSecretIds Enable local secret IDs?
         * @return self
         * @since 0.9
         * @since 1.3 renamed to {@code withLocalSecretIds()}
         */
-        public Builder withEnableLocalSecretIds(final Boolean enableLocalSecretIds) {
+        public Builder withLocalSecretIds(final Boolean localSecretIds) {
-            this.enableLocalSecretIds = enableLocalSecretIds;
+            this.localSecretIds = localSecretIds;
            return this;
        }
@ -703,23 +632,11 @@ public final class AppRole {
         * @return self
         * @since 0.9
         */
-        public Builder wit0hTokenPeriod(final Integer tokenPeriod) {
+        public Builder withTokenPeriod(final Integer tokenPeriod) {
            this.tokenPeriod = tokenPeriod;
            return this;
        }
        /**
         * Set renewal period for generated token in seconds.
         *
         * @param period period in seconds
         * @return self
         * @deprecated Use {@link #wit0hTokenPeriod(Integer)} instead.
         */
        @Deprecated
        public Builder withPeriod(final Integer period) {
            return wit0hTokenPeriod(period);
        }
        /**
         * Set type of generated token.
         *
--- a/src/main/java/de/stklcode/jvault/connector/model/AppRoleBuilder.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/AppRoleBuilder.java
@ -1,365 +0,0 @@
 /*
 * Copyright 2016-2021 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package de.stklcode.jvault.connector.model;
 import java.util.ArrayList;
 import java.util.List;
 /**
 * A builder for vault AppRole roles..
 *
 * @author Stefan Kalscheuer
 * @since 0.4.0
 * @deprecated As of 0.9 in favor of {@link AppRole.Builder}.
 */
@Deprecated
 public final class AppRoleBuilder {
    private String name;
    private String id;
    private Boolean bindSecretId;
    private List<String> secretIdBoundCidrs;
    private List<String> tokenPolicies;
    private Integer secretIdNumUses;
    private Integer secretIdTtl;
    private Boolean enableLocalSecretIds;
    private Integer tokenTtl;
    private Integer tokenMaxTtl;
    private List<String> tokenBoundCidrs;
    private Integer tokenExplicitMaxTtl;
    private Boolean tokenNoDefaultPolicy;
    private Integer tokenNumUses;
    private Integer tokenPeriod;
    private Token.Type tokenType;
    /**
     * Construct {@link AppRoleBuilder} with only the role name set.
     *
     * @param name Role name
     */
    public AppRoleBuilder(final String name) {
        this.name = name;
    }
    /**
     * Add custom role ID. (optional)
     *
     * @param id the ID
     * @return self
     */
    public AppRoleBuilder withId(final String id) {
        this.id = id;
        return this;
    }
    /**
     * Set if role is bound to secret ID.
     *
     * @param bindSecretId the display name
     * @return self
     */
    public AppRoleBuilder withBindSecretID(final Boolean bindSecretId) {
        this.bindSecretId = bindSecretId;
        return this;
    }
    /**
     * Bind role to secret ID.
     * Convenience method for {@link #withBindSecretID(Boolean)}
     *
     * @return self
     */
    public AppRoleBuilder withBindSecretID() {
        return withBindSecretID(true);
    }
    /**
     * Do not bind role to secret ID.
     * Convenience method for {@link #withBindSecretID(Boolean)}
     *
     * @return self
     */
    public AppRoleBuilder withoutBindSecretID() {
        return withBindSecretID(false);
    }
    /**
     * Set bound CIDR blocks.
     *
     * @param secretIdBoundCidrs List of CIDR blocks which can perform login
     * @return self
     * @since 0.8 replaces {@code withBoundCidrList(List)}
     */
    public AppRoleBuilder withSecretIdBoundCidrs(final List<String> secretIdBoundCidrs) {
        if (this.secretIdBoundCidrs == null) {
            this.secretIdBoundCidrs = new ArrayList<>();
        }
        this.secretIdBoundCidrs.addAll(secretIdBoundCidrs);
        return this;
    }
    /**
     * Add a CIDR block to list of bound blocks for secret.
     *
     * @param secretBoundCidr the CIDR block
     * @return self
     * @since 0.9
     */
    public AppRoleBuilder withSecretBoundCidr(final String secretBoundCidr) {
        if (secretIdBoundCidrs == null) {
            secretIdBoundCidrs = new ArrayList<>();
        }
        secretIdBoundCidrs.add(secretBoundCidr);
        return this;
    }
    /**
     * Add given policies.
     *
     * @param tokenPolicies the token policies
     * @return self
     * @since 0.9
     */
    public AppRoleBuilder withTokenPolicies(final List<String> tokenPolicies) {
        if (this.tokenPolicies == null) {
            this.tokenPolicies = new ArrayList<>();
        }
        this.tokenPolicies.addAll(tokenPolicies);
        return this;
    }
    /**
     * Add given policies.
     *
     * @param policies the policies
     * @return self
     * @deprecated Use {@link #withTokenPolicies(List)} instead.
     */
    @Deprecated
    public AppRoleBuilder withPolicies(final List<String> policies) {
        return withTokenPolicies(policies);
    }
    /**
     * Add a single policy.
     *
     * @param tokenPolicy the token policy
     * @return self
     * @since 0.9
     */
    public AppRoleBuilder withTokenPolicy(final String tokenPolicy) {
        if (this.tokenPolicies == null) {
            this.tokenPolicies = new ArrayList<>();
        }
        tokenPolicies.add(tokenPolicy);
        return this;
    }
    /**
     * Add a single policy.
     *
     * @param policy the policy
     * @return self
     * @deprecated Use {@link #withTokenPolicy(String)} instead.
     */
    @Deprecated
    public AppRoleBuilder withPolicy(final String policy) {
        return withTokenPolicy(policy);
    }
    /**
     * Set number of uses for secret IDs.
     *
     * @param secretIdNumUses the number of uses
     * @return self
     */
    public AppRoleBuilder withSecretIdNumUses(final Integer secretIdNumUses) {
        this.secretIdNumUses = secretIdNumUses;
        return this;
    }
    /**
     * Set default secret ID TTL in seconds.
     *
     * @param secretIdTtl the TTL
     * @return self
     */
    public AppRoleBuilder withSecretIdTtl(final Integer secretIdTtl) {
        this.secretIdTtl = secretIdTtl;
        return this;
    }
    /**
     * Enable or disable local secret IDs.
     *
     * @param enableLocalSecretIds Enable local secret IDs?
     * @return self
     * @since 0.9
     */
    public AppRoleBuilder withEnableLocalSecretIds(final Boolean enableLocalSecretIds) {
        this.enableLocalSecretIds = enableLocalSecretIds;
        return this;
    }
    /**
     * Set default token TTL in seconds.
     *
     * @param tokenTtl the TTL
     * @return self
     */
    public AppRoleBuilder withTokenTtl(final Integer tokenTtl) {
        this.tokenTtl = tokenTtl;
        return this;
    }
    /**
     * Set maximum token TTL in seconds.
     *
     * @param tokenMaxTtl the TTL
     * @return self
     */
    public AppRoleBuilder withTokenMaxTtl(final Integer tokenMaxTtl) {
        this.tokenMaxTtl = tokenMaxTtl;
        return this;
    }
    /**
     * Set bound CIDR blocks for associated tokens.
     *
     * @param tokenBoundCidrs List of CIDR blocks which can perform login
     * @return self
     * @since 0.9
     */
    public AppRoleBuilder withTokenBoundCidrs(final List<String> tokenBoundCidrs) {
        if (this.tokenBoundCidrs == null) {
            this.tokenBoundCidrs = new ArrayList<>();
        }
        this.tokenBoundCidrs.addAll(tokenBoundCidrs);
        return this;
    }
    /**
     * Add a CIDR block to list of bound blocks for token.
     *
     * @param tokenBoundCidr the CIDR block
     * @return self
     * @since 0.9
     */
    public AppRoleBuilder withTokenBoundCidr(final String tokenBoundCidr) {
        if (tokenBoundCidrs == null) {
            tokenBoundCidrs = new ArrayList<>();
        }
        tokenBoundCidrs.add(tokenBoundCidr);
        return this;
    }
    /**
     * Set explicit maximum token TTL in seconds.
     *
     * @param tokenExplicitMaxTtl the TTL
     * @return self
     */
    public AppRoleBuilder withTokenExplicitMaxTtl(final Integer tokenExplicitMaxTtl) {
        this.tokenExplicitMaxTtl = tokenExplicitMaxTtl;
        return this;
    }
    /**
     * Enable or disable default policy for generated token.
     *
     * @param tokenNoDefaultPolicy Enable default policy for token?
     * @return self
     * @since 0.9
     */
    public AppRoleBuilder withTokenNoDefaultPolicy(final Boolean tokenNoDefaultPolicy) {
        this.tokenNoDefaultPolicy = tokenNoDefaultPolicy;
        return this;
    }
    /**
     * Set number of uses for generated tokens.
     *
     * @param tokenNumUses number of uses for tokens
     * @return self
     * @since 0.9
     */
    public AppRoleBuilder withTokenNumUses(final Integer tokenNumUses) {
        this.tokenNumUses = tokenNumUses;
        return this;
    }
    /**
     * Set renewal period for generated token in seconds.
     *
     * @param tokenPeriod period in seconds
     * @return self
     * @since 0.9
     */
    public AppRoleBuilder wit0hTokenPeriod(final Integer tokenPeriod) {
        this.tokenPeriod = tokenPeriod;
        return this;
    }
    /**
     * Set renewal period for generated token in seconds.
     *
     * @param period period in seconds
     * @return self
     * @deprecated Use {@link #wit0hTokenPeriod(Integer)} instead.
     */
    @Deprecated
    public AppRoleBuilder withPeriod(final Integer period) {
        return wit0hTokenPeriod(period);
    }
    /**
     * Set type of generated token.
     *
     * @param tokenType token type
     * @return self
     * @since 0.9
     */
    public AppRoleBuilder withTokenType(final Token.Type tokenType) {
        this.tokenType = tokenType;
        return this;
    }
    /**
     * Build the AppRole role based on given parameters.
     *
     * @return the role
     */
    public AppRole build() {
        return new AppRole(
                name,
                id,
                bindSecretId,
                secretIdBoundCidrs,
                secretIdNumUses,
                secretIdTtl,
                enableLocalSecretIds,
                tokenTtl,
                tokenMaxTtl,
                tokenPolicies,
                tokenBoundCidrs,
                tokenExplicitMaxTtl,
                tokenNoDefaultPolicy,
                tokenNumUses,
                tokenPeriod,
                tokenType != null ? tokenType.value() : null
        );
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/AppRoleSecret.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/AppRoleSecret.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -18,17 +18,22 @@ package de.stklcode.jvault.connector.model;
 import com.fasterxml.jackson.annotation.*;
 import java.io.Serializable;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
 /**
 * Vault AppRole role metamodel.
 *
 * @author Stefan Kalscheuer
 * @since 0.4.0
 * @since 1.1 implements {@link Serializable}
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public final class AppRoleSecret {
+public final class AppRoleSecret implements Serializable {
    private static final long serialVersionUID = -3401074170145792641L;
    @JsonProperty("secret_id")
    @JsonInclude(JsonInclude.Include.NON_NULL)
    private String id;
@ -166,4 +171,29 @@ public final class AppRoleSecret {
    public Integer getTtl() {
        return ttl;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass()) {
            return false;
        }
        AppRoleSecret that = (AppRoleSecret) o;
        return Objects.equals(id, that.id) &&
            Objects.equals(accessor, that.accessor) &&
            Objects.equals(metadata, that.metadata) &&
            Objects.equals(cidrList, that.cidrList) &&
            Objects.equals(creationTime, that.creationTime) &&
            Objects.equals(expirationTime, that.expirationTime) &&
            Objects.equals(lastUpdatedTime, that.lastUpdatedTime) &&
            Objects.equals(numUses, that.numUses) &&
            Objects.equals(ttl, that.ttl);
    }
    @Override
    public int hashCode() {
        return Objects.hash(id, accessor, metadata, cidrList, creationTime, expirationTime, lastUpdatedTime, numUses,
            ttl);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/AuthBackend.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/AuthBackend.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -24,7 +24,6 @@ package de.stklcode.jvault.connector.model;
 */
 public enum AuthBackend {
    TOKEN("token"),
    APPID("app-id"),
    APPROLE("approle"),
    USERPASS("userpass"),
    GITHUB("github"),   // Not supported yet.
--- a/src/main/java/de/stklcode/jvault/connector/model/Token.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/Token.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -20,6 +20,7 @@ import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import java.io.Serializable;
 import java.util.*;
 /**
@ -27,18 +28,11 @@ import java.util.*;
 *
 * @author Stefan Kalscheuer
 * @since 0.4.0
 * @since 1.1 implements {@link Serializable}
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public final class Token {
+public final class Token implements Serializable {
-    /**
+    private static final long serialVersionUID = 5208508683665365287L;
     * Get {@link Builder} instance.
     *
     * @return Token Builder.
     * @since 0.8
     */
    public static Builder builder() {
        return new Builder();
    }
    @JsonProperty("id")
    @JsonInclude(JsonInclude.Include.NON_NULL)
@ -98,71 +92,6 @@ public final class Token {
    public Token() {
    }
    /**
     * Construct complete {@link Token} object with default type.
     *
     * @param id              Token ID (optional)
     * @param displayName     Token display name (optional)
     * @param noParent        Token has no parent (optional)
     * @param noDefaultPolicy Do not add default policy (optional)
     * @param ttl             Token TTL in seconds (optional)
     * @param numUses         Number of uses (optional)
     * @param policies        List of policies (optional)
     * @param meta            Metadata (optional)
     * @param renewable       Is the token renewable (optional)
     * @deprecated As of 0.9 in favor of {@link #builder()}. Will be removed with next major release.
     */
    @Deprecated
    public Token(final String id,
                 final String displayName,
                 final Boolean noParent,
                 final Boolean noDefaultPolicy,
                 final Integer ttl,
                 final Integer numUses,
                 final List<String> policies,
                 final Map<String, String> meta,
                 final Boolean renewable) {
        this(id, Type.DEFAULT.value(), displayName, noParent, noDefaultPolicy, ttl, numUses, policies, meta, renewable);
    }
    /**
     * Construct complete {@link Token} object.
     *
     * @param id              Token ID (optional)
     * @param type            Token type (optional)
     * @param displayName     Token display name (optional)
     * @param noParent        Token has no parent (optional)
     * @param noDefaultPolicy Do not add default policy (optional)
     * @param ttl             Token TTL in seconds (optional)
     * @param numUses         Number of uses (optional)
     * @param policies        List of policies (optional)
     * @param meta            Metadata (optional)
     * @param renewable       Is the token renewable (optional)
     * @deprecated As of 0.9 in favor of {@link #builder()}. Will be removed with next major release.
     */
    @Deprecated
    public Token(final String id,
                 final String type,
                 final String displayName,
                 final Boolean noParent,
                 final Boolean noDefaultPolicy,
                 final Integer ttl,
                 final Integer numUses,
                 final List<String> policies,
                 final Map<String, String> meta,
                 final Boolean renewable) {
        this.id = id;
        this.type = type;
        this.displayName = displayName;
        this.ttl = ttl;
        this.numUses = numUses;
        this.noParent = noParent;
        this.noDefaultPolicy = noDefaultPolicy;
        this.policies = policies;
        this.meta = meta;
        this.renewable = renewable;
    }
    /**
     * Construct {@link Token} object from {@link Builder}.
     *
@ -184,6 +113,16 @@ public final class Token {
        this.entityAlias = builder.entityAlias;
    }
    /**
     * Get {@link Builder} instance.
     *
     * @return Token Builder.
     * @since 0.8
     */
    public static Builder builder() {
        return new Builder();
    }
    /**
     * @return Token ID
     */
@ -279,6 +218,35 @@ public final class Token {
        return entityAlias;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass()) {
            return false;
        }
        Token token = (Token) o;
        return Objects.equals(id, token.id) &&
            Objects.equals(type, token.type) &&
            Objects.equals(displayName, token.displayName) &&
            Objects.equals(noParent, token.noParent) &&
            Objects.equals(noDefaultPolicy, token.noDefaultPolicy) &&
            Objects.equals(ttl, token.ttl) &&
            Objects.equals(explicitMaxTtl, token.explicitMaxTtl) &&
            Objects.equals(numUses, token.numUses) &&
            Objects.equals(policies, token.policies) &&
            Objects.equals(meta, token.meta) &&
            Objects.equals(renewable, token.renewable) &&
            Objects.equals(period, token.period) &&
            Objects.equals(entityAlias, token.entityAlias);
    }
    @Override
    public int hashCode() {
        return Objects.hash(id, type, displayName, noParent, noDefaultPolicy, ttl, explicitMaxTtl, numUses, policies,
            meta, renewable, period, entityAlias);
    }
    /**
     * Constants for token types.
     */
--- a/src/main/java/de/stklcode/jvault/connector/model/TokenBuilder.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/TokenBuilder.java
@ -1,275 +0,0 @@
 /*
 * Copyright 2016-2021 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package de.stklcode.jvault.connector.model;
 import java.util.*;
 /**
 * A builder for vault tokens.
 *
 * @author Stefan Kalscheuer
 * @since 0.4.0
 * @deprecated As of 0.9 in favor of {@link Token.Builder}.
 */
@Deprecated
 public final class TokenBuilder {
    private String id;
    private Token.Type type;
    private String displayName;
    private Boolean noParent;
    private Boolean noDefaultPolicy;
    private Integer ttl;
    private Integer numUses;
    private List<String> policies;
    private Map<String, String> meta;
    private Boolean renewable;
    /**
     * Add token ID. (optional)
     *
     * @param id the ID
     * @return self
     */
    public TokenBuilder withId(final String id) {
        this.id = id;
        return this;
    }
    /**
     * Specify token type.
     *
     * @param type the type
     * @return self
     * @since 0.9
     */
    public TokenBuilder withType(final Token.Type type) {
        this.type = type;
        return this;
    }
    /**
     * Add display name.
     *
     * @param displayName the display name
     * @return self
     */
    public TokenBuilder withDisplayName(final String displayName) {
        this.displayName = displayName;
        return this;
    }
    /**
     * Set desired time to live.
     *
     * @param ttl the ttl
     * @return self
     */
    public TokenBuilder withTtl(final Integer ttl) {
        this.ttl = ttl;
        return this;
    }
    /**
     * Set desired number of uses.
     *
     * @param numUses the number of uses
     * @return self
     */
    public TokenBuilder withNumUses(final Integer numUses) {
        this.numUses = numUses;
        return this;
    }
    /**
     * Set TRUE if the token should be created without parent.
     *
     * @param noParent if TRUE, token is created as orphan
     * @return self
     */
    public TokenBuilder withNoParent(final boolean noParent) {
        this.noParent = noParent;
        return this;
    }
    /**
     * Create token without parent.
     * Convenience method for withNoParent()
     *
     * @return self
     */
    public TokenBuilder asOrphan() {
        return withNoParent(true);
    }
    /**
     * Create token with parent.
     * Convenience method for withNoParent()
     *
     * @return self
     */
    public TokenBuilder withParent() {
        return withNoParent(false);
    }
    /**
     * Set TRUE if the default policy should not be part of this token.
     *
     * @param noDefaultPolicy if TRUE, default policy is not attached
     * @return self
     */
    public TokenBuilder withNoDefaultPolicy(final boolean noDefaultPolicy) {
        this.noDefaultPolicy = noDefaultPolicy;
        return this;
    }
    /**
     * Attach default policy to token.
     * Convenience method for withNoDefaultPolicy()
     *
     * @return self
     */
    public TokenBuilder withDefaultPolicy() {
        return withNoDefaultPolicy(false);
    }
    /**
     * Do not attach default policy to token.
     * Convenience method for withNoDefaultPolicy()
     *
     * @return self
     */
    public TokenBuilder withoutDefaultPolicy() {
        return withNoDefaultPolicy(true);
    }
    /**
     * Add given policies.
     *
     * @param policies the policies
     * @return self
     * @since 0.5.0
     */
    public TokenBuilder withPolicies(final String... policies) {
        return withPolicies(Arrays.asList(policies));
    }
    /**
     * Add given policies.
     *
     * @param policies the policies
     * @return self
     */
    public TokenBuilder withPolicies(final List<String> policies) {
        if (this.policies == null) {
            this.policies = new ArrayList<>();
        }
        this.policies.addAll(policies);
        return this;
    }
    /**
     * Add a single policy.
     *
     * @param policy the policy
     * @return self
     */
    public TokenBuilder withPolicy(final String policy) {
        if (this.policies == null) {
            this.policies = new ArrayList<>();
        }
        policies.add(policy);
        return this;
    }
    /**
     * Add meta data.
     *
     * @param meta the metadata
     * @return self
     */
    public TokenBuilder withMeta(final Map<String, String> meta) {
        if (this.meta == null) {
            this.meta = new HashMap<>();
        }
        this.meta.putAll(meta);
        return this;
    }
    /**
     * Add meta data.
     *
     * @param key   the key
     * @param value the value
     * @return self
     */
    public TokenBuilder withMeta(final String key, final String value) {
        if (this.meta == null) {
            this.meta = new HashMap<>();
        }
        this.meta.put(key, value);
        return this;
    }
    /**
     * Set if token is renewable.
     *
     * @param renewable TRUE, if renewable
     * @return self
     */
    public TokenBuilder withRenewable(final Boolean renewable) {
        this.renewable = renewable;
        return this;
    }
    /**
     * Set token to be renewable.
     * Convenience method for withRenewable()
     *
     * @return self
     */
    public TokenBuilder renewable() {
        return withRenewable(true);
    }
    /**
     * Set token to be not renewable.
     * Convenience method for withRenewable()
     *
     * @return self
     */
    public TokenBuilder notRenewable() {
        return withRenewable(false);
    }
    /**
     * Build the token based on given parameters.
     *
     * @return the token
     */
    public Token build() {
        return new Token(id,
                type != null ? type.value() : null,
                displayName,
                noParent,
                noDefaultPolicy,
                ttl,
                numUses,
                policies,
                meta,
                renewable);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/TokenRole.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/TokenRole.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -20,25 +20,21 @@ import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import java.io.Serializable;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Objects;
 /**
 * Vault Token Role metamodel.
 *
 * @author Stefan Kalscheuer
 * @since 0.9
 * @since 1.1 implements {@link Serializable}
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public final class TokenRole {
+public final class TokenRole implements Serializable {
-    /**
+    private static final long serialVersionUID = -3505215215838576321L;
     * Get {@link Builder} instance.
     *
     * @return Token Role Builder.
     */
    public static Builder builder() {
        return new Builder();
    }
    @JsonProperty("name")
    @JsonInclude(JsonInclude.Include.NON_NULL)
@ -48,10 +44,18 @@ public final class TokenRole {
    @JsonInclude(JsonInclude.Include.NON_NULL)
    private List<String> allowedPolicies;
    @JsonProperty("allowed_policies_glob")
    @JsonInclude(JsonInclude.Include.NON_NULL)
    private List<String> allowedPoliciesGlob;
    @JsonProperty("disallowed_policies")
    @JsonInclude(JsonInclude.Include.NON_NULL)
    private List<String> disallowedPolicies;
    @JsonProperty("disallowed_policies_glob")
    @JsonInclude(JsonInclude.Include.NON_NULL)
    private List<String> disallowedPoliciesGlob;
    @JsonProperty("orphan")
    @JsonInclude(JsonInclude.Include.NON_NULL)
    private Boolean orphan;
@ -101,7 +105,9 @@ public final class TokenRole {
    public TokenRole(final Builder builder) {
        this.name = builder.name;
        this.allowedPolicies = builder.allowedPolicies;
        this.allowedPoliciesGlob = builder.allowedPoliciesGlob;
        this.disallowedPolicies = builder.disallowedPolicies;
        this.disallowedPoliciesGlob = builder.disallowedPoliciesGlob;
        this.orphan = builder.orphan;
        this.renewable = builder.renewable;
        this.pathSuffix = builder.pathSuffix;
@ -114,6 +120,15 @@ public final class TokenRole {
        this.tokenType = builder.tokenType != null ? builder.tokenType.value() : null;
    }
    /**
     * Get {@link Builder} instance.
     *
     * @return Token Role Builder.
     */
    public static Builder builder() {
        return new Builder();
    }
    /**
     * @return Token Role name
     */
@ -128,6 +143,14 @@ public final class TokenRole {
        return allowedPolicies;
    }
    /**
     * @return List of allowed policy glob patterns
     * @since 1.1
     */
    public List<String> getAllowedPoliciesGlob() {
        return allowedPoliciesGlob;
    }
    /**
     * @return List of disallowed policies
     */
@ -135,6 +158,14 @@ public final class TokenRole {
        return disallowedPolicies;
    }
    /**
     * @return List of disallowed policy glob patterns
     * @since 1.1
     */
    public List<String> getDisallowedPoliciesGlob() {
        return disallowedPoliciesGlob;
    }
    /**
     * @return Is Token Role orphan?
     */
@ -205,6 +236,38 @@ public final class TokenRole {
        return tokenType;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass()) {
            return false;
        }
        TokenRole tokenRole = (TokenRole) o;
        return Objects.equals(name, tokenRole.name) &&
            Objects.equals(allowedPolicies, tokenRole.allowedPolicies) &&
            Objects.equals(allowedPoliciesGlob, tokenRole.allowedPoliciesGlob) &&
            Objects.equals(disallowedPolicies, tokenRole.disallowedPolicies) &&
            Objects.equals(disallowedPoliciesGlob, tokenRole.disallowedPoliciesGlob) &&
            Objects.equals(orphan, tokenRole.orphan) &&
            Objects.equals(renewable, tokenRole.renewable) &&
            Objects.equals(pathSuffix, tokenRole.pathSuffix) &&
            Objects.equals(allowedEntityAliases, tokenRole.allowedEntityAliases) &&
            Objects.equals(tokenBoundCidrs, tokenRole.tokenBoundCidrs) &&
            Objects.equals(tokenExplicitMaxTtl, tokenRole.tokenExplicitMaxTtl) &&
            Objects.equals(tokenNoDefaultPolicy, tokenRole.tokenNoDefaultPolicy) &&
            Objects.equals(tokenNumUses, tokenRole.tokenNumUses) &&
            Objects.equals(tokenPeriod, tokenRole.tokenPeriod) &&
            Objects.equals(tokenType, tokenRole.tokenType);
    }
    @Override
    public int hashCode() {
        return Objects.hash(name, allowedPolicies, allowedPoliciesGlob, disallowedPolicies, disallowedPoliciesGlob,
            orphan, renewable, pathSuffix, allowedEntityAliases, tokenBoundCidrs, tokenExplicitMaxTtl,
            tokenNoDefaultPolicy, tokenNumUses, tokenPeriod, tokenType);
    }
    /**
     * A builder for vault token roles.
     *
@ -214,7 +277,9 @@ public final class TokenRole {
    public static final class Builder {
        private String name;
        private List<String> allowedPolicies;
        private List<String> allowedPoliciesGlob;
        private List<String> disallowedPolicies;
        private List<String> disallowedPoliciesGlob;
        private Boolean orphan;
        private Boolean renewable;
        private String pathSuffix;
@ -269,6 +334,40 @@ public final class TokenRole {
            return this;
        }
        /**
         * Add an allowed policy glob pattern.
         *
         * @param allowedPolicyGlob allowed policy glob pattern to add
         * @return self
         * @since 1.1
         */
        public Builder withAllowedPolicyGlob(final String allowedPolicyGlob) {
            if (allowedPolicyGlob != null) {
                if (this.allowedPoliciesGlob == null) {
                    this.allowedPoliciesGlob = new ArrayList<>();
                }
                this.allowedPoliciesGlob.add(allowedPolicyGlob);
            }
            return this;
        }
        /**
         * Add allowed policy glob patterns.
         *
         * @param allowedPoliciesGlob list of allowed policy glob patterns
         * @return self
         * @since 1.1
         */
        public Builder withAllowedPoliciesGlob(final List<String> allowedPoliciesGlob) {
            if (allowedPoliciesGlob != null) {
                if (this.allowedPoliciesGlob == null) {
                    this.allowedPoliciesGlob = new ArrayList<>();
                }
                this.allowedPoliciesGlob.addAll(allowedPoliciesGlob);
            }
            return this;
        }
        /**
         * Add a disallowed policy.
         *
@ -301,6 +400,40 @@ public final class TokenRole {
            return this;
        }
        /**
         * Add an allowed policy glob pattern.
         *
         * @param disallowedPolicyGlob disallowed policy glob pattern to add
         * @return self
         * @since 1.1
         */
        public Builder withDisallowedPolicyGlob(final String disallowedPolicyGlob) {
            if (disallowedPolicyGlob != null) {
                if (this.disallowedPoliciesGlob == null) {
                    this.disallowedPoliciesGlob = new ArrayList<>();
                }
                this.disallowedPoliciesGlob.add(disallowedPolicyGlob);
            }
            return this;
        }
        /**
         * Add disallowed policy glob patterns.
         *
         * @param disallowedPoliciesGlob list of disallowed policy glob patterns
         * @return self
         * @since 1.1
         */
        public Builder withDisallowedPoliciesGlob(final List<String> disallowedPoliciesGlob) {
            if (disallowedPoliciesGlob != null) {
                if (this.disallowedPoliciesGlob == null) {
                    this.disallowedPoliciesGlob = new ArrayList<>();
                }
                this.disallowedPoliciesGlob.addAll(disallowedPoliciesGlob);
            }
            return this;
        }
        /**
         * Set TRUE if the token role should be created orphan.
         *
--- a/src/main/java/de/stklcode/jvault/connector/model/package-info.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/package-info.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/AppRoleResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/AppRoleResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,13 +17,10 @@
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.annotation.JsonProperty;
 import de.stklcode.jvault.connector.exception.InvalidResponseException;
 import de.stklcode.jvault.connector.model.AppRole;
-import java.io.IOException;
+import java.util.Objects;
 import java.util.HashMap;
 import java.util.Map;
 /**
 * Vault response for AppRole lookup.
@ -33,24 +30,10 @@ import java.util.Map;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class AppRoleResponse extends VaultDataResponse {
-    private AppRole role;
+    private static final long serialVersionUID = -6536422219633829177L;
-    @Override
+    @JsonProperty("data")
-    public void setData(final Map<String, Object> data) throws InvalidResponseException {
+    private AppRole role;
        ObjectMapper mapper = new ObjectMapper();
        try {
            /* null empty strings on list objects */
            Map<String, Object> filteredData = new HashMap<>(data.size(), 1);
            data.forEach((k, v) -> {
                if (!(v instanceof String && ((String) v).isEmpty())) {
                    filteredData.put(k, v);
                }
            });
            this.role = mapper.readValue(mapper.writeValueAsString(filteredData), AppRole.class);
        } catch (IOException e) {
            throw new InvalidResponseException("Failed deserializing response", e);
        }
    }
    /**
     * @return The role
@ -58,4 +41,20 @@ public final class AppRoleResponse extends VaultDataResponse {
    public AppRole getRole() {
        return role;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
            return false;
        }
        AppRoleResponse that = (AppRoleResponse) o;
        return Objects.equals(role, that.role);
    }
    @Override
    public int hashCode() {
        return Objects.hash(super.hashCode(), role);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/AppRoleSecretResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/AppRoleSecretResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,13 +17,10 @@
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.annotation.JsonProperty;
 import de.stklcode.jvault.connector.exception.InvalidResponseException;
 import de.stklcode.jvault.connector.model.AppRoleSecret;
-import java.io.IOException;
+import java.util.Objects;
 import java.util.HashMap;
 import java.util.Map;
 /**
 * Vault response for AppRole lookup.
@ -33,24 +30,10 @@ import java.util.Map;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class AppRoleSecretResponse extends VaultDataResponse {
-    private AppRoleSecret secret;
+    private static final long serialVersionUID = -2484103304072370585L;
-    @Override
+    @JsonProperty("data")
-    public void setData(final Map<String, Object> data) throws InvalidResponseException {
+    private AppRoleSecret secret;
        ObjectMapper mapper = new ObjectMapper();
        try {
            /* null empty strings on list objects */
            Map<String, Object> filteredData = new HashMap<>(data.size(), 1);
            data.forEach((k, v) -> {
                if (!(v instanceof String && ((String) v).isEmpty())) {
                    filteredData.put(k, v);
                }
            });
            this.secret = mapper.readValue(mapper.writeValueAsString(filteredData), AppRoleSecret.class);
        } catch (IOException e) {
            throw new InvalidResponseException("Failed deserializing response", e);
        }
    }
    /**
     * @return The secret
@ -58,4 +41,20 @@ public final class AppRoleSecretResponse extends VaultDataResponse {
    public AppRoleSecret getSecret() {
        return secret;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
            return false;
        }
        AppRoleSecretResponse that = (AppRoleSecretResponse) o;
        return Objects.equals(secret, that.secret);
    }
    @Override
    public int hashCode() {
        return Objects.hash(super.hashCode(), secret);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/AuthMethodsResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/AuthMethodsResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,22 +17,24 @@
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.annotation.JsonProperty;
 import de.stklcode.jvault.connector.exception.InvalidResponseException;
 import de.stklcode.jvault.connector.model.response.embedded.AuthMethod;
 import java.io.IOException;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Objects;
 /**
 * Authentication method response.
 *
- * @author  Stefan Kalscheuer
+ * @author Stefan Kalscheuer
- * @since   0.1
+ * @since 0.1
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class AuthMethodsResponse extends VaultDataResponse {
    private static final long serialVersionUID = -1802724129533405375L;
    @JsonProperty("data")
    private Map<String, AuthMethod> supportedMethods;
    /**
@ -42,23 +44,26 @@ public final class AuthMethodsResponse extends VaultDataResponse {
        this.supportedMethods = new HashMap<>();
    }
    @Override
    public void setData(final Map<String, Object> data) throws InvalidResponseException {
        ObjectMapper mapper = new ObjectMapper();
        for (Map.Entry<String, Object> entry : data.entrySet()) {
            try {
                this.supportedMethods.put(entry.getKey(),
                        mapper.readValue(mapper.writeValueAsString(entry.getValue()), AuthMethod.class));
            } catch (IOException e) {
                throw new InvalidResponseException();
            }
        }
    }
    /**
     * @return Supported authentication methods
     */
    public Map<String, AuthMethod> getSupportedMethods() {
        return supportedMethods;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
            return false;
        }
        AuthMethodsResponse that = (AuthMethodsResponse) o;
        return Objects.equals(supportedMethods, that.supportedMethods);
    }
    @Override
    public int hashCode() {
        return Objects.hash(super.hashCode(), supportedMethods);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/AuthResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/AuthResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,14 +17,8 @@
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import de.stklcode.jvault.connector.exception.InvalidResponseException;
 import de.stklcode.jvault.connector.model.response.embedded.AuthData;
 import java.io.IOException;
 import java.util.Map;
 /**
 * Vault response for authentication providing auth info in {@link AuthData} field.
 *
@ -33,42 +27,5 @@ import java.util.Map;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class AuthResponse extends VaultDataResponse {
-    private Map<String, Object> data;
+    private static final long serialVersionUID = 1628851361067456715L;
    private AuthData auth;
    /**
     * Set authentication data. The input will be mapped to the {@link AuthData} model.
     *
     * @param auth Raw authentication data
     * @throws InvalidResponseException on mapping errors
     */
    @JsonProperty("auth")
    public void setAuth(final Map<String, Object> auth) throws InvalidResponseException {
        ObjectMapper mapper = new ObjectMapper();
        try {
            this.auth = mapper.readValue(mapper.writeValueAsString(auth), AuthData.class);
        } catch (IOException e) {
            throw new InvalidResponseException("Failed deserializing response", e);
        }
    }
    @Override
    public void setData(final Map<String, Object> data) {
        this.data = data;
    }
    /**
     * @return Raw data
     */
    public Map<String, Object> getData() {
        return data;
    }
    /**
     * @return Authentication data
     */
    public AuthData getAuth() {
        return auth;
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/CredentialsResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/CredentialsResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -21,11 +21,12 @@ import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 /**
 * Vault response from credentials lookup. Simple wrapper for data objects containing username and password fields.
 *
- * @author  Stefan Kalscheuer
+ * @author Stefan Kalscheuer
- * @since   0.5.0
+ * @since 0.5.0
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public final class CredentialsResponse extends SecretResponse {
+public final class CredentialsResponse extends PlainSecretResponse {
    private static final long serialVersionUID = -1439692963299045425L;
    /**
     * @return Username
--- a/src/main/java/de/stklcode/jvault/connector/model/response/ErrorResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/ErrorResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -20,15 +20,18 @@ import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import java.util.List;
 import java.util.Objects;
 /**
 * Vault response in case of errors.
 *
- * @author  Stefan Kalscheuer
+ * @author Stefan Kalscheuer
- * @since   0.1
+ * @since 0.1
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class ErrorResponse implements VaultResponse {
    private static final long serialVersionUID = -6227368087842549149L;
    @JsonProperty("errors")
    private List<String> errors;
@ -47,4 +50,20 @@ public final class ErrorResponse implements VaultResponse {
            return errors.get(0);
        }
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass()) {
            return false;
        }
        ErrorResponse that = (ErrorResponse) o;
        return Objects.equals(errors, that.errors);
    }
    @Override
    public int hashCode() {
        return Objects.hash(errors);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/HealthResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/HealthResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,14 +19,18 @@ package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import java.util.Objects;
 /**
 * Vault response for health query.
 *
- * @author  Stefan Kalscheuer
+ * @author Stefan Kalscheuer
- * @since   0.7.0
+ * @since 0.7.0
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class HealthResponse implements VaultResponse {
    private static final long serialVersionUID = 8675155916902904516L;
    @JsonProperty("cluster_id")
    private String clusterID;
@ -48,7 +52,7 @@ public final class HealthResponse implements VaultResponse {
    @JsonProperty("initialized")
    private Boolean initialized;
-    @JsonProperty("replication_perf_mode")
+    @JsonProperty("replication_performance_mode")
    private String replicationPerfMode;
    @JsonProperty("replication_dr_mode")
@ -57,6 +61,18 @@ public final class HealthResponse implements VaultResponse {
    @JsonProperty("performance_standby")
    private Boolean performanceStandby;
    @JsonProperty("echo_duration_ms")
    private Long echoDurationMs;
    @JsonProperty("clock_skew_ms")
    private Long clockSkewMs;
    @JsonProperty("replication_primary_canary_age_ms")
    private Long replicationPrimaryCanaryAgeMs;
    @JsonProperty("enterprise")
    private Boolean enterprise;
    /**
     * @return The Cluster ID.
     */
@ -129,4 +145,67 @@ public final class HealthResponse implements VaultResponse {
    public Boolean isPerformanceStandby() {
        return performanceStandby;
    }
    /**
     * @return Heartbeat echo duration in milliseconds (since Vault 1.16)
     * @since 1.3
     */
    public Long getEchoDurationMs() {
        return echoDurationMs;
    }
    /**
     * @return Clock skew in milliseconds (since Vault 1.16)
     * @since 1.3
     */
    public Long getClockSkewMs() {
        return clockSkewMs;
    }
    /**
     * @return Replication primary canary age in milliseconds (since Vault 1.17)
     * @since 1.3
     */
    public Long getReplicationPrimaryCanaryAgeMs() {
        return replicationPrimaryCanaryAgeMs;
    }
    /**
     * @return Enterprise instance? (since Vault 1.17)
     * @since 1.3
     */
    public Boolean isEnterprise() {
        return enterprise;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass()) {
            return false;
        }
        HealthResponse that = (HealthResponse) o;
        return Objects.equals(clusterID, that.clusterID) &&
            Objects.equals(clusterName, that.clusterName) &&
            Objects.equals(version, that.version) &&
            Objects.equals(serverTimeUTC, that.serverTimeUTC) &&
            Objects.equals(standby, that.standby) &&
            Objects.equals(sealed, that.sealed) &&
            Objects.equals(initialized, that.initialized) &&
            Objects.equals(replicationPerfMode, that.replicationPerfMode) &&
            Objects.equals(replicationDrMode, that.replicationDrMode) &&
            Objects.equals(performanceStandby, that.performanceStandby) &&
            Objects.equals(echoDurationMs, that.echoDurationMs) &&
            Objects.equals(clockSkewMs, that.clockSkewMs) &&
            Objects.equals(replicationPrimaryCanaryAgeMs, that.replicationPrimaryCanaryAgeMs) &&
            Objects.equals(enterprise, that.enterprise);
    }
    @Override
    public int hashCode() {
        return Objects.hash(clusterID, clusterName, version, serverTimeUTC, standby, sealed, initialized,
            replicationPerfMode, replicationDrMode, performanceStandby, echoDurationMs, clockSkewMs,
            replicationPrimaryCanaryAgeMs, enterprise);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/HelpResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/HelpResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,14 +19,18 @@ package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import java.util.Objects;
 /**
 * Vault response for help request.
 *
- * @author  Stefan Kalscheuer
+ * @author Stefan Kalscheuer
- * @since   0.1
+ * @since 0.1
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class HelpResponse implements VaultResponse {
    private static final long serialVersionUID = -1152070966642848490L;
    @JsonProperty("help")
    private String help;
@ -36,4 +40,20 @@ public final class HelpResponse implements VaultResponse {
    public String getHelp() {
        return help;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass()) {
            return false;
        }
        HelpResponse that = (HelpResponse) o;
        return Objects.equals(help, that.help);
    }
    @Override
    public int hashCode() {
        return Objects.hash(help);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/MetaSecretResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/MetaSecretResponse.java
@ -0,0 +1,75 @@
 /*
 * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import de.stklcode.jvault.connector.model.response.embedded.SecretWrapper;
 import de.stklcode.jvault.connector.model.response.embedded.VersionMetadata;
 import java.io.Serializable;
 import java.util.Collections;
 import java.util.Map;
 import java.util.Objects;
 /**
 * Vault response for secret responses with metadata.
 *
 * @author Stefan Kalscheuer
 * @since 1.1 abstract
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public class MetaSecretResponse extends SecretResponse {
    private static final long serialVersionUID = -1076542846391240162L;
    @JsonProperty("data")
    private SecretWrapper secret;
    @Override
    public final Map<String, Serializable> getData() {
        if (secret != null) {
            return secret.getData();
        } else {
            return Collections.emptyMap();
        }
    }
    @Override
    public final VersionMetadata getMetadata() {
        if (secret != null) {
            return secret.getMetadata();
        } else {
            return null;
        }
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
            return false;
        }
        MetaSecretResponse that = (MetaSecretResponse) o;
        return Objects.equals(secret, that.secret);
    }
    @Override
    public int hashCode() {
        return Objects.hash(super.hashCode(), secret);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/MetadataResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/MetadataResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,12 +17,11 @@
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.annotation.JsonProperty;
 import de.stklcode.jvault.connector.exception.InvalidResponseException;
 import de.stklcode.jvault.connector.model.response.embedded.SecretMetadata;
-import java.io.IOException;
+import java.util.Objects;
-import java.util.Map;
+
 /**
 * Vault response for secret metadata (KV v2).
@ -32,19 +31,11 @@ import java.util.Map;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public class MetadataResponse extends VaultDataResponse {
    private static final long serialVersionUID = -3679762333630984679L;
    @JsonProperty("data")
    private SecretMetadata metadata;
    @Override
    public final void setData(final Map<String, Object> data) throws InvalidResponseException {
        ObjectMapper mapper = new ObjectMapper();
        try {
            this.metadata = mapper.readValue(mapper.writeValueAsString(data), SecretMetadata.class);
        } catch (IOException e) {
            throw new InvalidResponseException("Failed deserializing response", e);
        }
    }
    /**
     * Get the actual metadata.
     *
@ -53,4 +44,20 @@ public class MetadataResponse extends VaultDataResponse {
    public SecretMetadata getMetadata() {
        return metadata;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
            return false;
        }
        MetadataResponse that = (MetadataResponse) o;
        return Objects.equals(metadata, that.metadata);
    }
    @Override
    public int hashCode() {
        return Objects.hash(super.hashCode(), metadata);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/PlainSecretResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/PlainSecretResponse.java
@ -0,0 +1,66 @@
 /*
 * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import de.stklcode.jvault.connector.model.response.embedded.VersionMetadata;
 import java.io.Serializable;
 import java.util.Collections;
 import java.util.Map;
 import java.util.Objects;
 /**
 * Vault response for plain secret responses.
 *
 * @author Stefan Kalscheuer
 * @since 1.1 abstract
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public class PlainSecretResponse extends SecretResponse {
    private static final long serialVersionUID = 3010138542437913023L;
    @JsonProperty("data")
    private Map<String, Serializable> data;
    @Override
    public final Map<String, Serializable> getData() {
        return Objects.requireNonNullElseGet(data, Collections::emptyMap);
    }
    @Override
    public final VersionMetadata getMetadata() {
        return null;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
            return false;
        }
        PlainSecretResponse that = (PlainSecretResponse) o;
        return Objects.equals(data, that.data);
    }
    @Override
    public int hashCode() {
        return Objects.hash(super.hashCode(), data);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/RawDataResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/RawDataResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,28 +17,45 @@
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import java.io.Serializable;
 import java.util.Map;
 import java.util.Objects;
 /**
 * Simple Vault data response.
 *
- * @author  Stefan Kalscheuer
+ * @author Stefan Kalscheuer
- * @since   0.4.0
+ * @since 0.4.0
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class RawDataResponse extends VaultDataResponse {
-    private Map<String, Object> data;
+    private static final long serialVersionUID = -319727427792124071L;
-    @Override
+    @JsonProperty("data")
-    public void setData(final Map<String, Object> data) {
+    private Map<String, Serializable> data;
        this.data = data;
    }
    /**
     * @return Raw data {@link Map}
     */
-    public Map<String, Object> getData() {
+    public Map<String, Serializable> getData() {
        return data;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
            return false;
        }
        RawDataResponse that = (RawDataResponse) o;
        return Objects.equals(data, that.data);
    }
    @Override
    public int hashCode() {
        return Objects.hash(super.hashCode(), data);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/SealResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/SealResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,6 +19,9 @@ package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import java.time.ZonedDateTime;
 import java.util.Objects;
 /**
 * Vault response for seal status or unseal request.
 *
@ -27,6 +30,8 @@ import com.fasterxml.jackson.annotation.JsonProperty;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class SealResponse implements VaultResponse {
    private static final long serialVersionUID = -6000309255473305787L;
    @JsonProperty("type")
    private String type;
@ -48,6 +53,9 @@ public final class SealResponse implements VaultResponse {
    @JsonProperty("version")
    private String version;
    @JsonProperty("build_date")
    private ZonedDateTime buildDate;
    @JsonProperty("nonce")
    private String nonce;
@ -57,6 +65,15 @@ public final class SealResponse implements VaultResponse {
    @JsonProperty("cluster_id")
    private String clusterId;
    @JsonProperty("migration")
    private Boolean migration;
    @JsonProperty("recovery_seal")
    private Boolean recoverySeal;
    @JsonProperty("storage_type")
    private String storageType;
    /**
     * @return Seal type.
     * @since 0.8
@ -109,6 +126,14 @@ public final class SealResponse implements VaultResponse {
        return version;
    }
    /**
     * @return Vault build date.
     * @since 1.2
     */
    public ZonedDateTime getBuildDate() {
        return buildDate;
    }
    /**
     * @return A random nonce.
     * @since 0.8
@ -132,4 +157,58 @@ public final class SealResponse implements VaultResponse {
    public String getClusterId() {
        return clusterId;
    }
    /**
     * @return Migration status (since Vault 1.4)
     * @since 1.1
     */
    public Boolean getMigration() {
        return migration;
    }
    /**
     * @return Recovery seal status.
     * @since 1.1
     */
    public Boolean getRecoverySeal() {
        return recoverySeal;
    }
    /**
     * @return Storage type (since Vault 1.3).
     * @since 1.1
     */
    public String getStorageType() {
        return storageType;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass()) {
            return false;
        }
        SealResponse that = (SealResponse) o;
        return sealed == that.sealed &&
            initialized == that.initialized &&
            Objects.equals(type, that.type) &&
            Objects.equals(threshold, that.threshold) &&
            Objects.equals(numberOfShares, that.numberOfShares) &&
            Objects.equals(progress, that.progress) &&
            Objects.equals(version, that.version) &&
            Objects.equals(buildDate, that.buildDate) &&
            Objects.equals(nonce, that.nonce) &&
            Objects.equals(clusterName, that.clusterName) &&
            Objects.equals(clusterId, that.clusterId) &&
            Objects.equals(migration, that.migration) &&
            Objects.equals(recoverySeal, that.recoverySeal) &&
            Objects.equals(storageType, that.storageType);
    }
    @Override
    public int hashCode() {
        return Objects.hash(type, sealed, initialized, threshold, numberOfShares, progress, version, buildDate, nonce,
            clusterName, clusterId, migration, recoverySeal, storageType);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/SecretListResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/SecretListResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -18,10 +18,11 @@ package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import de.stklcode.jvault.connector.model.response.embedded.SecretListWrapper;
 import java.util.Collections;
 import java.util.List;
-import java.util.Map;
+import java.util.Objects;
 /**
 * Vault response for secret list request.
@ -31,27 +32,34 @@ import java.util.Map;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class SecretListResponse extends VaultDataResponse {
    private List<String> keys;
-    /**
+    private static final long serialVersionUID = 8597121175002967213L;
     * Set data. Extracts list of keys from raw response data.
     *
     * @param data Raw data
     * @throws InvalidResponseException on parsing errors
     */
    @JsonProperty("data")
-    public void setData(final Map<String, Object> data) throws InvalidResponseException {
+    private SecretListWrapper data;
        try {
            this.keys = (List<String>) data.get("keys");
        } catch (ClassCastException e) {
            throw new InvalidResponseException("Keys could not be parsed from data.", e);
        }
    }
    /**
     * @return List of secret keys
     */
    public List<String> getKeys() {
-        return keys;
+        if (data == null) {
            return Collections.emptyList();
        }
        return Objects.requireNonNullElseGet(data.getKeys(), Collections::emptyList);
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
            return false;
        }
        SecretListResponse that = (SecretListResponse) o;
        return Objects.equals(data, that.data);
    }
    @Override
    public int hashCode() {
        return Objects.hash(super.hashCode(), data);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/SecretResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/SecretResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,12 +17,15 @@
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.SerializationFeature;
 import com.fasterxml.jackson.databind.json.JsonMapper;
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
 import de.stklcode.jvault.connector.exception.InvalidResponseException;
 import de.stklcode.jvault.connector.model.response.embedded.VersionMetadata;
 import java.io.IOException;
-import java.util.Collections;
+import java.io.Serializable;
 import java.util.Map;
 /**
@ -30,46 +33,20 @@ import java.util.Map;
 *
 * @author Stefan Kalscheuer
 * @since 0.1
 * @since 1.1 abstract
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public class SecretResponse extends VaultDataResponse {
+public abstract class SecretResponse extends VaultDataResponse {
-    private static final String KEY_DATA = "data";
+    private static final long serialVersionUID = 5198088815871692951L;
    private static final String KEY_METADATA = "metadata";
    private Map<String, Object> data;
    private VersionMetadata metadata;
    @Override
    public final void setData(final Map<String, Object> data) throws InvalidResponseException {
        if (data.size() == 2
                && data.containsKey(KEY_DATA) && data.get(KEY_DATA) instanceof Map
                && data.containsKey(KEY_METADATA) && data.get(KEY_METADATA) instanceof Map) {
            ObjectMapper mapper = new ObjectMapper();
            try {
                // This is apparently a KV v2 value.
                this.data = (Map<String, Object>) data.get(KEY_DATA);
                this.metadata = mapper.readValue(mapper.writeValueAsString(data.get(KEY_METADATA)), VersionMetadata.class);
            } catch (ClassCastException | IOException e) {
                throw new InvalidResponseException("Failed deserializing response", e);
            }
        } else {
            // For KV v1 without metadata just store the data map.
            this.data = data;
        }
    }
    /**
     * Get complete data object.
     *
     * @return data map
     * @since 0.4.0
     * @since 1.1 Serializable map value.
     */
-    public final Map<String, Object> getData() {
+    public abstract Map<String, Serializable> getData();
        if (data == null) {
            return Collections.emptyMap();
        }
        return data;
    }
    /**
     * Get secret metadata. This is only available for KV v2 secrets.
@ -77,9 +54,7 @@ public class SecretResponse extends VaultDataResponse {
     * @return Metadata of the secret.
     * @since 0.8
     */
-    public final VersionMetadata getMetadata() {
+    public abstract VersionMetadata getMetadata();
        return metadata;
    }
    /**
     * Get a single value for given key.
@ -89,60 +64,39 @@ public class SecretResponse extends VaultDataResponse {
     * @since 0.4.0
     */
    public final Object get(final String key) {
        if (data == null) {
            return null;
        }
        return getData().get(key);
    }
    /**
     * Get data element for key "value".
     * Method for backwards compatibility in case of simple secrets.
     *
     * @return the value
     * @deprecated Deprecated artifact, will be removed at latest at v1.0.0
     */
    @Deprecated
    public final String getValue() {
        Object value = get("value");
        if (value == null) {
            return null;
        }
        return value.toString();
    }
    /**
     * Get response parsed as JSON.
     *
     * @param type Class to parse response
     * @param <T>  Class to parse response
     * @return Parsed object
     * @throws InvalidResponseException on parsing error
     * @since 0.3
     * @deprecated Deprecated artifact, will be removed at latest at v1.0.0
     */
    @Deprecated
    public final <T> T getValue(final Class<T> type) throws InvalidResponseException {
        return get("value", type);
    }
    /**
     * Get response parsed as JSON.
     *
     * @param key  the key
     * @param type Class to parse response
-     * @param <T>  Class to parse response
+     * @param <C>  Class to parse response
     * @return Parsed object or {@code null} if absent
     * @throws InvalidResponseException on parsing error
     * @since 0.4.0
     */
-    public final <T> T get(final String key, final Class<T> type) throws InvalidResponseException {
+    public final <C> C get(final String key, final Class<C> type) throws InvalidResponseException {
        try {
            Object rawValue = get(key);
            if (rawValue == null) {
                return null;
            } else if (type.isInstance(rawValue)) {
                return type.cast(rawValue);
            } else {
                var om = JsonMapper.builder()
                    .addModule(new JavaTimeModule())
                    .enable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS)
                    .disable(DeserializationFeature.ADJUST_DATES_TO_CONTEXT_TIME_ZONE)
                    .build();
                if (rawValue instanceof String) {
                    return om.readValue((String) rawValue, type);
                } else {
                    return om.readValue(om.writeValueAsString(rawValue), type);
                }
            }
            return new ObjectMapper().readValue(rawValue.toString(), type);
        } catch (IOException e) {
            throw new InvalidResponseException("Unable to parse response payload: " + e.getMessage());
        }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/SecretVersionResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/SecretVersionResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,12 +17,10 @@
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.annotation.JsonProperty;
 import de.stklcode.jvault.connector.exception.InvalidResponseException;
 import de.stklcode.jvault.connector.model.response.embedded.VersionMetadata;
-import java.io.IOException;
+import java.util.Objects;
 import java.util.Map;
 /**
 * Vault response for a single secret version metadata, i.e. after update (KV v2).
@ -32,19 +30,11 @@ import java.util.Map;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public class SecretVersionResponse extends VaultDataResponse {
    private static final long serialVersionUID = 2748635005258576174L;
    @JsonProperty("data")
    private VersionMetadata metadata;
    @Override
    public final void setData(final Map<String, Object> data) throws InvalidResponseException {
        ObjectMapper mapper = new ObjectMapper();
        try {
            this.metadata = mapper.readValue(mapper.writeValueAsString(data), VersionMetadata.class);
        } catch (IOException e) {
            throw new InvalidResponseException("Failed deserializing response", e);
        }
    }
    /**
     * Get the actual metadata.
     *
@ -53,4 +43,20 @@ public class SecretVersionResponse extends VaultDataResponse {
    public VersionMetadata getMetadata() {
        return metadata;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
            return false;
        }
        SecretVersionResponse that = (SecretVersionResponse) o;
        return Objects.equals(metadata, that.metadata);
    }
    @Override
    public int hashCode() {
        return Objects.hash(super.hashCode(), metadata);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/TokenResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/TokenResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -18,12 +18,9 @@ package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import de.stklcode.jvault.connector.exception.InvalidResponseException;
 import de.stklcode.jvault.connector.model.response.embedded.TokenData;
-import java.io.IOException;
+import java.util.Objects;
 import java.util.Map;
 /**
 * Vault response from token lookup providing Token information in {@link TokenData} field.
@ -33,31 +30,32 @@ import java.util.Map;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class TokenResponse extends VaultDataResponse {
    private static final long serialVersionUID = -4341114947980033457L;
    @JsonProperty("data")
    private TokenData data;
    @JsonProperty("auth")
    private Boolean auth;
    /**
     * Set data. Parses response data map to {@link TokenData}.
     *
     * @param data Raw response data
     * @throws InvalidResponseException on parsing errors
     */
    @Override
    public void setData(final Map<String, Object> data) throws InvalidResponseException {
        ObjectMapper mapper = new ObjectMapper();
        try {
            this.data = mapper.readValue(mapper.writeValueAsString(data), TokenData.class);
        } catch (IOException e) {
            throw new InvalidResponseException("Failed deserializing response", e);
        }
    }
    /**
     * @return Token data
     */
    public TokenData getData() {
        return data;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
            return false;
        }
        TokenResponse that = (TokenResponse) o;
        return Objects.equals(data, that.data);
    }
    @Override
    public int hashCode() {
        return Objects.hash(super.hashCode(), data);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/TokenRoleResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/TokenRoleResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,13 +17,11 @@
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.annotation.JsonProperty;
 import de.stklcode.jvault.connector.exception.InvalidResponseException;
 import de.stklcode.jvault.connector.model.TokenRole;
 import de.stklcode.jvault.connector.model.response.embedded.TokenData;
-import java.io.IOException;
+import java.util.Objects;
 import java.util.Map;
 /**
 * Vault response from token role lookup providing Token information in {@link TokenData} field.
@ -33,23 +31,10 @@ import java.util.Map;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class TokenRoleResponse extends VaultDataResponse {
-    private TokenRole data;
+    private static final long serialVersionUID = 5265363857731948626L;
-    /**
+    @JsonProperty("data")
-     * Set data. Parses response data map to {@link TokenRole}.
+    private TokenRole data;
     *
     * @param data Raw response data
     * @throws InvalidResponseException on parsing errors
     */
    @Override
    public void setData(final Map<String, Object> data) throws InvalidResponseException {
        ObjectMapper mapper = new ObjectMapper();
        try {
            this.data = mapper.readValue(mapper.writeValueAsString(data), TokenRole.class);
        } catch (IOException e) {
            throw new InvalidResponseException("Failed deserializing response", e);
        }
    }
    /**
     * @return TokenRole data
@ -57,4 +42,20 @@ public final class TokenRoleResponse extends VaultDataResponse {
    public TokenRole getData() {
        return data;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
            return false;
        }
        TokenRoleResponse that = (TokenRoleResponse) o;
        return Objects.equals(data, that.data);
    }
    @Override
    public int hashCode() {
        return Objects.hash(super.hashCode(), data);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/TransitResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/TransitResponse.java
@ -0,0 +1,92 @@
 /*
 * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.annotation.JsonSetter;
 import java.util.Map;
 import java.util.Objects;
 /**
 * Response entity for transit operations.
 *
 * @author Stefan Kalscheuer
 * @since 1.5.0
 */
 public class TransitResponse extends VaultDataResponse {
    private static final long serialVersionUID = 6873804240772242771L;
    private String ciphertext;
    private String plaintext;
    private String sum;
    @JsonSetter("data")
    private void setData(Map<String, String> data) {
        ciphertext = data.get("ciphertext");
        plaintext = data.get("plaintext");
        sum = data.get("sum");
    }
    /**
     * Get ciphertext.
     * Populated after encryption.
     *
     * @return Ciphertext
     */
    public String getCiphertext() {
        return ciphertext;
    }
    /**
     * Get plaintext.
     * Base64 encoded, populated after decryption.
     *
     * @return Plaintext
     */
    public String getPlaintext() {
        return plaintext;
    }
    /**
     * Get hash sum.
     * Hex or Base64 string. Populated after hashing.
     *
     * @return Hash sum
     */
    public String getSum() {
        return sum;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
            return false;
        }
        TransitResponse that = (TransitResponse) o;
        return Objects.equals(ciphertext, that.ciphertext) &&
            Objects.equals(plaintext, that.plaintext) &&
            Objects.equals(sum, that.sum);
    }
    @Override
    public int hashCode() {
        return Objects.hash(super.hashCode(), ciphertext, plaintext, sum);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/VaultDataResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/VaultDataResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,10 +17,11 @@
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.annotation.JsonProperty;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import de.stklcode.jvault.connector.model.response.embedded.AuthData;
 import de.stklcode.jvault.connector.model.response.embedded.WrapInfo;
 import java.util.List;
-import java.util.Map;
+import java.util.Objects;
 /**
 * Abstract Vault response with default payload fields.
@ -29,6 +30,11 @@ import java.util.Map;
 * @since 0.1
 */
 public abstract class VaultDataResponse implements VaultResponse {
    private static final long serialVersionUID = 4787715235558510045L;
    @JsonProperty("request_id")
    private String requestId;
    @JsonProperty("lease_id")
    private String leaseId;
@ -41,14 +47,22 @@ public abstract class VaultDataResponse implements VaultResponse {
    @JsonProperty("warnings")
    private List<String> warnings;
    @JsonProperty("wrap_info")
    private WrapInfo wrapInfo;
    @JsonProperty("auth")
    private AuthData auth;
    @JsonProperty("mount_type")
    private String mountType;
    /**
-     * Set data. To be implemented in the specific subclasses, as data can be of arbitrary structure.
+     * @return Request ID
-     *
+     * @since 1.1
     * @param data Raw response data
     * @throws InvalidResponseException on parsing errors
     */
-    @JsonProperty("data")
+    public final String getRequestId() {
-    public abstract void setData(final Map<String, Object> data) throws InvalidResponseException;
+        return requestId;
    }
    /**
     * @return Lease ID
@ -77,4 +91,51 @@ public abstract class VaultDataResponse implements VaultResponse {
    public final List<String> getWarnings() {
        return warnings;
    }
    /**
     * @return Wrapping information
     * @since 1.1
     */
    public final WrapInfo getWrapInfo() {
        return wrapInfo;
    }
    /**
     * @return Authentication information for this response
     * @since 1.3
     */
    public final AuthData getAuth() {
        return auth;
    }
    /**
     * @return Information about the type of mount this secret is from (since Vault 1.17)
     * @since 1.3
     */
    public final String getMountType() {
        return mountType;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass()) {
            return false;
        }
        VaultDataResponse that = (VaultDataResponse) o;
        return renewable == that.renewable &&
            Objects.equals(requestId, that.requestId) &&
            Objects.equals(leaseId, that.leaseId) &&
            Objects.equals(leaseDuration, that.leaseDuration) &&
            Objects.equals(warnings, that.warnings) &&
            Objects.equals(wrapInfo, that.wrapInfo) &&
            Objects.equals(auth, that.auth) &&
            Objects.equals(mountType, that.mountType);
    }
    @Override
    public int hashCode() {
        return Objects.hash(requestId, leaseId, renewable, leaseDuration, warnings, wrapInfo, auth, mountType);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/VaultResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/VaultResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,11 +16,14 @@
 package de.stklcode.jvault.connector.model.response;
 import java.io.Serializable;
 /**
 * Marker interface for responses from Vault backend.
 *
- * @author  Stefan Kalscheuer
+ * @author Stefan Kalscheuer
- * @since   0.1
+ * @since 0.1
 * @since 1.1 extends {@link Serializable}
 */
-public interface VaultResponse {
+public interface VaultResponse extends Serializable {
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/AuthData.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/AuthData.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,17 +19,22 @@ package de.stklcode.jvault.connector.model.response.embedded;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import java.io.Serializable;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
 /**
 * Embedded authorization information inside Vault response.
 *
- * @author  Stefan Kalscheuer
+ * @author Stefan Kalscheuer
- * @since   0.1
+ * @since 0.1
 * @since 1.1 implements {@link Serializable}
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public final class AuthData {
+public final class AuthData implements Serializable {
    private static final long serialVersionUID = 5969334512309655317L;
    @JsonProperty("client_token")
    private String clientToken;
@ -60,6 +65,12 @@ public final class AuthData {
    @JsonProperty("orphan")
    private boolean orphan;
    @JsonProperty("num_uses")
    private Integer numUses;
    @JsonProperty("mfa_requirement")
    private MfaRequirement mfaRequirement;
    /**
     * @return Client token
     */
@ -126,6 +137,14 @@ public final class AuthData {
        return accessor;
    }
    /**
     * @return allowed number of uses for the issued token
     * @since 1.3
     */
    public Integer getNumUses() {
        return numUses;
    }
    /**
     * @return Token is orphan
     * @since 0.9
@ -133,4 +152,41 @@ public final class AuthData {
    public boolean isOrphan() {
        return orphan;
    }
    /**
     * @return multi-factor requirement
     * @since 1.2
     */
    public MfaRequirement getMfaRequirement() {
        return mfaRequirement;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        }
        if (o == null || getClass() != o.getClass()) {
            return false;
        }
        AuthData authData = (AuthData) o;
        return renewable == authData.renewable &&
            orphan == authData.orphan &&
            Objects.equals(clientToken, authData.clientToken) &&
            Objects.equals(accessor, authData.accessor) &&
            Objects.equals(policies, authData.policies) &&
            Objects.equals(tokenPolicies, authData.tokenPolicies) &&
            Objects.equals(metadata, authData.metadata) &&
            Objects.equals(leaseDuration, authData.leaseDuration) &&
            Objects.equals(entityId, authData.entityId) &&
            Objects.equals(tokenType, authData.tokenType) &&
            Objects.equals(numUses, authData.numUses) &&
            Objects.equals(mfaRequirement, authData.mfaRequirement);
    }
    @Override
    public int hashCode() {
        return Objects.hash(clientToken, accessor, policies, tokenPolicies, metadata, leaseDuration, renewable,
            entityId, tokenType, orphan, numUses, mfaRequirement);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/AuthMethod.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/AuthMethod.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -21,28 +21,60 @@ import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.annotation.JsonSetter;
 import de.stklcode.jvault.connector.model.AuthBackend;
 import java.io.Serializable;
 import java.util.Map;
 import java.util.Objects;
 /**
 * Embedded authentication method response.
 *
- * @author  Stefan Kalscheuer
+ * @author Stefan Kalscheuer
- * @since   0.1
+ * @since 0.1
 * @since 1.1 implements {@link Serializable}
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public final class AuthMethod {
+public final class AuthMethod implements Serializable {
    private static final long serialVersionUID = -439987082190917691L;
    private AuthBackend type;
    private String rawType;
    @JsonProperty("accessor")
    private String accessor;
    @JsonProperty("deprecation_status")
    private String deprecationStatus;
    @JsonProperty("description")
    private String description;
    @JsonProperty("config")
-    private Map<String, String> config;
+    private MountConfig config;
    @JsonProperty("external_entropy_access")
    private boolean externalEntropyAccess;
    @JsonProperty("local")
    private boolean local;
    @JsonProperty("options")
    private Map<String, String> options;
    @JsonProperty("plugin_version")
    private String pluginVersion;
    @JsonProperty("running_plugin_version")
    private String runningPluginVersion;
    @JsonProperty("running_sha256")
    private String runningSha256;
    @JsonProperty("seal_wrap")
    private boolean sealWrap;
    @JsonProperty("uuid")
    private String uuid;
    /**
     * @param type Backend type, passed to {@link AuthBackend#forType(String)}
     */
@ -66,6 +98,22 @@ public final class AuthMethod {
        return rawType;
    }
    /**
     * @return Accessor
     * @since 1.1
     */
    public String getAccessor() {
        return accessor;
    }
    /**
     * @return Deprecation status
     * @since 1.2
     */
    public String getDeprecationStatus() {
        return deprecationStatus;
    }
    /**
     * @return Description
     */
@ -75,15 +123,103 @@ public final class AuthMethod {
    /**
     * @return Configuration data
     * @since 0.2
     * @since 1.2 Returns {@link MountConfig} instead of {@link Map}
     */
-    public Map<String, String> getConfig() {
+    public MountConfig getConfig() {
        return config;
    }
    /**
     * @return Backend has access to external entropy source
     * @since 1.1
     */
    public boolean isExternalEntropyAccess() {
        return externalEntropyAccess;
    }
    /**
     * @return Is local backend
     */
    public boolean isLocal() {
        return local;
    }
    /**
     * @return Options
     * @since 1.2
     */
    public Map<String, String> getOptions() {
        return options;
    }
    /**
     * @return Plugin version
     * @since 1.2
     */
    public String getPluginVersion() {
        return pluginVersion;
    }
    /**
     * @return Running plugin version
     * @since 1.2
     */
    public String getRunningPluginVersion() {
        return runningPluginVersion;
    }
    /**
     * @return Running SHA256
     * @since 1.2
     */
    public String getRunningSha256() {
        return runningSha256;
    }
    /**
     * @return Seal wrapping enabled
     * @since 1.1
     */
    public boolean isSealWrap() {
        return sealWrap;
    }
    /**
     * @return Backend UUID
     * @since 1.1
     */
    public String getUuid() {
        return uuid;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass()) {
            return false;
        }
        AuthMethod that = (AuthMethod) o;
        return local == that.local &&
            type == that.type &&
            externalEntropyAccess == that.externalEntropyAccess &&
            sealWrap == that.sealWrap &&
            Objects.equals(rawType, that.rawType) &&
            Objects.equals(accessor, that.accessor) &&
            Objects.equals(deprecationStatus, that.deprecationStatus) &&
            Objects.equals(description, that.description) &&
            Objects.equals(config, that.config) &&
            Objects.equals(options, that.options) &&
            Objects.equals(pluginVersion, that.pluginVersion) &&
            Objects.equals(runningPluginVersion, that.runningPluginVersion) &&
            Objects.equals(runningSha256, that.runningSha256) &&
            Objects.equals(uuid, that.uuid);
    }
    @Override
    public int hashCode() {
        return Objects.hash(type, rawType, accessor, deprecationStatus, description, config, externalEntropyAccess,
            local, options, pluginVersion, runningPluginVersion, runningSha256, sealWrap, uuid);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MfaConstraintAny.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MfaConstraintAny.java
@ -0,0 +1,62 @@
 /*
 * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package de.stklcode.jvault.connector.model.response.embedded;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import java.io.Serializable;
 import java.util.List;
 import java.util.Objects;
 /**
 * Embedded multi-factor-authentication (MFA) constraint "any".
 *
 * @author Stefan Kalscheuer
 * @since 1.2
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class MfaConstraintAny implements Serializable {
    private static final long serialVersionUID = 1226126781813149627L;
    @JsonProperty("any")
    private List<MfaMethodId> any;
    /**
     * @return List of "any" MFA methods
     */
    public List<MfaMethodId> getAny() {
        return any;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        }
        if (o == null || getClass() != o.getClass()) {
            return false;
        }
        MfaConstraintAny mfaRequirement = (MfaConstraintAny) o;
        return Objects.equals(any, mfaRequirement.any);
    }
    @Override
    public int hashCode() {
        return Objects.hash(any);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MfaMethodId.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MfaMethodId.java
@ -0,0 +1,94 @@
 /*
 * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package de.stklcode.jvault.connector.model.response.embedded;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import java.io.Serializable;
 import java.util.Objects;
 /**
 * Embedded multi-factor-authentication (MFA) requirement.
 *
 * @author Stefan Kalscheuer
 * @since 1.2
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class MfaMethodId implements Serializable {
    private static final long serialVersionUID = 691298070242998814L;
    @JsonProperty("type")
    private String type;
    @JsonProperty("id")
    private String id;
    @JsonProperty("uses_passcode")
    private Boolean usesPasscode;
    @JsonProperty("name")
    private String name;
    /**
     * @return MFA method type
     */
    public String getType() {
        return type;
    }
    /**
     * @return MFA method id
     */
    public String getId() {
        return id;
    }
    /**
     * @return MFA uses passcode id
     */
    public Boolean getUsesPasscode() {
        return usesPasscode;
    }
    /**
     * @return MFA method name
     */
    public String getName() {
        return name;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        }
        if (o == null || getClass() != o.getClass()) {
            return false;
        }
        MfaMethodId mfaMethodId = (MfaMethodId) o;
        return Objects.equals(type, mfaMethodId.type) &&
            Objects.equals(id, mfaMethodId.id) &&
            Objects.equals(usesPasscode, mfaMethodId.usesPasscode) &&
            Objects.equals(name, mfaMethodId.name);
    }
    @Override
    public int hashCode() {
        return Objects.hash(type, id, usesPasscode, name);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MfaRequirement.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MfaRequirement.java
@ -0,0 +1,73 @@
 /*
 * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package de.stklcode.jvault.connector.model.response.embedded;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import java.io.Serializable;
 import java.util.Map;
 import java.util.Objects;
 /**
 * Embedded multi-factor-authentication (MFA) requirement.
 *
 * @author Stefan Kalscheuer
 * @since 1.2
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class MfaRequirement implements Serializable {
    private static final long serialVersionUID = -2516941512455319638L;
    @JsonProperty("mfa_request_id")
    private String mfaRequestId;
    @JsonProperty("mfa_constraints")
    private Map<String, MfaConstraintAny> mfaConstraints;
    /**
     * @return MFA request ID
     */
    public String getMfaRequestId() {
        return mfaRequestId;
    }
    /**
     * @return MFA constraints
     */
    public Map<String, MfaConstraintAny> getMfaConstraints() {
        return mfaConstraints;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        }
        if (o == null || getClass() != o.getClass()) {
            return false;
        }
        MfaRequirement mfaRequirement = (MfaRequirement) o;
        return Objects.equals(mfaRequestId, mfaRequirement.mfaRequestId) &&
            Objects.equals(mfaConstraints, mfaRequirement.mfaConstraints);
    }
    @Override
    public int hashCode() {
        return Objects.hash(mfaRequestId, mfaConstraints);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MountConfig.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MountConfig.java
@ -0,0 +1,168 @@
 package de.stklcode.jvault.connector.model.response.embedded;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import java.io.Serializable;
 import java.util.List;
 import java.util.Objects;
 /**
 * Embedded mount config output.
 *
 * @author Stefan Kalscheuer
 * @since 1.2
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public class MountConfig implements Serializable {
    private static final long serialVersionUID = -8653909672663717792L;
    @JsonProperty("default_lease_ttl")
    private Integer defaultLeaseTtl;
    @JsonProperty("max_lease_ttl")
    private Integer maxLeaseTtl;
    @JsonProperty("force_no_cache")
    private Boolean forceNoCache;
    @JsonProperty("token_type")
    private String tokenType;
    @JsonProperty("audit_non_hmac_request_keys")
    private List<String> auditNonHmacRequestKeys;
    @JsonProperty("audit_non_hmac_response_keys")
    private List<String> auditNonHmacResponseKeys;
    @JsonProperty("listing_visibility")
    private String listingVisibility;
    @JsonProperty("passthrough_request_headers")
    private List<String> passthroughRequestHeaders;
    @JsonProperty("allowed_response_headers")
    private List<String> allowedResponseHeaders;
    @JsonProperty("allowed_managed_keys")
    private List<String> allowedManagedKeys;
    @JsonProperty("delegated_auth_accessors")
    private List<String> delegatedAuthAccessors;
    @JsonProperty("user_lockout_config")
    private UserLockoutConfig userLockoutConfig;
    /**
     * @return Default lease TTL
     */
    public Integer getDefaultLeaseTtl() {
        return defaultLeaseTtl;
    }
    /**
     * @return Maximum lease TTL
     */
    public Integer getMaxLeaseTtl() {
        return maxLeaseTtl;
    }
    /**
     * @return Force no cache?
     */
    public Boolean getForceNoCache() {
        return forceNoCache;
    }
    /**
     * @return Token type
     */
    public String getTokenType() {
        return tokenType;
    }
    /**
     * @return Audit non HMAC request keys
     */
    public List<String> getAuditNonHmacRequestKeys() {
        return auditNonHmacRequestKeys;
    }
    /**
     * @return Audit non HMAC response keys
     */
    public List<String> getAuditNonHmacResponseKeys() {
        return auditNonHmacResponseKeys;
    }
    /**
     * @return Listing visibility
     */
    public String getListingVisibility() {
        return listingVisibility;
    }
    /**
     * @return Passthrough request headers
     */
    public List<String> getPassthroughRequestHeaders() {
        return passthroughRequestHeaders;
    }
    /**
     * @return Allowed response headers
     */
    public List<String> getAllowedResponseHeaders() {
        return allowedResponseHeaders;
    }
    /**
     * @return Allowed managed keys
     */
    public List<String> getAllowedManagedKeys() {
        return allowedManagedKeys;
    }
    /**
     * @return Delegated auth accessors
     */
    public List<String> getDelegatedAuthAccessors() {
        return delegatedAuthAccessors;
    }
    /**
     * @return User lockout config
     */
    public UserLockoutConfig getUserLockoutConfig() {
        return userLockoutConfig;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass()) {
            return false;
        }
        MountConfig that = (MountConfig) o;
        return Objects.equals(defaultLeaseTtl, that.defaultLeaseTtl) &&
            Objects.equals(maxLeaseTtl, that.maxLeaseTtl) &&
            Objects.equals(forceNoCache, that.forceNoCache) &&
            Objects.equals(tokenType, that.tokenType) &&
            Objects.equals(auditNonHmacRequestKeys, that.auditNonHmacRequestKeys) &&
            Objects.equals(auditNonHmacResponseKeys, that.auditNonHmacResponseKeys) &&
            Objects.equals(listingVisibility, that.listingVisibility) &&
            Objects.equals(passthroughRequestHeaders, that.passthroughRequestHeaders) &&
            Objects.equals(allowedResponseHeaders, that.allowedResponseHeaders) &&
            Objects.equals(allowedManagedKeys, that.allowedManagedKeys) &&
            Objects.equals(delegatedAuthAccessors, that.delegatedAuthAccessors) &&
            Objects.equals(userLockoutConfig, that.userLockoutConfig);
    }
    @Override
    public int hashCode() {
        return Objects.hash(defaultLeaseTtl, maxLeaseTtl, forceNoCache, tokenType, auditNonHmacRequestKeys,
            auditNonHmacResponseKeys, listingVisibility, passthroughRequestHeaders, allowedResponseHeaders,
            allowedManagedKeys, delegatedAuthAccessors, userLockoutConfig);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/SecretListWrapper.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/SecretListWrapper.java
@ -0,0 +1,42 @@
 package de.stklcode.jvault.connector.model.response.embedded;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import java.io.Serializable;
 import java.util.List;
 import java.util.Objects;
 /**
 * Wrapper object for secret key lists.
 *
 * @author Stefan Kalscheuer
 * @since 1.1
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public class SecretListWrapper implements Serializable {
    private static final long serialVersionUID = -8777605197063766125L;
    @JsonProperty("keys")
    private List<String> keys;
    public List<String> getKeys() {
        return keys;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass()) {
            return false;
        }
        SecretListWrapper that = (SecretListWrapper) o;
        return Objects.equals(keys, that.keys);
    }
    @Override
    public int hashCode() {
        return Objects.hash(keys);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/SecretMetadata.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/SecretMetadata.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,23 +19,25 @@ package de.stklcode.jvault.connector.model.response.embedded;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import java.io.Serializable;
 import java.time.ZonedDateTime;
-import java.time.format.DateTimeFormatter;
+import java.util.HashMap;
 import java.time.format.DateTimeParseException;
 import java.util.Map;
 import java.util.Objects;
 /**
 * Embedded metadata for Key-Value v2 secrets.
 *
- * @author  Stefan Kalscheuer
+ * @author Stefan Kalscheuer
- * @since   0.8
+ * @since 0.8
 * @since 1.1 implements {@link Serializable}
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public final class SecretMetadata {
+public final class SecretMetadata implements Serializable {
-    private static final DateTimeFormatter TIME_FORMAT = DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss.SSSSSSSSSX");
+    private static final long serialVersionUID = -905059942871916214L;
    @JsonProperty("created_time")
-    private String createdTimeString;
+    private ZonedDateTime createdTime;
    @JsonProperty("current_version")
    private Integer currentVersion;
@ -47,31 +49,25 @@ public final class SecretMetadata {
    private Integer oldestVersion;
    @JsonProperty("updated_time")
-    private String updatedTime;
+    private ZonedDateTime updatedTime;
    @JsonProperty("versions")
    private Map<Integer, VersionMetadata> versions;
-    /**
+    @JsonProperty("cas_required")
-     * @return Time of secret creation as raw string representation.
+    private Boolean casRequired;
-     */
+
-    public String getCreatedTimeString() {
+    @JsonProperty("custom_metadata")
-        return createdTimeString;
+    private HashMap<String, String> customMetadata;
-    }
+
    @JsonProperty("delete_version_after")
    private String deleteVersionAfter;
    /**
     * @return Time of secret creation.
     */
    public ZonedDateTime getCreatedTime() {
-        if (createdTimeString != null && !createdTimeString.isEmpty()) {
+        return createdTime;
            try {
                return ZonedDateTime.parse(createdTimeString, TIME_FORMAT);
            } catch (DateTimeParseException e) {
                // Ignore.
            }
        }
        return null;
    }
    /**
@ -96,25 +92,10 @@ public final class SecretMetadata {
    }
    /**
-     * @return Time of secret update as raw string representation.
+     * @return Time of secret update.
     */
    public String getUpdatedTimeString() {
        return updatedTime;
    }
    /**
     * @return Time of secret update..
     */
    public ZonedDateTime getUpdatedTime() {
-        if (updatedTime != null && !updatedTime.isEmpty()) {
+        return updatedTime;
            try {
                return ZonedDateTime.parse(updatedTime, TIME_FORMAT);
            } catch (DateTimeParseException e) {
                // Ignore.
            }
        }
        return null;
    }
    /**
@ -124,4 +105,52 @@ public final class SecretMetadata {
        return versions;
    }
    /**
     * @return CAS required?
     * @since 1.3
     */
    public Boolean isCasRequired() {
        return casRequired;
    }
    /**
     * @return Custom metadata.
     * @since 1.3
     */
    public Map<String, String> getCustomMetadata() {
        return customMetadata;
    }
    /**
     * @return time duration to delete version
     * @since 1.3
     */
    public String getDeleteVersionAfter() {
        return deleteVersionAfter;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass()) {
            return false;
        }
        SecretMetadata that = (SecretMetadata) o;
        return Objects.equals(createdTime, that.createdTime) &&
            Objects.equals(currentVersion, that.currentVersion) &&
            Objects.equals(maxVersions, that.maxVersions) &&
            Objects.equals(oldestVersion, that.oldestVersion) &&
            Objects.equals(updatedTime, that.updatedTime) &&
            Objects.equals(versions, that.versions) &&
            Objects.equals(casRequired, that.casRequired) &&
            Objects.equals(customMetadata, that.customMetadata) &&
            Objects.equals(deleteVersionAfter, that.deleteVersionAfter);
    }
    @Override
    public int hashCode() {
        return Objects.hash(createdTime, currentVersion, maxVersions, oldestVersion, updatedTime, versions, casRequired,
            customMetadata, deleteVersionAfter);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/SecretWrapper.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/SecretWrapper.java
@ -0,0 +1,49 @@
 package de.stklcode.jvault.connector.model.response.embedded;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import java.io.Serializable;
 import java.util.Map;
 import java.util.Objects;
 /**
 * Wrapper object for secret data and metadata.
 *
 * @author Stefan Kalscheuer
 * @since 1.1
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public class SecretWrapper implements Serializable {
    private static final long serialVersionUID = 8600413181758893378L;
    @JsonProperty("data")
    private Map<String, Serializable> data;
    @JsonProperty("metadata")
    private VersionMetadata metadata;
    public Map<String, Serializable> getData() {
        return data;
    }
    public VersionMetadata getMetadata() {
        return metadata;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass()) {
            return false;
        }
        SecretWrapper that = (SecretWrapper) o;
        return Objects.equals(data, that.data) && Objects.equals(metadata, that.metadata);
    }
    @Override
    public int hashCode() {
        return Objects.hash(data, metadata);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/TokenData.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/TokenData.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,18 +19,23 @@ package de.stklcode.jvault.connector.model.response.embedded;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import java.io.Serializable;
 import java.time.ZonedDateTime;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
 /**
 * Embedded token information inside Vault response.
 *
 * @author Stefan Kalscheuer
 * @since 0.1
 * @since 1.1 implements {@link Serializable}
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public final class TokenData {
+public final class TokenData implements Serializable {
    private static final long serialVersionUID = -5749716740973138916L;
    @JsonProperty("accessor")
    private String accessor;
@ -47,7 +52,7 @@ public final class TokenData {
    private String entityId;
    @JsonProperty("expire_time")
-    private String expireTime;
+    private ZonedDateTime expireTime;
    @JsonProperty("explicit_max_ttl")
    private Integer explicitMaxTtl;
@ -56,7 +61,7 @@ public final class TokenData {
    private String id;
    @JsonProperty("issue_time")
-    private String issueTime;
+    private ZonedDateTime issueTime;
    @JsonProperty("meta")
    private Map<String, Object> meta;
@ -118,24 +123,12 @@ public final class TokenData {
        return entityId;
    }
    /**
     * @return Expire time as raw string value
     * @since 0.9
     */
    public String getExpireTimeString() {
        return expireTime;
    }
    /**
     * @return Expire time (parsed)
     * @since 0.9
     */
    public ZonedDateTime getExpireTime() {
-        if (expireTime == null) {
+        return expireTime;
            return null;
        } else {
            return ZonedDateTime.parse(expireTime);
        }
    }
    /**
@ -153,24 +146,12 @@ public final class TokenData {
        return id;
    }
    /**
     * @return Issue time as raw string value
     * @since 0.9
     */
    public String getIssueTimeString() {
        return issueTime;
    }
    /**
     * @return Expire time (parsed)
     * @since 0.9
     */
    public ZonedDateTime getIssueTime() {
-        if (issueTime == null) {
+        return issueTime;
            return null;
        } else {
            return ZonedDateTime.parse(issueTime);
        }
    }
    /**
@ -231,4 +212,37 @@ public final class TokenData {
    public Map<String, Object> getMeta() {
        return meta;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass()) {
            return false;
        }
        TokenData tokenData = (TokenData) o;
        return orphan == tokenData.orphan &&
            renewable == tokenData.renewable &&
            Objects.equals(accessor, tokenData.accessor) &&
            Objects.equals(creationTime, tokenData.creationTime) &&
            Objects.equals(creationTtl, tokenData.creationTtl) &&
            Objects.equals(name, tokenData.name) &&
            Objects.equals(entityId, tokenData.entityId) &&
            Objects.equals(expireTime, tokenData.expireTime) &&
            Objects.equals(explicitMaxTtl, tokenData.explicitMaxTtl) &&
            Objects.equals(id, tokenData.id) &&
            Objects.equals(issueTime, tokenData.issueTime) &&
            Objects.equals(meta, tokenData.meta) &&
            Objects.equals(numUses, tokenData.numUses) &&
            Objects.equals(path, tokenData.path) &&
            Objects.equals(policies, tokenData.policies) &&
            Objects.equals(ttl, tokenData.ttl) &&
            Objects.equals(type, tokenData.type);
    }
    @Override
    public int hashCode() {
        return Objects.hash(accessor, creationTime, creationTtl, name, entityId, expireTime, explicitMaxTtl, id,
            issueTime, meta, numUses, orphan, path, policies, renewable, ttl, type);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/UserLockoutConfig.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/UserLockoutConfig.java
@ -0,0 +1,77 @@
 package de.stklcode.jvault.connector.model.response.embedded;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import java.io.Serializable;
 import java.util.Objects;
 /**
 * Embedded user lockout config output.
 *
 * @author Stefan Kalscheuer
 * @since 1.2
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public class UserLockoutConfig implements Serializable {
    private static final long serialVersionUID = -8051060041593140550L;
    @JsonProperty("lockout_threshold")
    private Integer lockoutThreshold;
    @JsonProperty("lockout_duration")
    private Integer lockoutDuration;
    @JsonProperty("lockout_counter_reset_duration")
    private Integer lockoutCounterResetDuration;
    @JsonProperty("lockout_disable")
    private Boolean lockoutDisable;
    /**
     * @return Lockout threshold
     */
    public Integer getLockoutThreshold() {
        return lockoutThreshold;
    }
    /**
     * @return Lockout duration
     */
    public Integer getLockoutDuration() {
        return lockoutDuration;
    }
    /**
     * @return Lockout counter reset duration
     */
    public Integer getLockoutCounterResetDuration() {
        return lockoutCounterResetDuration;
    }
    /**
     * @return Lockout disabled?
     */
    public Boolean getLockoutDisable() {
        return lockoutDisable;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass()) {
            return false;
        }
        UserLockoutConfig that = (UserLockoutConfig) o;
        return Objects.equals(lockoutThreshold, that.lockoutThreshold) &&
            Objects.equals(lockoutDuration, that.lockoutDuration) &&
            Objects.equals(lockoutCounterResetDuration, that.lockoutCounterResetDuration) &&
            Objects.equals(lockoutDisable, that.lockoutDisable);
    }
    @Override
    public int hashCode() {
        return Objects.hash(lockoutThreshold, lockoutDuration, lockoutCounterResetDuration, lockoutDisable);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/VersionMetadata.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/VersionMetadata.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,25 +19,28 @@ package de.stklcode.jvault.connector.model.response.embedded;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import java.io.Serializable;
 import java.time.ZonedDateTime;
-import java.time.format.DateTimeFormatter;
+import java.util.HashMap;
-import java.time.format.DateTimeParseException;
+import java.util.Map;
 import java.util.Objects;
 /**
 * Embedded metadata for a single Key-Value v2 version.
 *
- * @author  Stefan Kalscheuer
+ * @author Stefan Kalscheuer
- * @since   0.8
+ * @since 0.8
 * @since 1.1 implements {@link Serializable}
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public final class VersionMetadata {
+public final class VersionMetadata implements Serializable {
-    private static final DateTimeFormatter TIME_FORMAT = DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss.SSSSSSSSSX");
+    private static final long serialVersionUID = 8495687554714216478L;
    @JsonProperty("created_time")
-    private String createdTimeString;
+    private ZonedDateTime createdTime;
    @JsonProperty("deletion_time")
-    private String deletionTimeString;
+    private ZonedDateTime deletionTime;
    @JsonProperty("destroyed")
    private boolean destroyed;
@ -45,48 +48,21 @@ public final class VersionMetadata {
    @JsonProperty("version")
    private Integer version;
-    /**
+    @JsonProperty("custom_metadata")
-     * @return Time of secret creation as raw string representation.
+    private HashMap<String, String> customMetadata;
     */
    public String getCreatedTimeString() {
        return createdTimeString;
    }
    /**
     * @return Time of secret creation.
     */
    public ZonedDateTime getCreatedTime() {
-        if (createdTimeString != null && !createdTimeString.isEmpty()) {
+        return createdTime;
            try {
                return ZonedDateTime.parse(createdTimeString, TIME_FORMAT);
            } catch (DateTimeParseException e) {
                // Ignore.
            }
        }
        return null;
    }
    /**
     * @return Time for secret deletion as raw string representation.
     */
    public String getDeletionTimeString() {
        return deletionTimeString;
    }
    /**
     * @return Time for secret deletion.
     */
    public ZonedDateTime getDeletionTime() {
-        if (deletionTimeString != null && !deletionTimeString.isEmpty()) {
+        return deletionTime;
            try {
                return ZonedDateTime.parse(deletionTimeString, TIME_FORMAT);
            } catch (DateTimeParseException e) {
                // Ignore.
            }
        }
        return null;
    }
    /**
@ -103,4 +79,31 @@ public final class VersionMetadata {
        return version;
    }
    /**
     * @return Custom metadata.
     * @since 1.3
     */
    public Map<String, String> getCustomMetadata() {
        return customMetadata;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass()) {
            return false;
        }
        VersionMetadata that = (VersionMetadata) o;
        return destroyed == that.destroyed &&
            Objects.equals(createdTime, that.createdTime) &&
            Objects.equals(deletionTime, that.deletionTime) &&
            Objects.equals(version, that.version) &&
            Objects.equals(customMetadata, that.customMetadata);
    }
    @Override
    public int hashCode() {
        return Objects.hash(createdTime, deletionTime, destroyed, version, customMetadata);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/WrapInfo.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/WrapInfo.java
@ -0,0 +1,92 @@
 /*
 * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package de.stklcode.jvault.connector.model.response.embedded;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import java.io.Serializable;
 import java.time.ZonedDateTime;
 import java.util.Objects;
 /**
 * Wrapping information object.
 *
 * @author Stefan Kalscheuer
 * @since 1.1
 */
 public class WrapInfo implements Serializable {
    private static final long serialVersionUID = 4864973237090355607L;
    @JsonProperty("token")
    private String token;
    @JsonProperty("ttl")
    private Integer ttl;
    @JsonProperty("creation_time")
    private ZonedDateTime creationTime;
    @JsonProperty("creation_path")
    private String creationPath;
    /**
     * @return Token
     */
    public String getToken() {
        return token;
    }
    /**
     * @return TTL (in seconds)
     */
    public Integer getTtl() {
        return ttl;
    }
    /**
     * @return Creation time
     */
    public ZonedDateTime getCreationTime() {
        return creationTime;
    }
    /**
     * @return Creation path
     */
    public String getCreationPath() {
        return creationPath;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass()) {
            return false;
        }
        WrapInfo that = (WrapInfo) o;
        return Objects.equals(token, that.token) &&
            Objects.equals(ttl, that.ttl) &&
            Objects.equals(creationTime, that.creationTime) &&
            Objects.equals(creationPath, that.creationPath);
    }
    @Override
    public int hashCode() {
        return Objects.hash(token, ttl, creationTime, creationPath);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/package-info.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/package-info.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/package-info.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/package-info.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/package-info.java
+++ b/src/main/java/de/stklcode/jvault/connector/package-info.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/module-info.java
+++ b/src/main/java/module-info.java
@ -0,0 +1,37 @@
 /*
 * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 /**
 * JVaultConnector module.
 *
 * @author Stefan Kalscheuer
 */
 module de.stklcode.jvault.connector {
    exports de.stklcode.jvault.connector;
    exports de.stklcode.jvault.connector.exception;
    exports de.stklcode.jvault.connector.model;
    exports de.stklcode.jvault.connector.model.response;
    exports de.stklcode.jvault.connector.model.response.embedded;
    opens de.stklcode.jvault.connector.model to com.fasterxml.jackson.databind;
    opens de.stklcode.jvault.connector.model.response to com.fasterxml.jackson.databind;
    opens de.stklcode.jvault.connector.model.response.embedded to com.fasterxml.jackson.databind;
    requires java.net.http;
    requires com.fasterxml.jackson.annotation;
    requires com.fasterxml.jackson.databind;
    requires com.fasterxml.jackson.datatype.jsr310;
 }
--- a/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorBuilderTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorBuilderTest.java
@ -0,0 +1,249 @@
 /*
 * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package de.stklcode.jvault.connector;
 import com.github.stefanbirkner.systemlambda.SystemLambda;
 import de.stklcode.jvault.connector.exception.ConnectionException;
 import de.stklcode.jvault.connector.exception.TlsException;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.io.TempDir;
 import java.io.File;
 import java.lang.reflect.Field;
 import java.net.URISyntaxException;
 import java.nio.file.Files;
 import java.nio.file.NoSuchFileException;
 import java.nio.file.Paths;
 import java.util.concurrent.atomic.AtomicReference;
 import static com.github.stefanbirkner.systemlambda.SystemLambda.withEnvironmentVariable;
 import static org.junit.jupiter.api.Assertions.*;
 /**
 * JUnit test for HTTP Vault connector factory
 *
 * @author Stefan Kalscheuer
 * @since 0.8.0
 */
 class HTTPVaultConnectorBuilderTest {
    private static final String VAULT_ADDR = "https://localhost:8201";
    private static final String VAULT_ADDR_2 = "http://localhost";
    private static final String VAULT_ADDR_3 = "https://localhost/vault/";
    private static final Integer VAULT_MAX_RETRIES = 13;
    private static final String VAULT_TOKEN = "00001111-2222-3333-4444-555566667777";
    @TempDir
    File tempDir;
    /**
     * Test the builder.
     */
    @Test
    void builderTest() throws Exception {
        // Minimal configuration.
        HTTPVaultConnector connector = HTTPVaultConnector.builder().withHost("vault.example.com").build();
        assertEquals("https://vault.example.com:8200/v1/", getRequestHelperPrivate(connector, "baseURL"), "URL not set correctly");
        assertNull(getRequestHelperPrivate(connector, "trustedCaCert"), "Trusted CA cert set when no cert provided");
        assertEquals(0, getRequestHelperPrivate(connector, "retries"), "Number of retries unexpectedly set");
        // Specify all options.
        HTTPVaultConnectorBuilder builder = HTTPVaultConnector.builder()
                .withHost("vault2.example.com")
                .withoutTLS()
                .withPort(1234)
                .withPrefix("/foo/")
                .withTimeout(5678)
                .withNumberOfRetries(9);
        connector = builder.build();
        assertEquals("http://vault2.example.com:1234/foo/", getRequestHelperPrivate(connector, "baseURL"), "URL not set correctly");
        assertNull(getRequestHelperPrivate(connector, "trustedCaCert"), "Trusted CA cert set when no cert provided");
        assertEquals(9, getRequestHelperPrivate(connector, "retries"), "Unexpected number of retries");
        assertEquals(5678, getRequestHelperPrivate(connector, "timeout"), "Number timeout value");
        assertThrows(ConnectionException.class, builder::buildAndAuth, "Immediate authentication should throw exception without token");
        // Initialization from URL.
        assertThrows(
                URISyntaxException.class,
                () -> HTTPVaultConnector.builder().withBaseURL("foo:/\\1nv4l1d_UrL"),
                "Initialization from invalid URL should fail"
        );
        connector = assertDoesNotThrow(
                () -> HTTPVaultConnector.builder().withBaseURL("https://vault3.example.com:5678/bar/").build(),
                "Initialization from valid URL should not fail"
        );
        assertEquals("https://vault3.example.com:5678/bar/", getRequestHelperPrivate(connector, "baseURL"), "URL not set correctly");
        // Port numbers.
        assertThrows(IllegalArgumentException.class, () -> HTTPVaultConnector.builder().withPort(65536), "Too large port number should throw an exception");
        assertThrows(IllegalArgumentException.class, () -> HTTPVaultConnector.builder().withPort(0), "Port number 0 should throw an exception");
        builder = assertDoesNotThrow(() -> HTTPVaultConnector.builder().withPort(-1), "Port number -1 should not throw an exception");
        assertNull(builder.getPort(), "Port number -1 should be omitted");
        builder = assertDoesNotThrow(() -> HTTPVaultConnector.builder().withPort(null), "Port number NULL should not throw an exception");
        assertNull(builder.getPort(), "Port number NULL should be passed through");
    }
    /**
     * Test building from environment variables
     */
    @Test
    void testFromEnv() throws Exception {
        // Provide address only should be enough.
        withVaultEnv(VAULT_ADDR, null, null, null).execute(() -> {
            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
                    () -> HTTPVaultConnector.builder().fromEnv(),
                    "Factory creation from minimal environment failed"
            );
            HTTPVaultConnector connector = builder.build();
            assertEquals(VAULT_ADDR + "/v1/", getRequestHelperPrivate(connector, "baseURL"), "URL not set correctly");
            assertNull(getRequestHelperPrivate(connector, "trustedCaCert"), "Trusted CA cert set when no cert provided");
            assertEquals(0, getRequestHelperPrivate(connector, "retries"), "Non-default number of retries, when none set");
            return null;
        });
        withVaultEnv(VAULT_ADDR_2, null, null, null).execute(() -> {
            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
                    () -> HTTPVaultConnector.builder().fromEnv(),
                    "Factory creation from minimal environment failed"
            );
            assertEquals(VAULT_ADDR_2 + "/v1/", getRequestHelperPrivate(builder.build(), "baseURL"), "URL without port not set correctly");
            return null;
        });
        withVaultEnv(VAULT_ADDR_3, null, null, null).execute(() -> {
            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
                    () -> HTTPVaultConnector.builder().fromEnv(),
                    "Factory creation from minimal environment failed"
            );
            assertEquals(VAULT_ADDR_3, getRequestHelperPrivate(builder.build(), "baseURL"), "URL with custom path not set correctly");
            return null;
        });
        // Provide address and number of retries.
        withVaultEnv(VAULT_ADDR, null, VAULT_MAX_RETRIES.toString(), null).execute(() -> {
            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
                    () -> HTTPVaultConnector.builder().fromEnv(),
                    "Factory creation from environment failed"
            );
            HTTPVaultConnector connector = builder.build();
            assertEquals(VAULT_ADDR + "/v1/", getRequestHelperPrivate(connector, "baseURL"), "URL not set correctly");
            assertNull(getRequestHelperPrivate(connector, "trustedCaCert"), "Trusted CA cert set when no cert provided");
            assertEquals(VAULT_MAX_RETRIES, getRequestHelperPrivate(connector, "retries"), "Number of retries not set correctly");
            return null;
        });
        // Automatic authentication.
        withVaultEnv(VAULT_ADDR, null, VAULT_MAX_RETRIES.toString(), VAULT_TOKEN).execute(() -> {
            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
                    () -> HTTPVaultConnector.builder().fromEnv(),
                    "Factory creation from minimal environment failed"
            );
            assertEquals(VAULT_TOKEN, getPrivate(builder, "token"), "Token not set correctly");
            return null;
        });
        // Invalid URL.
        withVaultEnv("This is not a valid URL!", null, VAULT_MAX_RETRIES.toString(), VAULT_TOKEN).execute(() -> {
            assertThrows(
                    ConnectionException.class,
                    () -> HTTPVaultConnector.builder().fromEnv(),
                    "Invalid URL from environment should raise an exception"
            );
            return null;
        });
    }
    /**
     * Test CA certificate handling from environment variables
     */
    @Test
    void testCertificateFromEnv() throws Exception {
        // From direct PEM content
        String pem = Files.readString(Paths.get(getClass().getResource("/tls/ca.pem").toURI()));
        AtomicReference<Object> certFromPem = new AtomicReference<>();
        withVaultEnv(VAULT_ADDR, pem, null, null).execute(() -> {
            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
                    () -> HTTPVaultConnector.builder().fromEnv(),
                    "Builder with PEM certificate from environment failed"
            );
            HTTPVaultConnector connector = builder.build();
            certFromPem.set(getRequestHelperPrivate(connector, "trustedCaCert"));
            assertNotNull(certFromPem.get(), "Trusted CA cert from PEM not set");
            return null;
        });
        // From file path
        String file = Paths.get(getClass().getResource("/tls/ca.pem").toURI()).toString();
        AtomicReference<Object> certFromFile = new AtomicReference<>();
        withVaultEnv(VAULT_ADDR, file, null, null).execute(() -> {
            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
                    () -> HTTPVaultConnector.builder().fromEnv(),
                    "Builder with certificate path from environment failed"
            );
            HTTPVaultConnector connector = builder.build();
            certFromFile.set(getRequestHelperPrivate(connector, "trustedCaCert"));
            assertNotNull(certFromFile.get(), "Trusted CA cert from file not set");
            return null;
        });
        assertEquals(certFromPem.get(), certFromFile.get(), "Certificates from PEM and file should be equal");
        // Non-existing path CA certificate path
        String doesNotExist = tempDir.toString() + "/doesnotexist";
        withVaultEnv(VAULT_ADDR, doesNotExist, VAULT_MAX_RETRIES.toString(), null).execute(() -> {
            TlsException e = assertThrows(
                    TlsException.class,
                    () -> HTTPVaultConnector.builder().fromEnv(),
                    "Creation with unknown cert path failed"
            );
            assertEquals(doesNotExist, assertInstanceOf(NoSuchFileException.class, e.getCause()).getFile());
            return null;
        });
    }
    private SystemLambda.WithEnvironmentVariables withVaultEnv(String vaultAddr, String vaultCacert, String vaultMaxRetries, String vaultToken) {
        return withEnvironmentVariable("VAULT_ADDR", vaultAddr)
                .and("VAULT_CACERT", vaultCacert)
                .and("VAULT_MAX_RETRIES", vaultMaxRetries)
                .and("VAULT_TOKEN", vaultToken);
    }
    private Object getRequestHelperPrivate(HTTPVaultConnector connector, String fieldName) throws NoSuchFieldException, IllegalAccessException {
        return getPrivate(getPrivate(connector, "request"), fieldName);
    }
    private Object getPrivate(Object target, String fieldName) throws NoSuchFieldException, IllegalAccessException {
        Field field = target.getClass().getDeclaredField(fieldName);
        if (field.canAccess(target)) {
            return field.get(target);
        }
        field.setAccessible(true);
        Object value = field.get(target);
        field.setAccessible(false);
        return value;
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorIT.java
+++ b/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorIT.java
--- a/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorOfflineTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorOfflineTest.java
@ -1,380 +0,0 @@
 /*
 * Copyright 2016-2021 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package de.stklcode.jvault.connector;
 import de.stklcode.jvault.connector.exception.InvalidRequestException;
 import de.stklcode.jvault.connector.exception.InvalidResponseException;
 import de.stklcode.jvault.connector.exception.PermissionDeniedException;
 import de.stklcode.jvault.connector.exception.VaultConnectorException;
 import org.apache.http.ProtocolVersion;
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.entity.ContentType;
 import org.apache.http.entity.StringEntity;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClientBuilder;
 import org.apache.http.message.BasicStatusLine;
 import org.junit.jupiter.api.*;
 import org.junit.jupiter.api.function.Executable;
 import org.mockito.MockedStatic;
 import java.io.IOException;
 import java.io.InputStream;
 import java.lang.reflect.Field;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.Collections;
 import static org.hamcrest.CoreMatchers.instanceOf;
 import static org.hamcrest.CoreMatchers.nullValue;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.core.Is.is;
 import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.*;
 /**
 * JUnit test for HTTP Vault connector.
 * This test suite contains tests that do not require connection to an actual Vault instance.
 *
 * @author Stefan Kalscheuer
 * @since 0.7.0
 */
 class HTTPVaultConnectorOfflineTest {
    private static final String INVALID_URL = "foo:/\\1nv4l1d_UrL";
    private static MockedStatic<HttpClientBuilder> hcbMock;
    private static CloseableHttpClient httpMock;
    private final CloseableHttpResponse responseMock = mock(CloseableHttpResponse.class);
    @BeforeAll
    static void prepare() {
        // Mock the static HTTPClient creation.
        hcbMock = mockStatic(HttpClientBuilder.class);
        hcbMock.when(HttpClientBuilder::create).thenReturn(new MockedHttpClientBuilder());
    }
     @AfterAll
     static void tearDown() {
         hcbMock.close();
     }
    @BeforeEach
    void init() {
        // Re-initialize HTTP mock to ensure fresh (empty) results.
        httpMock = mock(CloseableHttpClient.class);
    }
    /**
     * Test exceptions thrown during request.
     */
    @Test
    void requestExceptionTest() throws IOException {
        HTTPVaultConnector connector = new HTTPVaultConnector("http://127.0.0.1", null, 0, 250);
        // Test invalid response code.
        final int responseCode = 400;
        mockResponse(responseCode, "", ContentType.APPLICATION_JSON);
        InvalidResponseException e = assertThrows(
                InvalidResponseException.class,
                connector::getHealth,
                "Querying health status succeeded on invalid instance"
        );
        assertThat("Unexpected exception message", e.getMessage(), is("Invalid response code"));
        assertThat("Unexpected status code in exception", ((InvalidResponseException) e).getStatusCode(), is(responseCode));
        assertThat("Response message where none was expected", ((InvalidResponseException) e).getResponse(), is(nullValue()));
        // Simulate permission denied response.
        mockResponse(responseCode, "{\"errors\":[\"permission denied\"]}", ContentType.APPLICATION_JSON);
        assertThrows(
                PermissionDeniedException.class,
                connector::getHealth,
                "Querying health status succeeded on invalid instance"
        );
        // Test exception thrown during request.
        when(httpMock.execute(any())).thenThrow(new IOException("Test Exception"));
        e = assertThrows(
                InvalidResponseException.class,
                connector::getHealth,
                "Querying health status succeeded on invalid instance"
        );
        assertThat("Unexpected exception message", e.getMessage(), is("Unable to read response"));
        assertThat("Unexpected cause", e.getCause(), instanceOf(IOException.class));
        // Now simulate a failing request that succeeds on second try.
        connector = new HTTPVaultConnector("https://127.0.0.1", null, 1, 250);
        doReturn(responseMock).doReturn(responseMock).when(httpMock).execute(any());
        doReturn(new BasicStatusLine(new ProtocolVersion("HTTP", 1, 1), 500, ""))
                .doReturn(new BasicStatusLine(new ProtocolVersion("HTTP", 1, 1), 500, ""))
                .doReturn(new BasicStatusLine(new ProtocolVersion("HTTP", 1, 1), 500, ""))
                .doReturn(new BasicStatusLine(new ProtocolVersion("HTTP", 1, 1), 200, ""))
                .when(responseMock).getStatusLine();
        when(responseMock.getEntity()).thenReturn(new StringEntity("{}", ContentType.APPLICATION_JSON));
        assertDoesNotThrow(connector::getHealth, "Request failed unexpectedly");
    }
    /**
     * Test constructors of the {@link HTTPVaultConnector} class.
     */
    @Test
    void constructorTest() throws IOException, CertificateException {
        final String url = "https://vault.example.net/test/";
        final String hostname = "vault.example.com";
        final Integer port = 1337;
        final String prefix = "/custom/prefix/";
        final int retries = 42;
        final String expectedNoTls = "http://" + hostname + "/v1/";
        final String expectedCustomPort = "https://" + hostname + ":" + port + "/v1/";
        final String expectedCustomPrefix = "https://" + hostname + ":" + port + prefix;
        X509Certificate trustedCaCert;
        try (InputStream is = getClass().getResourceAsStream("/tls/ca.pem")) {
            trustedCaCert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(is);
        }
        // Most basic constructor expects complete URL.
        HTTPVaultConnector connector = new HTTPVaultConnector(url);
        assertThat("Unexpected base URL", getRequestHelperPrivate(connector, "baseURL"), is(url));
        // Now override TLS usage.
        connector = new HTTPVaultConnector(hostname, false);
        assertThat("Unexpected base URL with TLS disabled", getRequestHelperPrivate(connector, "baseURL"), is(expectedNoTls));
        // Specify custom port.
        connector = new HTTPVaultConnector(hostname, true, port);
        assertThat("Unexpected base URL with custom port", getRequestHelperPrivate(connector, "baseURL"), is(expectedCustomPort));
        // Specify custom prefix.
        connector = new HTTPVaultConnector(hostname, true, port, prefix);
        assertThat("Unexpected base URL with custom prefix", getRequestHelperPrivate(connector, "baseURL"), is(expectedCustomPrefix));
        assertThat("Trusted CA cert set, but not specified", getRequestHelperPrivate(connector, "trustedCaCert"), is(nullValue()));
        // Provide custom SSL context.
        connector = new HTTPVaultConnector(hostname, true, port, prefix, trustedCaCert);
        assertThat("Unexpected base URL with custom prefix", getRequestHelperPrivate(connector, "baseURL"), is(expectedCustomPrefix));
        assertThat("Trusted CA cert not filled correctly", getRequestHelperPrivate(connector, "trustedCaCert"), is(trustedCaCert));
        // Specify number of retries.
        connector = new HTTPVaultConnector(url, trustedCaCert, retries);
        assertThat("Number of retries not set correctly", getRequestHelperPrivate(connector, "retries"), is(retries));
        // Test TLS version (#22).
        assertThat("TLS version should be 1.2 if not specified", getRequestHelperPrivate(connector, "tlsVersion"), is("TLSv1.2"));
        // Now override.
        connector = new HTTPVaultConnector(url, trustedCaCert, retries, null, "TLSv1.1");
        assertThat("Overridden TLS version 1.1 not correct", getRequestHelperPrivate(connector, "tlsVersion"), is("TLSv1.1"));
    }
    /**
     * This test is designed to test exceptions caught and thrown by seal-methods if Vault is not reachable.
     */
    @Test
    void sealExceptionTest() {
        HTTPVaultConnector connector = new HTTPVaultConnector(INVALID_URL);
        VaultConnectorException e = assertThrows(
                InvalidRequestException.class,
                connector::sealStatus,
                "Querying seal status succeeded on invalid URL"
        );
        assertThat("Unexpected exception message", e.getMessage(), is("Invalid URI format"));
        // Simulate NULL response (mock not supplied with data).
        connector = new HTTPVaultConnector("https://127.0.0.1", null, 0, 250);
        e = assertThrows(
                InvalidResponseException.class,
                connector::sealStatus,
                "Querying seal status succeeded on invalid instance"
        );
        assertThat("Unexpected exception message", e.getMessage(), is("Response unavailable"));
    }
    /**
     * This test is designed to test exceptions caught and thrown by seal-methods if Vault is not reachable.
     */
    @Test
    void healthExceptionTest() {
        HTTPVaultConnector connector = new HTTPVaultConnector(INVALID_URL);
        VaultConnectorException e = assertThrows(
                InvalidRequestException.class,
                connector::getHealth,
                "Querying health status succeeded on invalid URL"
        );
        assertThat("Unexpected exception message", e.getMessage(), is("Invalid URI format"));
        // Simulate NULL response (mock not supplied with data).
        connector = new HTTPVaultConnector("https://127.0.0.1", null, 0, 250);
        e = assertThrows(
                InvalidResponseException.class,
                connector::getHealth,
                "Querying health status succeeded on invalid instance"
        );
        assertThat("Unexpected exception message", e.getMessage(), is("Response unavailable"));
    }
    /**
     * Test behavior on unparsable responses.
     */
    @Test
    void parseExceptionTest() throws IOException {
        HTTPVaultConnector connector = new HTTPVaultConnector("https://127.0.0.1", null, 0, 250);
        // Mock authorization.
        setPrivate(connector, "authorized", true);
        // Mock response.
        mockResponse(200, "invalid", ContentType.APPLICATION_JSON);
        // Now test the methods.
        assertParseError(connector::sealStatus, "sealStatus() succeeded on invalid instance");
        assertParseError(() -> connector.unseal("key"), "unseal() succeeded on invalid instance");
        assertParseError(connector::getHealth, "getHealth() succeeded on invalid instance");
        assertParseError(connector::getAuthBackends, "getAuthBackends() succeeded on invalid instance");
        assertParseError(() -> connector.authToken("token"), "authToken() succeeded on invalid instance");
        assertParseError(() -> connector.lookupAppRole("roleName"), "lookupAppRole() succeeded on invalid instance");
        assertParseError(() -> connector.getAppRoleID("roleName"), "getAppRoleID() succeeded on invalid instance");
        assertParseError(() -> connector.createAppRoleSecret("roleName"), "createAppRoleSecret() succeeded on invalid instance");
        assertParseError(() -> connector.lookupAppRoleSecret("roleName", "secretID"), "lookupAppRoleSecret() succeeded on invalid instance");
        assertParseError(connector::listAppRoles, "listAppRoles() succeeded on invalid instance");
        assertParseError(() -> connector.listAppRoleSecrets("roleName"), "listAppRoleSecrets() succeeded on invalid instance");
        assertParseError(() -> connector.read("key"), "read() succeeded on invalid instance");
        assertParseError(() -> connector.list("path"), "list() succeeded on invalid instance");
        assertParseError(() -> connector.renew("leaseID"), "renew() succeeded on invalid instance");
        assertParseError(() -> connector.lookupToken("token"), "lookupToken() succeeded on invalid instance");
    }
    private void assertParseError(Executable executable, String message) {
        InvalidResponseException e = assertThrows(InvalidResponseException.class, executable, message);
        assertThat("Unexpected exception message", e.getMessage(), is("Unable to parse response"));
    }
    /**
     * Test requests that expect an empty response with code 204, but receive a 200 body.
     */
    @Test
    void nonEmpty204ResponseTest() throws IOException {
        HTTPVaultConnector connector = new HTTPVaultConnector("https://127.0.0.1", null, 0, 250);
        // Mock authorization.
        setPrivate(connector, "authorized", true);
        // Mock response.
        mockResponse(200, "{}", ContentType.APPLICATION_JSON);
        // Now test the methods expecting a 204.
        assertThrows(
                InvalidResponseException.class,
                () -> connector.registerAppId("appID", "policy", "displayName"),
                "registerAppId() with 200 response succeeded"
        );
        assertThrows(
                InvalidResponseException.class,
                () -> connector.registerUserId("appID", "userID"),
                "registerUserId() with 200 response succeeded"
        );
        assertThrows(
                InvalidResponseException.class,
                () -> connector.createAppRole("appID", Collections.singletonList("policy")),
                "createAppRole() with 200 response succeeded"
        );
        assertThrows(
                InvalidResponseException.class,
                () -> connector.deleteAppRole("roleName"),
                "deleteAppRole() with 200 response succeeded"
        );
        assertThrows(
                InvalidResponseException.class,
                () -> connector.setAppRoleID("roleName", "roleID"),
                "setAppRoleID() with 200 response succeeded"
        );
        assertThrows(
                InvalidResponseException.class,
                () -> connector.destroyAppRoleSecret("roleName", "secretID"),
                "destroyAppRoleSecret() with 200 response succeeded"
        );
        assertThrows(
                InvalidResponseException.class,
                () -> connector.destroyAppRoleSecret("roleName", "secretUD"),
                "destroyAppRoleSecret() with 200 response succeeded"
        );
        assertThrows(
                InvalidResponseException.class,
                () -> connector.delete("key"),
                "delete() with 200 response succeeded"
        );
        assertThrows(
                InvalidResponseException.class,
                () -> connector.revoke("leaseID"),
                "destroyAppRoleSecret() with 200 response succeeded"
        );
    }
    private Object getRequestHelperPrivate(HTTPVaultConnector connector, String fieldName) {
        try {
            return getPrivate(getPrivate(connector, "request"), fieldName);
        } catch (NoSuchFieldException | IllegalAccessException e) {
            return null;
        }
    }
    private Object getPrivate(Object target, String fieldName) throws NoSuchFieldException, IllegalAccessException {
        Field field = target.getClass().getDeclaredField(fieldName);
        if (field.isAccessible()) {
            return field.get(target);
        }
        field.setAccessible(true);
        Object value = field.get(target);
        field.setAccessible(false);
        return value;
    }
    private void setPrivate(Object target, String fieldName, Object value) {
        try {
            Field field = target.getClass().getDeclaredField(fieldName);
            boolean accessible = field.isAccessible();
            field.setAccessible(true);
            field.set(target, value);
            field.setAccessible(accessible);
        } catch (NoSuchFieldException | IllegalAccessException e) {
            // Should not occur, to be taken care of in test code.
        }
    }
    private void mockResponse(int status, String body, ContentType type) throws IOException {
        when(httpMock.execute(any())).thenReturn(responseMock);
        when(responseMock.getStatusLine()).thenReturn(new BasicStatusLine(new ProtocolVersion("HTTP", 1, 1), status, ""));
        when(responseMock.getEntity()).thenReturn(new StringEntity(body, type));
    }
    /**
     * Mocked {@link HttpClientBuilder} that always returns the mocked client.
     */
    private static class MockedHttpClientBuilder extends HttpClientBuilder {
        @Override
        public CloseableHttpClient build() {
            return httpMock;
        }
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java
--- a/src/test/java/de/stklcode/jvault/connector/builder/HTTPVaultConnectorBuilderTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/builder/HTTPVaultConnectorBuilderTest.java
@ -1,132 +0,0 @@
 /*
 * Copyright 2016-2021 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package de.stklcode.jvault.connector.builder;
 import com.github.stefanbirkner.systemlambda.SystemLambda;
 import de.stklcode.jvault.connector.HTTPVaultConnector;
 import de.stklcode.jvault.connector.exception.TlsException;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.io.TempDir;
 import java.io.File;
 import java.lang.reflect.Field;
 import java.nio.file.NoSuchFileException;
 import java.util.concurrent.Callable;
 import static com.github.stefanbirkner.systemlambda.SystemLambda.withEnvironmentVariable;
 import static org.hamcrest.CoreMatchers.*;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 /**
 * JUnit test for HTTP Vault connector factory
 *
 * @author Stefan Kalscheuer
 * @since 0.8.0
 */
 class HTTPVaultConnectorBuilderTest {
    private static final String VAULT_ADDR = "https://localhost:8201";
    private static final Integer VAULT_MAX_RETRIES = 13;
    private static final String VAULT_TOKEN = "00001111-2222-3333-4444-555566667777";
    @TempDir
    File tempDir;
    /**
     * Test building from environment variables
     */
    @Test
    void testFromEnv() throws Exception {
        /* Provide address only should be enough */
        withVaultEnv(VAULT_ADDR, null, null, null).execute(() -> {
            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
                    () -> VaultConnectorBuilder.http().fromEnv(),
                    "Factory creation from minimal environment failed"
            );
            HTTPVaultConnector connector = builder.build();
            assertThat("URL nor set correctly", getRequestHelperPrivate(connector, "baseURL"), is(equalTo(VAULT_ADDR + "/v1/")));
            assertThat("Trusted CA cert set when no cert provided", getRequestHelperPrivate(connector, "trustedCaCert"), is(nullValue()));
            assertThat("Non-default number of retries, when none set", getRequestHelperPrivate(connector, "retries"), is(0));
            return null;
        });
        /* Provide address and number of retries */
        withVaultEnv(VAULT_ADDR, null, VAULT_MAX_RETRIES.toString(), null).execute(() -> {
            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
                    () -> VaultConnectorBuilder.http().fromEnv(),
                    "Factory creation from environment failed"
            );
            HTTPVaultConnector connector = builder.build();
            assertThat("URL nor set correctly", getRequestHelperPrivate(connector, "baseURL"), is(equalTo(VAULT_ADDR + "/v1/")));
            assertThat("Trusted CA cert set when no cert provided", getRequestHelperPrivate(connector, "trustedCaCert"), is(nullValue()));
            assertThat("Number of retries not set correctly", getRequestHelperPrivate(connector, "retries"), is(VAULT_MAX_RETRIES));
            return null;
        });
        /* Provide CA certificate */
        String VAULT_CACERT = tempDir.toString() + "/doesnotexist";
        withVaultEnv(VAULT_ADDR, VAULT_CACERT, VAULT_MAX_RETRIES.toString(), null).execute(() -> {
            TlsException e = assertThrows(
                    TlsException.class,
                    () -> VaultConnectorBuilder.http().fromEnv(),
                    "Creation with unknown cert path failed."
            );
            assertThat(e.getCause(), is(instanceOf(NoSuchFileException.class)));
            assertThat(((NoSuchFileException) e.getCause()).getFile(), is(VAULT_CACERT));
            return null;
        });
        /* Automatic authentication */
        withVaultEnv(VAULT_ADDR, null, VAULT_MAX_RETRIES.toString(), VAULT_TOKEN).execute(() -> {
            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
                    () -> VaultConnectorBuilder.http().fromEnv(),
                    "Factory creation from minimal environment failed"
            );
            assertThat("Token nor set correctly", getPrivate(builder, "token"), is(equalTo(VAULT_TOKEN)));
            return null;
        });
    }
    private SystemLambda.WithEnvironmentVariables withVaultEnv(String vault_addr, String vault_cacert, String vault_max_retries, String vault_token) {
        return withEnvironmentVariable("VAULT_ADDR", vault_addr)
                .and("VAULT_CACERT", vault_cacert)
                .and("VAULT_MAX_RETRIES", vault_max_retries)
                .and("VAULT_TOKEN", vault_token);
    }
    private Object getRequestHelperPrivate(HTTPVaultConnector connector, String fieldName) throws NoSuchFieldException, IllegalAccessException {
        return getPrivate(getPrivate(connector, "request"), fieldName);
    }
    private Object getPrivate(Object target, String fieldName) throws NoSuchFieldException, IllegalAccessException {
        Field field = target.getClass().getDeclaredField(fieldName);
        if (field.isAccessible()) {
            return field.get(target);
        }
        field.setAccessible(true);
        Object value = field.get(target);
        field.setAccessible(false);
        return value;
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/exception/VaultConnectorExceptionTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/exception/VaultConnectorExceptionTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -18,10 +18,8 @@ package de.stklcode.jvault.connector.exception;
 import org.junit.jupiter.api.Test;
-import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.hamcrest.Matchers.instanceOf;
+import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.hamcrest.Matchers.nullValue;
 import static org.hamcrest.core.Is.is;
 /**
 * Common JUnit test for Exceptions extending {@link VaultConnectorException}.
@ -65,42 +63,39 @@ class VaultConnectorExceptionTest {
        // Constructor with message and status code.
        InvalidResponseException e = new InvalidResponseException(MSG, STATUS_CODE);
-        assertThat(e.getMessage(), is(MSG));
+        assertEquals(MSG, e.getMessage());
-        assertThat(e.getCause(), is(nullValue()));
+        assertNull(e.getCause());
-        assertThat(e.getStatusCode(), is(STATUS_CODE));
+        assertEquals(STATUS_CODE, e.getStatusCode());
-        assertThat(e.getResponse(), is(nullValue()));
+        assertNull(e.getResponse());
        // Constructor with message, status code and cause.
        e = new InvalidResponseException(MSG, STATUS_CODE, CAUSE);
-        assertThat(e.getMessage(), is(MSG));
+        assertEquals(MSG, e.getMessage());
-        assertThat(e.getCause(), is(CAUSE));
+        assertEquals(CAUSE, e.getCause());
-        assertThat(e.getStatusCode(), is(STATUS_CODE));
+        assertEquals(STATUS_CODE, e.getStatusCode());
-        assertThat(e.getResponse(), is(nullValue()));
+        assertNull(e.getResponse());
        // Constructor with message, status code and response.
        e = new InvalidResponseException(MSG, STATUS_CODE, RESPONSE);
-        assertThat(e.getMessage(), is(MSG));
+        assertEquals(MSG, e.getMessage());
-        assertThat(e.getCause(), is(nullValue()));
+        assertNull(e.getCause());
-        assertThat(e.getStatusCode(), is(STATUS_CODE));
+        assertEquals(STATUS_CODE, e.getStatusCode());
-        assertThat(e.getResponse(), is(RESPONSE));
+        assertEquals(RESPONSE, e.getResponse());
        // Constructor with message, status code, response and cause.
        e = new InvalidResponseException(MSG, STATUS_CODE, RESPONSE, CAUSE);
-        assertThat(e.getMessage(), is(MSG));
+        assertEquals(MSG, e.getMessage());
-        assertThat(e.getCause(), is(CAUSE));
+        assertEquals(CAUSE, e.getCause());
-        assertThat(e.getStatusCode(), is(STATUS_CODE));
+        assertEquals(STATUS_CODE, e.getStatusCode());
-        assertThat(e.getResponse(), is(RESPONSE));
+        assertEquals(RESPONSE, e.getResponse());
    }
    @Test
    void permissionDeniedExceptionTest() {
        // Default message overwritten.
        PermissionDeniedException e = new PermissionDeniedException();
-        assertThat(e, is(instanceOf(VaultConnectorException.class)));
+        assertEquals("Permission denied", e.getMessage());
-        assertThat(e, is(instanceOf(Exception.class)));
+        assertNull(e.getCause());
        assertThat(e, is(instanceOf(Throwable.class)));
        assertThat(e.getMessage(), is("Permission denied"));
        assertThat(e.getCause(), is(nullValue()));
        assertMsgConstructor(new PermissionDeniedException(MSG));
        assertCauseConstructor(new PermissionDeniedException(CAUSE));
@ -121,11 +116,8 @@ class VaultConnectorExceptionTest {
     * @param e the exception
     */
    private void assertEmptyConstructor(VaultConnectorException e) {
-        assertThat(e, is(instanceOf(VaultConnectorException.class)));
+        assertNull(e.getMessage());
-        assertThat(e, is(instanceOf(Exception.class)));
+        assertNull(e.getCause());
        assertThat(e, is(instanceOf(Throwable.class)));
        assertThat(e.getMessage(), is(nullValue()));
        assertThat(e.getCause(), is(nullValue()));
    }
    /**
@ -134,8 +126,8 @@ class VaultConnectorExceptionTest {
     * @param e the exception
     */
    private void assertMsgConstructor(VaultConnectorException e) {
-        assertThat(e.getMessage(), is(MSG));
+        assertEquals(MSG, e.getMessage());
-        assertThat(e.getCause(), is(nullValue()));
+        assertNull(e.getCause());
    }
    /**
@ -144,8 +136,8 @@ class VaultConnectorExceptionTest {
     * @param e the exception
     */
    private void assertCauseConstructor(VaultConnectorException e) {
-        assertThat(e.getMessage(), is(CAUSE.toString()));
+        assertEquals(CAUSE.toString(), e.getMessage());
-        assertThat(e.getCause(), is(CAUSE));
+        assertEquals(CAUSE, e.getCause());
    }
    /**
@ -154,7 +146,7 @@ class VaultConnectorExceptionTest {
     * @param e the exception
     */
    private void assertMsgCauseConstructor(VaultConnectorException e) {
-        assertThat(e.getMessage(), is(MSG));
+        assertEquals(MSG, e.getMessage());
-        assertThat(e.getCause(), is(CAUSE));
+        assertEquals(CAUSE, e.getCause());
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/factory/HTTPVaultConnectorFactoryTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/factory/HTTPVaultConnectorFactoryTest.java
@ -1,131 +0,0 @@
 /*
 * Copyright 2016-2021 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package de.stklcode.jvault.connector.factory;
 import com.github.stefanbirkner.systemlambda.SystemLambda;
 import de.stklcode.jvault.connector.HTTPVaultConnector;
 import de.stklcode.jvault.connector.exception.TlsException;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.io.TempDir;
 import java.io.File;
 import java.lang.reflect.Field;
 import java.nio.file.NoSuchFileException;
 import static com.github.stefanbirkner.systemlambda.SystemLambda.withEnvironmentVariable;
 import static org.hamcrest.CoreMatchers.*;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 /**
 * JUnit test for HTTP Vault connector factory
 *
 * @author Stefan Kalscheuer
 * @since 0.6.0
 */
 class HTTPVaultConnectorFactoryTest {
    private static String VAULT_ADDR = "https://localhost:8201";
    private static Integer VAULT_MAX_RETRIES = 13;
    private static String VAULT_TOKEN = "00001111-2222-3333-4444-555566667777";
    @TempDir
    File tempDir;
    /**
     * Test building from environment variables
     */
    @Test
    void testFromEnv() throws Exception {
        /* Provide address only should be enough */
        withVaultEnv(VAULT_ADDR, null, null, null).execute(() -> {
            HTTPVaultConnectorFactory factory = assertDoesNotThrow(
                    () -> VaultConnectorFactory.httpFactory().fromEnv(),
                    "Factory creation from minimal environment failed"
            );
            HTTPVaultConnector connector = factory.build();
            assertThat("URL nor set correctly", getRequestHelperPrivate(connector, "baseURL"), is(equalTo(VAULT_ADDR + "/v1/")));
            assertThat("Trusted CA cert set when no cert provided", getRequestHelperPrivate(connector, "trustedCaCert"), is(nullValue()));
            assertThat("Non-default number of retries, when none set", getRequestHelperPrivate(connector, "retries"), is(0));
            return null;
        });
        /* Provide address and number of retries */
        withVaultEnv(VAULT_ADDR, null, VAULT_MAX_RETRIES.toString(), null).execute(() -> {
            HTTPVaultConnectorFactory factory = assertDoesNotThrow(
                    () -> VaultConnectorFactory.httpFactory().fromEnv(),
                    "Factory creation from environment failed"
            );
            HTTPVaultConnector connector = factory.build();
            assertThat("URL nor set correctly", getRequestHelperPrivate(connector, "baseURL"), is(equalTo(VAULT_ADDR + "/v1/")));
            assertThat("Trusted CA cert set when no cert provided", getRequestHelperPrivate(connector, "trustedCaCert"), is(nullValue()));
            assertThat("Number of retries not set correctly", getRequestHelperPrivate(connector, "retries"), is(VAULT_MAX_RETRIES));
            return null;
        });
        /* Provide CA certificate */
        String VAULT_CACERT = tempDir.toString() + "/doesnotexist";
        withVaultEnv(VAULT_ADDR, VAULT_CACERT, VAULT_MAX_RETRIES.toString(), null).execute(() -> {
            TlsException e = assertThrows(
                    TlsException.class,
                    () -> VaultConnectorFactory.httpFactory().fromEnv(),
                    "Creation with unknown cert path failed."
            );
            assertThat(e.getCause(), is(instanceOf(NoSuchFileException.class)));
            assertThat(((NoSuchFileException) e.getCause()).getFile(), is(VAULT_CACERT));
            return null;
        });
        /* Automatic authentication */
        withVaultEnv(VAULT_ADDR, null, VAULT_MAX_RETRIES.toString(), VAULT_TOKEN).execute(() -> {
            HTTPVaultConnectorFactory factory = assertDoesNotThrow(
                    () -> VaultConnectorFactory.httpFactory().fromEnv(),
                    "Factory creation from minimal environment failed"
            );
            assertThat("Token nor set correctly", getPrivate(getPrivate(factory, "delegate"), "token"), is(equalTo(VAULT_TOKEN)));
            return null;
        });
    }
    private SystemLambda.WithEnvironmentVariables withVaultEnv(String vault_addr, String vault_cacert, String vault_max_retries, String vault_token) {
        return withEnvironmentVariable("VAULT_ADDR", vault_addr)
                .and("VAULT_CACERT", vault_cacert)
                .and("VAULT_MAX_RETRIES", vault_max_retries)
                .and("VAULT_TOKEN", vault_token);
    }
    private Object getRequestHelperPrivate(HTTPVaultConnector connector, String fieldName) throws NoSuchFieldException, IllegalAccessException {
        return getPrivate(getPrivate(connector, "request"), fieldName);
    }
    private Object getPrivate(Object target, String fieldName) throws NoSuchFieldException, IllegalAccessException {
        Field field = target.getClass().getDeclaredField(fieldName);
        if (field.isAccessible()) {
            return field.get(target);
        }
        field.setAccessible(true);
        Object value = field.get(target);
        field.setAccessible(false);
        return value;
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/AbstractModelTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/AbstractModelTest.java
@ -0,0 +1,81 @@
 package de.stklcode.jvault.connector.model;
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.SerializationFeature;
 import com.fasterxml.jackson.databind.json.JsonMapper;
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
 import nl.jqno.equalsverifier.EqualsVerifier;
 import org.junit.jupiter.api.Test;
 import java.io.*;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.fail;
 /**
 * Abstract testcase for model classes.
 *
 * @author Stefan Kalscheuer
 * @since 1.1
 */
 public abstract class AbstractModelTest<T> {
    protected final Class<?> modelClass;
    protected final ObjectMapper objectMapper;
    /**
     * Test case constructor.
     *
     * @param modelClass Target class to test.
     */
    protected AbstractModelTest(Class<T> modelClass) {
        this.modelClass = modelClass;
        this.objectMapper = JsonMapper.builder()
            .addModule(new JavaTimeModule())
            .enable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS)
            .disable(DeserializationFeature.ADJUST_DATES_TO_CONTEXT_TIME_ZONE)
            .build();
    }
    /**
     * Create a "full" model instance.
     *
     * @return Model instance.
     */
    protected abstract T createFull();
    /**
     * Test if {@link Object#equals(Object)} and {@link Object#hashCode()} are implemented, s.t. all fields are covered.
     */
    @Test
    void testEqualsHashcode() {
        EqualsVerifier.simple().forClass(modelClass).verify();
    }
    /**
     * Test Java serialization of a full model instance.
     * Serialization and deserialization must not fail and the resulting object should equal the original object.
     */
    @Test
    void serializationTest() {
        T original = createFull();
        byte[] bytes;
        try (var bos = new ByteArrayOutputStream();
             var oos = new ObjectOutputStream(bos)) {
            oos.writeObject(original);
            bytes = bos.toByteArray();
        } catch (IOException e) {
            fail("Serialization failed", e);
            return;
        }
        try (var bis = new ByteArrayInputStream(bytes);
             var ois = new ObjectInputStream(bis)) {
            Object copy = ois.readObject();
            assertEquals(modelClass, copy.getClass(), "Invalid class after deserialization");
            assertEquals(original, copy, "Deserialized object should be equal to the original");
        } catch (IOException | ClassNotFoundException e) {
            fail("Deserialization failed", e);
        }
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/AppRoleBuilderTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/AppRoleBuilderTest.java
@ -1,299 +0,0 @@
 /*
 * Copyright 2016-2021 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package de.stklcode.jvault.connector.model;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 import java.util.ArrayList;
 import java.util.List;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.*;
 /**
 * JUnit Test for AppRole Builder.
 *
 * @author Stefan Kalscheuer
 * @since 0.4.0
 */
 class AppRoleBuilderTest {
    private static final String NAME = "TestRole";
    private static final String ID = "test-id";
    private static final Boolean BIND_SECRET_ID = true;
    private static final List<String> BOUND_CIDR_LIST = new ArrayList<>();
    private static final String CIDR_1 = "192.168.1.0/24";
    private static final String CIDR_2 = "172.16.0.0/16";
    private static final List<String> POLICIES = new ArrayList<>();
    private static final String POLICY = "policy";
    private static final String POLICY_2 = "policy2";
    private static final Integer SECRET_ID_NUM_USES = 10;
    private static final Integer SECRET_ID_TTL = 7200;
    private static final Boolean ENABLE_LOCAL_SECRET_IDS = false;
    private static final Integer TOKEN_TTL = 4800;
    private static final Integer TOKEN_MAX_TTL = 9600;
    private static final Integer TOKEN_EXPLICIT_MAX_TTL = 14400;
    private static final Boolean TOKEN_NO_DEFAULT_POLICY = false;
    private static final Integer TOKEN_NUM_USES = 42;
    private static final Integer TOKEN_PERIOD = 1234;
    private static final Token.Type TOKEN_TYPE = Token.Type.DEFAULT_SERVICE;
    private static final String JSON_MIN = "{\"role_name\":\"" + NAME + "\"}";
    private static final String JSON_FULL = String.format("{\"role_name\":\"%s\",\"role_id\":\"%s\",\"bind_secret_id\":%s,\"secret_id_bound_cidrs\":\"%s\",\"secret_id_num_uses\":%d,\"secret_id_ttl\":%d,\"enable_local_secret_ids\":%s,\"token_ttl\":%d,\"token_max_ttl\":%d,\"token_policies\":\"%s\",\"token_bound_cidrs\":\"%s\",\"token_explicit_max_ttl\":%d,\"token_no_default_policy\":%s,\"token_num_uses\":%d,\"token_period\":%d,\"token_type\":\"%s\"}",
            NAME, ID, BIND_SECRET_ID, CIDR_1, SECRET_ID_NUM_USES, SECRET_ID_TTL, ENABLE_LOCAL_SECRET_IDS, TOKEN_TTL, TOKEN_MAX_TTL, POLICY, CIDR_1, TOKEN_EXPLICIT_MAX_TTL, TOKEN_NO_DEFAULT_POLICY, TOKEN_NUM_USES, TOKEN_PERIOD, TOKEN_TYPE.value());
    @BeforeAll
    static void init() {
        BOUND_CIDR_LIST.add(CIDR_1);
        POLICIES.add(POLICY);
    }
    /**
     * Build role with only a name.
     */
    @Test
    void buildDefaultTest() throws JsonProcessingException {
        AppRole role = AppRole.builder(NAME).build();
        assertThat(role.getId(), is(nullValue()));
        assertThat(role.getBindSecretId(), is(nullValue()));
        assertThat(role.getSecretIdBoundCidrs(), is(nullValue()));
        assertThat(role.getTokenPolicies(), is(nullValue()));
        assertThat(role.getPolicies(), is(nullValue()));
        assertThat(role.getSecretIdNumUses(), is(nullValue()));
        assertThat(role.getSecretIdTtl(), is(nullValue()));
        assertThat(role.getEnableLocalSecretIds(), is(nullValue()));
        assertThat(role.getTokenTtl(), is(nullValue()));
        assertThat(role.getTokenMaxTtl(), is(nullValue()));
        assertThat(role.getTokenBoundCidrs(), is(nullValue()));
        assertThat(role.getTokenExplicitMaxTtl(), is(nullValue()));
        assertThat(role.getTokenNoDefaultPolicy(), is(nullValue()));
        assertThat(role.getTokenNumUses(), is(nullValue()));
        assertThat(role.getTokenPeriod(), is(nullValue()));
        assertThat(role.getPeriod(), is(nullValue()));
        assertThat(role.getTokenType(), is(nullValue()));
        /* optional fields should be ignored, so JSON string should only contain role_name */
        assertThat(new ObjectMapper().writeValueAsString(role), is(JSON_MIN));
    }
    /**
     * Build role with only a name.
     */
    @Test
    void legacyBuildDefaultTest() throws JsonProcessingException {
        AppRole role = new AppRoleBuilder(NAME).build();
        assertThat(role.getId(), is(nullValue()));
        assertThat(role.getBindSecretId(), is(nullValue()));
        assertThat(role.getSecretIdBoundCidrs(), is(nullValue()));
        assertThat(role.getTokenPolicies(), is(nullValue()));
        assertThat(role.getPolicies(), is(nullValue()));
        assertThat(role.getSecretIdNumUses(), is(nullValue()));
        assertThat(role.getSecretIdTtl(), is(nullValue()));
        assertThat(role.getEnableLocalSecretIds(), is(nullValue()));
        assertThat(role.getTokenTtl(), is(nullValue()));
        assertThat(role.getTokenMaxTtl(), is(nullValue()));
        assertThat(role.getTokenBoundCidrs(), is(nullValue()));
        assertThat(role.getTokenExplicitMaxTtl(), is(nullValue()));
        assertThat(role.getTokenNoDefaultPolicy(), is(nullValue()));
        assertThat(role.getTokenNumUses(), is(nullValue()));
        assertThat(role.getTokenPeriod(), is(nullValue()));
        assertThat(role.getPeriod(), is(nullValue()));
        assertThat(role.getTokenType(), is(nullValue()));
        /* optional fields should be ignored, so JSON string should only contain role_name */
        assertThat(new ObjectMapper().writeValueAsString(role), is(JSON_MIN));
    }
    /**
     * Build token without all parameters set.
     */
    @Test
    void buildFullTest() throws JsonProcessingException {
        AppRole role = AppRole.builder(NAME)
                .withId(ID)
                .withBindSecretID(BIND_SECRET_ID)
                .withSecretIdBoundCidrs(BOUND_CIDR_LIST)
                .withTokenPolicies(POLICIES)
                .withSecretIdNumUses(SECRET_ID_NUM_USES)
                .withSecretIdTtl(SECRET_ID_TTL)
                .withEnableLocalSecretIds(ENABLE_LOCAL_SECRET_IDS)
                .withTokenTtl(TOKEN_TTL)
                .withTokenMaxTtl(TOKEN_MAX_TTL)
                .withTokenBoundCidrs(BOUND_CIDR_LIST)
                .withTokenExplicitMaxTtl(TOKEN_EXPLICIT_MAX_TTL)
                .withTokenNoDefaultPolicy(TOKEN_NO_DEFAULT_POLICY)
                .withTokenNumUses(TOKEN_NUM_USES)
                .wit0hTokenPeriod(TOKEN_PERIOD)
                .withTokenType(TOKEN_TYPE)
                .build();
        assertThat(role.getName(), is(NAME));
        assertThat(role.getId(), is(ID));
        assertThat(role.getBindSecretId(), is(BIND_SECRET_ID));
        assertThat(role.getSecretIdBoundCidrs(), is(BOUND_CIDR_LIST));
        assertThat(role.getTokenPolicies(), is(POLICIES));
        assertThat(role.getPolicies(), is(role.getTokenPolicies()));
        assertThat(role.getSecretIdNumUses(), is(SECRET_ID_NUM_USES));
        assertThat(role.getSecretIdTtl(), is(SECRET_ID_TTL));
        assertThat(role.getEnableLocalSecretIds(), is(ENABLE_LOCAL_SECRET_IDS));
        assertThat(role.getTokenTtl(), is(TOKEN_TTL));
        assertThat(role.getTokenMaxTtl(), is(TOKEN_MAX_TTL));
        assertThat(role.getTokenBoundCidrs(), is(BOUND_CIDR_LIST));
        assertThat(role.getTokenExplicitMaxTtl(), is(TOKEN_EXPLICIT_MAX_TTL));
        assertThat(role.getTokenNoDefaultPolicy(), is(TOKEN_NO_DEFAULT_POLICY));
        assertThat(role.getTokenNumUses(), is(TOKEN_NUM_USES));
        assertThat(role.getTokenPeriod(), is(TOKEN_PERIOD));
        assertThat(role.getPeriod(), is(TOKEN_PERIOD));
        assertThat(role.getTokenType(), is(TOKEN_TYPE.value()));
        /* Verify that all parameters are included in JSON string */
        assertThat(new ObjectMapper().writeValueAsString(role), is(JSON_FULL));
    }
    /**
     * Build token without all parameters set.
     */
    @Test
    void legacyBuildFullTest() throws JsonProcessingException {
        AppRole role = new AppRoleBuilder(NAME)
                .withId(ID)
                .withBindSecretID(BIND_SECRET_ID)
                .withSecretIdBoundCidrs(BOUND_CIDR_LIST)
                .withTokenPolicies(POLICIES)
                .withSecretIdNumUses(SECRET_ID_NUM_USES)
                .withSecretIdTtl(SECRET_ID_TTL)
                .withEnableLocalSecretIds(ENABLE_LOCAL_SECRET_IDS)
                .withTokenTtl(TOKEN_TTL)
                .withTokenMaxTtl(TOKEN_MAX_TTL)
                .withTokenBoundCidrs(BOUND_CIDR_LIST)
                .withTokenExplicitMaxTtl(TOKEN_EXPLICIT_MAX_TTL)
                .withTokenNoDefaultPolicy(TOKEN_NO_DEFAULT_POLICY)
                .withTokenNumUses(TOKEN_NUM_USES)
                .wit0hTokenPeriod(TOKEN_PERIOD)
                .withTokenType(TOKEN_TYPE)
                .build();
        assertThat(role.getName(), is(NAME));
        assertThat(role.getId(), is(ID));
        assertThat(role.getBindSecretId(), is(BIND_SECRET_ID));
        assertThat(role.getSecretIdBoundCidrs(), is(BOUND_CIDR_LIST));
        assertThat(role.getTokenPolicies(), is(POLICIES));
        assertThat(role.getPolicies(), is(role.getTokenPolicies()));
        assertThat(role.getSecretIdNumUses(), is(SECRET_ID_NUM_USES));
        assertThat(role.getSecretIdTtl(), is(SECRET_ID_TTL));
        assertThat(role.getEnableLocalSecretIds(), is(ENABLE_LOCAL_SECRET_IDS));
        assertThat(role.getTokenTtl(), is(TOKEN_TTL));
        assertThat(role.getTokenMaxTtl(), is(TOKEN_MAX_TTL));
        assertThat(role.getTokenBoundCidrs(), is(BOUND_CIDR_LIST));
        assertThat(role.getTokenExplicitMaxTtl(), is(TOKEN_EXPLICIT_MAX_TTL));
        assertThat(role.getTokenNoDefaultPolicy(), is(TOKEN_NO_DEFAULT_POLICY));
        assertThat(role.getTokenNumUses(), is(TOKEN_NUM_USES));
        assertThat(role.getTokenPeriod(), is(TOKEN_PERIOD));
        assertThat(role.getPeriod(), is(TOKEN_PERIOD));
        assertThat(role.getTokenType(), is(TOKEN_TYPE.value()));
        /* Verify that all parameters are included in JSON string */
        assertThat(new ObjectMapper().writeValueAsString(role), is(JSON_FULL));
    }
    /**
     * Test convenience methods
     */
    @Test
    void convenienceMethodsTest() {
        /* bind_secret_id */
        AppRole role = AppRole.builder(NAME).build();
        assertThat(role.getBindSecretId(), is(nullValue()));
        role = AppRole.builder(NAME).withBindSecretID().build();
        assertThat(role.getBindSecretId(), is(true));
        role = AppRole.builder(NAME).withoutBindSecretID().build();
        assertThat(role.getBindSecretId(), is(false));
        /* Add single CIDR subnet */
        role = AppRole.builder(NAME).withSecretBoundCidr(CIDR_2).withTokenBoundCidr(CIDR_2).build();
        assertThat(role.getSecretIdBoundCidrs(), hasSize(1));
        assertThat(role.getSecretIdBoundCidrs(), contains(CIDR_2));
        assertThat(role.getTokenBoundCidrs(), hasSize(1));
        assertThat(role.getTokenBoundCidrs(), contains(CIDR_2));
        role = AppRole.builder(NAME)
                .withSecretIdBoundCidrs(BOUND_CIDR_LIST)
                .withSecretBoundCidr(CIDR_2)
                .withTokenBoundCidrs(BOUND_CIDR_LIST)
                .withTokenBoundCidr(CIDR_2)
                .build();
        assertThat(role.getSecretIdBoundCidrs(), hasSize(2));
        assertThat(role.getSecretIdBoundCidrs(), contains(CIDR_1, CIDR_2));
        assertThat(role.getTokenBoundCidrs(), hasSize(2));
        assertThat(role.getSecretIdBoundCidrs(), contains(CIDR_1, CIDR_2));
        /* Add single policy */
        role = AppRole.builder(NAME).withTokenPolicy(POLICY_2).build();
        assertThat(role.getTokenPolicies(), hasSize(1));
        assertThat(role.getTokenPolicies(), contains(POLICY_2));
        assertThat(role.getPolicies(), is(role.getTokenPolicies()));
        role = AppRole.builder(NAME)
                .withTokenPolicies(POLICIES)
                .withTokenPolicy(POLICY_2)
                .build();
        assertThat(role.getTokenPolicies(), hasSize(2));
        assertThat(role.getTokenPolicies(), contains(POLICY, POLICY_2));
        assertThat(role.getPolicies(), is(role.getTokenPolicies()));
    }
    /**
     * Test convenience methods
     */
    @Test
    void legacyConvenienceMethodsTest() {
        /* bind_secret_id */
        AppRole role = new AppRoleBuilder(NAME).build();
        assertThat(role.getBindSecretId(), is(nullValue()));
        role = new AppRoleBuilder(NAME).withBindSecretID().build();
        assertThat(role.getBindSecretId(), is(true));
        role = new AppRoleBuilder(NAME).withoutBindSecretID().build();
        assertThat(role.getBindSecretId(), is(false));
        /* Add single CIDR subnet */
        role = new AppRoleBuilder(NAME).withSecretBoundCidr(CIDR_2).withTokenBoundCidr(CIDR_2).build();
        assertThat(role.getSecretIdBoundCidrs(), hasSize(1));
        assertThat(role.getSecretIdBoundCidrs(), contains(CIDR_2));
        assertThat(role.getTokenBoundCidrs(), hasSize(1));
        assertThat(role.getTokenBoundCidrs(), contains(CIDR_2));
        role = new AppRoleBuilder(NAME)
                .withSecretIdBoundCidrs(BOUND_CIDR_LIST)
                .withSecretBoundCidr(CIDR_2)
                .withTokenBoundCidrs(BOUND_CIDR_LIST)
                .withTokenBoundCidr(CIDR_2)
                .build();
        assertThat(role.getSecretIdBoundCidrs(), hasSize(2));
        assertThat(role.getSecretIdBoundCidrs(), contains(CIDR_1, CIDR_2));
        assertThat(role.getTokenBoundCidrs(), hasSize(2));
        assertThat(role.getSecretIdBoundCidrs(), contains(CIDR_1, CIDR_2));
        /* Add single policy */
        role = new AppRoleBuilder(NAME).withTokenPolicy(POLICY_2).build();
        assertThat(role.getTokenPolicies(), hasSize(1));
        assertThat(role.getTokenPolicies(), contains(POLICY_2));
        assertThat(role.getPolicies(), is(role.getTokenPolicies()));
        role = new AppRoleBuilder(NAME)
                .withTokenPolicies(POLICIES)
                .withTokenPolicy(POLICY_2)
                .build();
        assertThat(role.getTokenPolicies(), hasSize(2));
        assertThat(role.getTokenPolicies(), contains(POLICY, POLICY_2));
        assertThat(role.getPolicies(), is(role.getTokenPolicies()));
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/AppRoleSecretTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/AppRoleSecretTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,18 +16,13 @@
 package de.stklcode.jvault.connector.model;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.junit.jupiter.api.Test;
 import java.lang.reflect.Field;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.*;
 import static org.hamcrest.Matchers.*;
 import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.junit.jupiter.api.Assumptions.assumeTrue;
@ -37,15 +32,21 @@ import static org.junit.jupiter.api.Assumptions.assumeTrue;
 * @author Stefan Kalscheuer
 * @since 0.5.0
 */
-class AppRoleSecretTest {
+class AppRoleSecretTest extends AbstractModelTest<AppRoleSecret> {
    private static final String TEST_ID = "abc123";
-    private static final Map<String, Object> TEST_META = new HashMap<>();
+    private static final Map<String, Object> TEST_META = Map.of(
-    private static final List<String> TEST_CIDR = Arrays.asList("203.0.113.0/24", "198.51.100.0/24");
+            "foo", "bar",
            "number", 1337
    );
    private static final List<String> TEST_CIDR = List.of("203.0.113.0/24", "198.51.100.0/24");
-    static {
+    AppRoleSecretTest() {
-        TEST_META.put("foo", "bar");
+        super(AppRoleSecret.class);
-        TEST_META.put("number", 1337);
+    }
    @Override
    protected AppRoleSecret createFull() {
        return new AppRoleSecret(TEST_ID, TEST_META, TEST_CIDR);
    }
    /**
@ -53,44 +54,44 @@ class AppRoleSecretTest {
     */
    @Test
    void constructorTest() {
-        /* Empty constructor */
+        // Empty constructor.
        AppRoleSecret secret = new AppRoleSecret();
-        assertThat(secret.getId(), is(nullValue()));
+        assertNull(secret.getId());
-        assertThat(secret.getAccessor(), is(nullValue()));
+        assertNull(secret.getAccessor());
-        assertThat(secret.getMetadata(), is(nullValue()));
+        assertNull(secret.getMetadata());
-        assertThat(secret.getCidrList(), is(nullValue()));
+        assertNull(secret.getCidrList());
-        assertThat(secret.getCidrListString(), is(emptyString()));
+        assertEquals("", secret.getCidrListString());
-        assertThat(secret.getCreationTime(), is(nullValue()));
+        assertNull(secret.getCreationTime());
-        assertThat(secret.getExpirationTime(), is(nullValue()));
+        assertNull(secret.getExpirationTime());
-        assertThat(secret.getLastUpdatedTime(), is(nullValue()));
+        assertNull(secret.getLastUpdatedTime());
-        assertThat(secret.getNumUses(), is(nullValue()));
+        assertNull(secret.getNumUses());
-        assertThat(secret.getTtl(), is(nullValue()));
+        assertNull(secret.getTtl());
-        /* Constructor with ID */
+        // Constructor with ID.
        secret = new AppRoleSecret(TEST_ID);
-        assertThat(secret.getId(), is(TEST_ID));
+        assertEquals(TEST_ID, secret.getId());
-        assertThat(secret.getAccessor(), is(nullValue()));
+        assertNull(secret.getAccessor());
-        assertThat(secret.getMetadata(), is(nullValue()));
+        assertNull(secret.getMetadata());
-        assertThat(secret.getCidrList(), is(nullValue()));
+        assertNull(secret.getCidrList());
-        assertThat(secret.getCidrListString(), is(emptyString()));
+        assertEquals("", secret.getCidrListString());
-        assertThat(secret.getCreationTime(), is(nullValue()));
+        assertNull(secret.getCreationTime());
-        assertThat(secret.getExpirationTime(), is(nullValue()));
+        assertNull(secret.getExpirationTime());
-        assertThat(secret.getLastUpdatedTime(), is(nullValue()));
+        assertNull(secret.getLastUpdatedTime());
-        assertThat(secret.getNumUses(), is(nullValue()));
+        assertNull(secret.getNumUses());
-        assertThat(secret.getTtl(), is(nullValue()));
+        assertNull(secret.getTtl());
-        /* Constructor with Metadata and CIDR bindings */
+        // Constructor with Metadata and CIDR bindings.
        secret = new AppRoleSecret(TEST_ID, TEST_META, TEST_CIDR);
-        assertThat(secret.getId(), is(TEST_ID));
+        assertEquals(TEST_ID, secret.getId());
-        assertThat(secret.getAccessor(), is(nullValue()));
+        assertNull(secret.getAccessor());
-        assertThat(secret.getMetadata(), is(TEST_META));
+        assertEquals(TEST_META, secret.getMetadata());
-        assertThat(secret.getCidrList(), is(TEST_CIDR));
+        assertEquals(TEST_CIDR, secret.getCidrList());
-        assertThat(secret.getCidrListString(), is(String.join(",", TEST_CIDR)));
+        assertEquals(String.join(",", TEST_CIDR), secret.getCidrListString());
-        assertThat(secret.getCreationTime(), is(nullValue()));
+        assertNull(secret.getCreationTime());
-        assertThat(secret.getExpirationTime(), is(nullValue()));
+        assertNull(secret.getExpirationTime());
-        assertThat(secret.getLastUpdatedTime(), is(nullValue()));
+        assertNull(secret.getLastUpdatedTime());
-        assertThat(secret.getNumUses(), is(nullValue()));
+        assertNull(secret.getNumUses());
-        assertThat(secret.getTtl(), is(nullValue()));
+        assertNull(secret.getTtl());
    }
    /**
@ -99,14 +100,14 @@ class AppRoleSecretTest {
    @Test
    void setterTest() {
        AppRoleSecret secret = new AppRoleSecret(TEST_ID);
-        assertThat(secret.getCidrList(), is(nullValue()));
+        assertNull(secret.getCidrList());
-        assertThat(secret.getCidrListString(), is(emptyString()));
+        assertEquals("", secret.getCidrListString());
        secret.setCidrList(TEST_CIDR);
-        assertThat(secret.getCidrList(), is(TEST_CIDR));
+        assertEquals(TEST_CIDR, secret.getCidrList());
-        assertThat(secret.getCidrListString(), is(String.join(",", TEST_CIDR)));
+        assertEquals(String.join(",", TEST_CIDR), secret.getCidrListString());
        secret.setCidrList(null);
-        assertThat(secret.getCidrList(), is(nullValue()));
+        assertNull(secret.getCidrList());
-        assertThat(secret.getCidrListString(), is(emptyString()));
+        assertEquals("", secret.getCidrListString());
    }
    /**
@ -114,23 +115,21 @@ class AppRoleSecretTest {
     */
    @Test
    void jsonTest() throws NoSuchFieldException, IllegalAccessException {
-        ObjectMapper mapper = new ObjectMapper();
+        // A simple roundtrip first. All set fields should be present afterward.
        /* A simple roundtrip first. All set fields should be present afterwards. */
        AppRoleSecret secret = new AppRoleSecret(TEST_ID, TEST_META, TEST_CIDR);
-        String secretJson = assertDoesNotThrow(() -> mapper.writeValueAsString(secret), "Serialization failed");
+        String secretJson = assertDoesNotThrow(() -> objectMapper.writeValueAsString(secret), "Serialization failed");
-        /* CIDR list is comma-separated when used as input, but List otherwise, hence convert string to list */
+        // CIDR list is comma-separated when used as input, but List otherwise, hence convert string to list.
        String secretJson2 = commaSeparatedToList(secretJson);
        AppRoleSecret secret2 = assertDoesNotThrow(
-                () -> mapper.readValue(secretJson2, AppRoleSecret.class),
+                () -> objectMapper.readValue(secretJson2, AppRoleSecret.class),
                "Deserialization failed"
        );
-        assertThat(secret.getId(), is(secret2.getId()));
+        assertEquals(secret2.getId(), secret.getId());
-        assertThat(secret.getMetadata(), is(secret2.getMetadata()));
+        assertEquals(secret2.getMetadata(), secret.getMetadata());
-        assertThat(secret.getCidrList(), is(secret2.getCidrList()));
+        assertEquals(secret2.getCidrList(), secret.getCidrList());
-        /* Test fields, that should not be written to JSON */
+        // Test fields, that should not be written to JSON.
        setPrivateField(secret, "accessor", "TEST_ACCESSOR");
        assumeTrue("TEST_ACCESSOR".equals(secret.getAccessor()));
        setPrivateField(secret, "creationTime", "TEST_CREATION");
@ -143,47 +142,45 @@ class AppRoleSecretTest {
        assumeTrue(secret.getNumUses() == 678);
        setPrivateField(secret, "ttl", 12345);
        assumeTrue(secret.getTtl() == 12345);
-        String secretJson3 = assertDoesNotThrow(() -> mapper.writeValueAsString(secret), "Serialization failed");
+        String secretJson3 = assertDoesNotThrow(() -> objectMapper.writeValueAsString(secret), "Serialization failed");
        secret2 = assertDoesNotThrow(
-                () -> mapper.readValue(commaSeparatedToList(secretJson3), AppRoleSecret.class),
+                () -> objectMapper.readValue(commaSeparatedToList(secretJson3), AppRoleSecret.class),
                "Deserialization failed"
        );
-        assertThat(secret.getId(), is(secret2.getId()));
+        assertEquals(secret2.getId(), secret.getId());
-        assertThat(secret.getMetadata(), is(secret2.getMetadata()));
+        assertEquals(secret2.getMetadata(), secret.getMetadata());
-        assertThat(secret.getCidrList(), is(secret2.getCidrList()));
+        assertEquals(secret2.getCidrList(), secret.getCidrList());
-        assertThat(secret2.getAccessor(), is(nullValue()));
+        assertNull(secret2.getAccessor());
-        assertThat(secret2.getCreationTime(), is(nullValue()));
+        assertNull(secret2.getCreationTime());
-        assertThat(secret2.getExpirationTime(), is(nullValue()));
+        assertNull(secret2.getExpirationTime());
-        assertThat(secret2.getLastUpdatedTime(), is(nullValue()));
+        assertNull(secret2.getLastUpdatedTime());
-        assertThat(secret2.getNumUses(), is(nullValue()));
+        assertNull(secret2.getNumUses());
-        assertThat(secret2.getTtl(), is(nullValue()));
+        assertNull(secret2.getTtl());
-        /* Those fields should be deserialized from JSON though */
+        // Those fields should be deserialized from JSON though.
        String secretJson4 = "{\"secret_id\":\"abc123\",\"metadata\":{\"number\":1337,\"foo\":\"bar\"}," +
                "\"cidr_list\":[\"203.0.113.0/24\",\"198.51.100.0/24\"],\"secret_id_accessor\":\"TEST_ACCESSOR\"," +
                "\"creation_time\":\"TEST_CREATION\",\"expiration_time\":\"TEST_EXPIRATION\"," +
                "\"last_updated_time\":\"TEST_LASTUPDATE\",\"secret_id_num_uses\":678,\"secret_id_ttl\":12345}";
-        secret2 = assertDoesNotThrow(() -> mapper.readValue(secretJson4, AppRoleSecret.class), "Deserialization failed");
+        secret2 = assertDoesNotThrow(() -> objectMapper.readValue(secretJson4, AppRoleSecret.class), "Deserialization failed");
-        assertThat(secret2.getAccessor(), is("TEST_ACCESSOR"));
+        assertEquals("TEST_ACCESSOR", secret2.getAccessor());
-        assertThat(secret2.getCreationTime(), is("TEST_CREATION"));
+        assertEquals("TEST_CREATION", secret2.getCreationTime());
-        assertThat(secret2.getExpirationTime(), is("TEST_EXPIRATION"));
+        assertEquals("TEST_EXPIRATION", secret2.getExpirationTime());
-        assertThat(secret2.getLastUpdatedTime(), is("TEST_LASTUPDATE"));
+        assertEquals("TEST_LASTUPDATE", secret2.getLastUpdatedTime());
-        assertThat(secret2.getNumUses(), is(678));
+        assertEquals(678, secret2.getNumUses());
-        assertThat(secret2.getTtl(), is(12345));
+        assertEquals(12345, secret2.getTtl());
    }
    private static void setPrivateField(Object object, String fieldName, Object value) throws NoSuchFieldException, IllegalAccessException {
        Field field = object.getClass().getDeclaredField(fieldName);
-        boolean accessible = field.isAccessible();
+        boolean accessible = field.canAccess(object);
        field.setAccessible(true);
        field.set(object, value);
        field.setAccessible(accessible);
    }
    private static String commaSeparatedToList(String json) {
-        return json.replaceAll("\"cidr_list\":\"([^\"]*)\"", "\"cidr_list\":\\[$1\\]")
+        return json.replaceAll("\"cidr_list\":\"([^\"]*)\"", "\"cidr_list\":[$1]")
                .replaceAll("(\\d+\\.\\d+\\.\\d+\\.\\d+/\\d+)", "\"$1\"");
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/AppRoleTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/AppRoleTest.java
@ -0,0 +1,183 @@
 /*
 * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package de.stklcode.jvault.connector.model;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 import java.util.ArrayList;
 import java.util.List;
 import static org.junit.jupiter.api.Assertions.*;
 /**
 * JUnit Test for {@link AppRole} and {@link AppRole.Builder}.
 *
 * @author Stefan Kalscheuer
 * @since 0.4.0
 */
 class AppRoleTest extends AbstractModelTest<AppRole> {
    private static final String NAME = "TestRole";
    private static final String ID = "test-id";
    private static final Boolean BIND_SECRET_ID = true;
    private static final List<String> BOUND_CIDR_LIST = new ArrayList<>();
    private static final String CIDR_1 = "192.168.1.0/24";
    private static final String CIDR_2 = "172.16.0.0/16";
    private static final List<String> POLICIES = new ArrayList<>();
    private static final String POLICY = "policy";
    private static final String POLICY_2 = "policy2";
    private static final Integer SECRET_ID_NUM_USES = 10;
    private static final Integer SECRET_ID_TTL = 7200;
    private static final Boolean LOCAL_SECRET_IDS = false;
    private static final Integer TOKEN_TTL = 4800;
    private static final Integer TOKEN_MAX_TTL = 9600;
    private static final Integer TOKEN_EXPLICIT_MAX_TTL = 14400;
    private static final Boolean TOKEN_NO_DEFAULT_POLICY = false;
    private static final Integer TOKEN_NUM_USES = 42;
    private static final Integer TOKEN_PERIOD = 1234;
    private static final Token.Type TOKEN_TYPE = Token.Type.DEFAULT_SERVICE;
    private static final String JSON_MIN = "{\"role_name\":\"" + NAME + "\"}";
    private static final String JSON_FULL = String.format("{\"role_name\":\"%s\",\"role_id\":\"%s\",\"bind_secret_id\":%s,\"secret_id_bound_cidrs\":\"%s\",\"secret_id_num_uses\":%d,\"secret_id_ttl\":%d,\"local_secret_ids\":%s,\"token_ttl\":%d,\"token_max_ttl\":%d,\"token_policies\":\"%s\",\"token_bound_cidrs\":\"%s\",\"token_explicit_max_ttl\":%d,\"token_no_default_policy\":%s,\"token_num_uses\":%d,\"token_period\":%d,\"token_type\":\"%s\"}",
            NAME, ID, BIND_SECRET_ID, CIDR_1, SECRET_ID_NUM_USES, SECRET_ID_TTL, LOCAL_SECRET_IDS, TOKEN_TTL, TOKEN_MAX_TTL, POLICY, CIDR_1, TOKEN_EXPLICIT_MAX_TTL, TOKEN_NO_DEFAULT_POLICY, TOKEN_NUM_USES, TOKEN_PERIOD, TOKEN_TYPE.value());
    AppRoleTest() {
        super(AppRole.class);
    }
    @Override
    protected AppRole createFull() {
        return AppRole.builder(NAME)
                .withId(ID)
                .withBindSecretID(BIND_SECRET_ID)
                .withSecretIdBoundCidrs(BOUND_CIDR_LIST)
                .withTokenPolicies(POLICIES)
                .withSecretIdNumUses(SECRET_ID_NUM_USES)
                .withSecretIdTtl(SECRET_ID_TTL)
                .withLocalSecretIds(LOCAL_SECRET_IDS)
                .withTokenTtl(TOKEN_TTL)
                .withTokenMaxTtl(TOKEN_MAX_TTL)
                .withTokenBoundCidrs(BOUND_CIDR_LIST)
                .withTokenExplicitMaxTtl(TOKEN_EXPLICIT_MAX_TTL)
                .withTokenNoDefaultPolicy(TOKEN_NO_DEFAULT_POLICY)
                .withTokenNumUses(TOKEN_NUM_USES)
                .withTokenPeriod(TOKEN_PERIOD)
                .withTokenType(TOKEN_TYPE)
                .build();
    }
    @BeforeAll
    static void init() {
        BOUND_CIDR_LIST.add(CIDR_1);
        POLICIES.add(POLICY);
    }
    /**
     * Build role with only a name.
     */
    @Test
    void buildDefaultTest() throws JsonProcessingException {
        AppRole role = AppRole.builder(NAME).build();
        assertNull(role.getId());
        assertNull(role.getBindSecretId());
        assertNull(role.getSecretIdBoundCidrs());
        assertNull(role.getTokenPolicies());
        assertNull(role.getSecretIdNumUses());
        assertNull(role.getSecretIdTtl());
        assertNull(role.getLocalSecretIds());
        assertNull(role.getTokenTtl());
        assertNull(role.getTokenMaxTtl());
        assertNull(role.getTokenBoundCidrs());
        assertNull(role.getTokenExplicitMaxTtl());
        assertNull(role.getTokenNoDefaultPolicy());
        assertNull(role.getTokenNumUses());
        assertNull(role.getTokenPeriod());
        assertNull(role.getTokenType());
        // Optional fields should be ignored, so JSON string should only contain role_name.
        assertEquals(JSON_MIN, objectMapper.writeValueAsString(role));
    }
    /**
     * Build token without all parameters set.
     */
    @Test
    void buildFullTest() throws JsonProcessingException {
        AppRole role = createFull();
        assertEquals(NAME, role.getName());
        assertEquals(ID, role.getId());
        assertEquals(BIND_SECRET_ID, role.getBindSecretId());
        assertEquals(BOUND_CIDR_LIST, role.getSecretIdBoundCidrs());
        assertEquals(POLICIES, role.getTokenPolicies());
        assertEquals(SECRET_ID_NUM_USES, role.getSecretIdNumUses());
        assertEquals(SECRET_ID_TTL, role.getSecretIdTtl());
        assertEquals(LOCAL_SECRET_IDS, role.getLocalSecretIds());
        assertEquals(TOKEN_TTL, role.getTokenTtl());
        assertEquals(TOKEN_MAX_TTL, role.getTokenMaxTtl());
        assertEquals(BOUND_CIDR_LIST, role.getTokenBoundCidrs());
        assertEquals(TOKEN_EXPLICIT_MAX_TTL, role.getTokenExplicitMaxTtl());
        assertEquals(TOKEN_NO_DEFAULT_POLICY, role.getTokenNoDefaultPolicy());
        assertEquals(TOKEN_NUM_USES, role.getTokenNumUses());
        assertEquals(TOKEN_PERIOD, role.getTokenPeriod());
        assertEquals(TOKEN_TYPE.value(), role.getTokenType());
        // Verify that all parameters are included in JSON string.
        assertEquals(JSON_FULL, objectMapper.writeValueAsString(role));
    }
    /**
     * Test convenience methods
     */
    @Test
    void convenienceMethodsTest() {
        // bind_secret_id.
        AppRole role = AppRole.builder(NAME).build();
        assertNull(role.getBindSecretId());
        role = AppRole.builder(NAME).withBindSecretID().build();
        assertEquals(true, role.getBindSecretId());
        role = AppRole.builder(NAME).withoutBindSecretID().build();
        assertEquals(false, role.getBindSecretId());
        // Add single CIDR subnet.
        role = AppRole.builder(NAME).withSecretBoundCidr(CIDR_2).withTokenBoundCidr(CIDR_2).build();
        assertEquals(1, role.getSecretIdBoundCidrs().size());
        assertEquals(CIDR_2, role.getSecretIdBoundCidrs().get(0));
        assertEquals(1, role.getTokenBoundCidrs().size());
        assertEquals(CIDR_2, role.getTokenBoundCidrs().get(0));
        role = AppRole.builder(NAME)
                .withSecretIdBoundCidrs(BOUND_CIDR_LIST)
                .withSecretBoundCidr(CIDR_2)
                .withTokenBoundCidrs(BOUND_CIDR_LIST)
                .withTokenBoundCidr(CIDR_2)
                .build();
        assertEquals(2, role.getSecretIdBoundCidrs().size());
        assertTrue(role.getSecretIdBoundCidrs().containsAll(List.of(CIDR_1, CIDR_2)));
        assertEquals(2, role.getTokenBoundCidrs().size());
        assertTrue(role.getSecretIdBoundCidrs().containsAll(List.of(CIDR_1, CIDR_2)));
        // Add single policy.
        role = AppRole.builder(NAME).withTokenPolicy(POLICY_2).build();
        assertEquals(1, role.getTokenPolicies().size());
        assertEquals(POLICY_2, role.getTokenPolicies().get(0));
        role = AppRole.builder(NAME)
                .withTokenPolicies(POLICIES)
                .withTokenPolicy(POLICY_2)
                .build();
        assertEquals(2, role.getTokenPolicies().size());
        assertTrue(role.getTokenPolicies().containsAll(List.of(POLICY, POLICY_2)));
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/AuthBackendTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/AuthBackendTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -18,8 +18,8 @@ package de.stklcode.jvault.connector.model;
 import org.junit.jupiter.api.Test;
-import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.hamcrest.Matchers.is;
+
 /**
 * JUnit Test for AuthBackend model.
@ -34,12 +34,10 @@ class AuthBackendTest {
     */
    @Test
    void forTypeTest() {
-        assertThat(AuthBackend.forType("token"), is(AuthBackend.TOKEN));
+        assertEquals(AuthBackend.TOKEN, AuthBackend.forType("token"));
-        assertThat(AuthBackend.forType("app-id"), is(AuthBackend.APPID));
+        assertEquals(AuthBackend.USERPASS, AuthBackend.forType("userpass"));
-        assertThat(AuthBackend.forType("userpass"), is(AuthBackend.USERPASS));
+        assertEquals(AuthBackend.GITHUB, AuthBackend.forType("github"));
-        assertThat(AuthBackend.forType("github"), is(AuthBackend.GITHUB));
+        assertEquals(AuthBackend.UNKNOWN, AuthBackend.forType(""));
-        assertThat(AuthBackend.forType(""), is(AuthBackend.UNKNOWN));
+        assertEquals(AuthBackend.UNKNOWN, AuthBackend.forType("foobar"));
        assertThat(AuthBackend.forType("foobar"), is(AuthBackend.UNKNOWN));
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/TokenBuilderTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/TokenBuilderTest.java
@ -1,276 +0,0 @@
 /*
 * Copyright 2016-2021 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package de.stklcode.jvault.connector.model;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.*;
 /**
 * JUnit Test for Token Builder.
 *
 * @author Stefan Kalscheuer
 * @since 0.4.0
 */
 class TokenBuilderTest {
    private static final String ID = "test-id";
    private static final String DISPLAY_NAME = "display-name";
    private static final Boolean NO_PARENT = false;
    private static final Boolean NO_DEFAULT_POLICY = false;
    private static final Integer TTL = 123;
    private static final Integer EXPLICIT_MAX_TTL = 456;
    private static final Integer NUM_USES = 4;
    private static final List<String> POLICIES = new ArrayList<>();
    private static final String POLICY = "policy";
    private static final String POLICY_2 = "policy2";
    private static final String POLICY_3 = "policy3";
    private static final Map<String, String> META = new HashMap<>();
    private static final String META_KEY = "key";
    private static final String META_VALUE = "value";
    private static final String META_KEY_2 = "key2";
    private static final String META_VALUE_2 = "value2";
    private static final Boolean RENEWABLE = true;
    private static final Integer PERIOD = 3600;
    private static final String ENTITY_ALIAS = "alias-value";
    private static final String LEGACY_JSON_FULL = "{\"id\":\"test-id\",\"type\":\"service\",\"display_name\":\"display-name\",\"no_parent\":false,\"no_default_policy\":false,\"ttl\":123,\"num_uses\":4,\"policies\":[\"policy\"],\"meta\":{\"key\":\"value\"},\"renewable\":true}";
    private static final String JSON_FULL = "{\"id\":\"test-id\",\"type\":\"service\",\"display_name\":\"display-name\",\"no_parent\":false,\"no_default_policy\":false,\"ttl\":123,\"explicit_max_ttl\":456,\"num_uses\":4,\"policies\":[\"policy\"],\"meta\":{\"key\":\"value\"},\"renewable\":true,\"period\":3600,\"entity_alias\":\"alias-value\"}";
    @BeforeAll
    static void init() {
        POLICIES.add(POLICY);
        META.put(META_KEY, META_VALUE);
    }
    /**
     * Build token without any parameters.
     */
    @Test
    void buildDefaultTest() throws JsonProcessingException {
        Token token = Token.builder().build();
        assertThat(token.getId(), is(nullValue()));
        assertThat(token.getType(), is(nullValue()));
        assertThat(token.getDisplayName(), is(nullValue()));
        assertThat(token.getNoParent(), is(nullValue()));
        assertThat(token.getNoDefaultPolicy(), is(nullValue()));
        assertThat(token.getTtl(), is(nullValue()));
        assertThat(token.getExplicitMaxTtl(), is(nullValue()));
        assertThat(token.getNumUses(), is(nullValue()));
        assertThat(token.getPolicies(), is(nullValue()));
        assertThat(token.getMeta(), is(nullValue()));
        assertThat(token.isRenewable(), is(nullValue()));
        assertThat(token.getPeriod(), is(nullValue()));
        assertThat(token.getEntityAlias(), is(nullValue()));
        /* optional fields should be ignored, so JSON string should be empty */
        assertThat(new ObjectMapper().writeValueAsString(token), is("{}"));
    }
    /**
     * Build token without any parameters.
     */
    @Test
    void legacyBuildDefaultTest() throws JsonProcessingException {
        Token token = new TokenBuilder().build();
        assertThat(token.getId(), is(nullValue()));
        assertThat(token.getType(), is(nullValue()));
        assertThat(token.getDisplayName(), is(nullValue()));
        assertThat(token.getNoParent(), is(nullValue()));
        assertThat(token.getNoDefaultPolicy(), is(nullValue()));
        assertThat(token.getTtl(), is(nullValue()));
        assertThat(token.getNumUses(), is(nullValue()));
        assertThat(token.getPolicies(), is(nullValue()));
        assertThat(token.getMeta(), is(nullValue()));
        assertThat(token.isRenewable(), is(nullValue()));
        /* optional fields should be ignored, so JSON string should be empty */
        assertThat(new ObjectMapper().writeValueAsString(token), is("{}"));
    }
    /**
     * Build token without all parameters set.
     */
    @Test
    void buildFullTest() throws JsonProcessingException {
        Token token = Token.builder()
                .withId(ID)
                .withType(Token.Type.SERVICE)
                .withDisplayName(DISPLAY_NAME)
                .withNoParent(NO_PARENT)
                .withNoDefaultPolicy(NO_DEFAULT_POLICY)
                .withTtl(TTL)
                .withExplicitMaxTtl(EXPLICIT_MAX_TTL)
                .withNumUses(NUM_USES)
                .withPolicies(POLICIES)
                .withMeta(META)
                .withRenewable(RENEWABLE)
                .withPeriod(PERIOD)
                .withEntityAlias(ENTITY_ALIAS)
                .build();
        assertThat(token.getId(), is(ID));
        assertThat(token.getType(), is(Token.Type.SERVICE.value()));
        assertThat(token.getDisplayName(), is(DISPLAY_NAME));
        assertThat(token.getNoParent(), is(NO_PARENT));
        assertThat(token.getNoDefaultPolicy(), is(NO_DEFAULT_POLICY));
        assertThat(token.getTtl(), is(TTL));
        assertThat(token.getExplicitMaxTtl(), is(EXPLICIT_MAX_TTL));
        assertThat(token.getNumUses(), is(NUM_USES));
        assertThat(token.getPolicies(), is(POLICIES));
        assertThat(token.getMeta(), is(META));
        assertThat(token.isRenewable(), is(RENEWABLE));
        assertThat(token.getPeriod(), is(PERIOD));
        /* Verify that all parameters are included in JSON string */
        assertThat(new ObjectMapper().writeValueAsString(token), is(JSON_FULL));
    }
    /**
     * Build token without all parameters set.
     */
    @Test
    void legacyBuildFullTest() throws JsonProcessingException {
        Token token = new TokenBuilder()
                .withId(ID)
                .withType(Token.Type.SERVICE)
                .withDisplayName(DISPLAY_NAME)
                .withNoParent(NO_PARENT)
                .withNoDefaultPolicy(NO_DEFAULT_POLICY)
                .withTtl(TTL)
                .withNumUses(NUM_USES)
                .withPolicies(POLICIES)
                .withMeta(META)
                .withRenewable(RENEWABLE)
                .build();
        assertThat(token.getId(), is(ID));
        assertThat(token.getType(), is(Token.Type.SERVICE.value()));
        assertThat(token.getDisplayName(), is(DISPLAY_NAME));
        assertThat(token.getNoParent(), is(NO_PARENT));
        assertThat(token.getNoDefaultPolicy(), is(NO_DEFAULT_POLICY));
        assertThat(token.getTtl(), is(TTL));
        assertThat(token.getNumUses(), is(NUM_USES));
        assertThat(token.getPolicies(), is(POLICIES));
        assertThat(token.getMeta(), is(META));
        assertThat(token.isRenewable(), is(RENEWABLE));
        /* Verify that all parameters are included in JSON string */
        assertThat(new ObjectMapper().writeValueAsString(token), is(LEGACY_JSON_FULL));
    }
    /**
     * Test convenience methods
     */
    @Test
    void convenienceMethodsTest() {
        /* Parent */
        Token token = Token.builder().asOrphan().build();
        assertThat(token.getNoParent(), is(true));
        token = Token.builder().withParent().build();
        assertThat(token.getNoParent(), is(false));
        /* Default policy */
        token = Token.builder().withDefaultPolicy().build();
        assertThat(token.getNoDefaultPolicy(), is(false));
        token = Token.builder().withoutDefaultPolicy().build();
        assertThat(token.getNoDefaultPolicy(), is(true));
        /* Renewability */
        token = Token.builder().renewable().build();
        assertThat(token.isRenewable(), is(true));
        token = Token.builder().notRenewable().build();
        assertThat(token.isRenewable(), is(false));
        /* Add single policy */
        token = Token.builder().withPolicy(POLICY_2).build();
        assertThat(token.getPolicies(), hasSize(1));
        assertThat(token.getPolicies(), contains(POLICY_2));
        token = Token.builder()
                .withPolicies(POLICY, POLICY_2)
                .withPolicy(POLICY_3)
                .build();
        assertThat(token.getPolicies(), hasSize(3));
        assertThat(token.getPolicies(), contains(POLICY, POLICY_2, POLICY_3));
        /* Add single metadata */
        token = Token.builder().withMeta(META_KEY_2, META_VALUE_2).build();
        assertThat(token.getMeta().size(), is(1));
        assertThat(token.getMeta().keySet(), contains(META_KEY_2));
        assertThat(token.getMeta().get(META_KEY_2), is(META_VALUE_2));
        token = Token.builder()
                .withMeta(META)
                .withMeta(META_KEY_2, META_VALUE_2)
                .build();
        assertThat(token.getMeta().size(), is(2));
        assertThat(token.getMeta().get(META_KEY), is(META_VALUE));
        assertThat(token.getMeta().get(META_KEY_2), is(META_VALUE_2));
    }
    /**
     * Test convenience methods
     */
    @Test
    void legacyConvenienceMethodsTest() {
        /* Parent */
        Token token = new TokenBuilder().asOrphan().build();
        assertThat(token.getNoParent(), is(true));
        token = new TokenBuilder().withParent().build();
        assertThat(token.getNoParent(), is(false));
        /* Default policy */
        token = new TokenBuilder().withDefaultPolicy().build();
        assertThat(token.getNoDefaultPolicy(), is(false));
        token = new TokenBuilder().withoutDefaultPolicy().build();
        assertThat(token.getNoDefaultPolicy(), is(true));
        /* Renewability */
        token = new TokenBuilder().renewable().build();
        assertThat(token.isRenewable(), is(true));
        token = new TokenBuilder().notRenewable().build();
        assertThat(token.isRenewable(), is(false));
        /* Add single policy */
        token = new TokenBuilder().withPolicy(POLICY_2).build();
        assertThat(token.getPolicies(), hasSize(1));
        assertThat(token.getPolicies(), contains(POLICY_2));
        token = new TokenBuilder()
                .withPolicies(POLICY, POLICY_2)
                .withPolicy(POLICY_3)
                .build();
        assertThat(token.getPolicies(), hasSize(3));
        assertThat(token.getPolicies(), contains(POLICY, POLICY_2, POLICY_3));
        /* Add single metadata */
        token = new TokenBuilder().withMeta(META_KEY_2, META_VALUE_2).build();
        assertThat(token.getMeta().size(), is(1));
        assertThat(token.getMeta().keySet(), contains(META_KEY_2));
        assertThat(token.getMeta().get(META_KEY_2), is(META_VALUE_2));
        token = new TokenBuilder()
                .withMeta(META)
                .withMeta(META_KEY_2, META_VALUE_2)
                .build();
        assertThat(token.getMeta().size(), is(2));
        assertThat(token.getMeta().get(META_KEY), is(META_VALUE));
        assertThat(token.getMeta().get(META_KEY_2), is(META_VALUE_2));
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/TokenRoleBuilderTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/TokenRoleBuilderTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,31 +17,37 @@
 package de.stklcode.jvault.connector.model;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.junit.jupiter.api.Test;
 import java.util.Arrays;
 import java.util.List;
-import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.*;
 import static org.hamcrest.Matchers.*;
 /**
- * Unit Test for {@link Token.Builder}
+ * Unit Test for {@link TokenRole} and {@link TokenRole.Builder}.
 *
 * @author Stefan Kalscheuer
 * @since 0.9
 */
-class TokenRoleBuilderTest {
+class TokenRoleTest extends AbstractModelTest<TokenRole> {
    private static final String NAME = "test-role";
    private static final String ALLOWED_POLICY_1 = "apol-1";
    private static final String ALLOWED_POLICY_2 = "apol-2";
    private static final String ALLOWED_POLICY_3 = "apol-3";
    private static final List<String> ALLOWED_POLICIES = Arrays.asList(ALLOWED_POLICY_1, ALLOWED_POLICY_2);
    private static final String ALLOWED_POLICY_GLOB_1 = "apol-g1*";
    private static final String ALLOWED_POLICY_GLOB_2 = "apol-g2*";
    private static final String ALLOWED_POLICY_GLOB_3 = "apol-g3*";
    private static final List<String> ALLOWED_POLICIES_GLOB = Arrays.asList(ALLOWED_POLICY_GLOB_2, ALLOWED_POLICY_GLOB_3);
    private static final String DISALLOWED_POLICY_1 = "dpol-1";
    private static final String DISALLOWED_POLICY_2 = "dpol-2";
    private static final String DISALLOWED_POLICY_3 = "dpol-3";
    private static final List<String> DISALLOWED_POLICIES = Arrays.asList(DISALLOWED_POLICY_2, DISALLOWED_POLICY_3);
    private static final String DISALLOWED_POLICY_GLOB_1 = "dpol-g1*";
    private static final String DISALLOWED_POLICY_GLOB_2 = "dpol-g2*";
    private static final String DISALLOWED_POLICY_GLOB_3 = "dpol-g3*";
    private static final List<String> DISALLOWED_POLICIES_GLOB = Arrays.asList(DISALLOWED_POLICY_GLOB_1, DISALLOWED_POLICY_GLOB_2);
    private static final Boolean ORPHAN = false;
    private static final Boolean RENEWABLE = true;
    private static final String PATH_SUFFIX = "ps";
@ -62,7 +68,9 @@ class TokenRoleBuilderTest {
    private static final String JSON_FULL = "{" +
            "\"name\":\"" + NAME + "\"," +
            "\"allowed_policies\":[\"" + ALLOWED_POLICY_1 + "\",\"" + ALLOWED_POLICY_2 + "\",\"" + ALLOWED_POLICY_3 + "\"]," +
            "\"allowed_policies_glob\":[\"" + ALLOWED_POLICY_GLOB_1 + "\",\"" + ALLOWED_POLICY_GLOB_2 + "\",\"" + ALLOWED_POLICY_GLOB_3 + "\"]," +
            "\"disallowed_policies\":[\"" + DISALLOWED_POLICY_1 + "\",\"" + DISALLOWED_POLICY_2 + "\",\"" + DISALLOWED_POLICY_3 + "\"]," +
            "\"disallowed_policies_glob\":[\"" + DISALLOWED_POLICY_GLOB_1 + "\",\"" + DISALLOWED_POLICY_GLOB_2 + "\",\"" + DISALLOWED_POLICY_GLOB_3 + "\"]," +
            "\"orphan\":" + ORPHAN + "," +
            "\"renewable\":" + RENEWABLE + "," +
            "\"path_suffix\":\"" + PATH_SUFFIX + "\"," +
@ -74,26 +82,57 @@ class TokenRoleBuilderTest {
            "\"token_period\":" + TOKEN_PERIOD + "," +
            "\"token_type\":\"" + TOKEN_TYPE.value() + "\"}";
    TokenRoleTest() {
        super(TokenRole.class);
    }
    @Override
    protected TokenRole createFull() {
        return TokenRole.builder()
                .forName(NAME)
                .withAllowedPolicies(ALLOWED_POLICIES)
                .withAllowedPolicy(ALLOWED_POLICY_3)
                .withAllowedPolicyGlob(ALLOWED_POLICY_GLOB_1)
                .withAllowedPoliciesGlob(ALLOWED_POLICIES_GLOB)
                .withDisallowedPolicy(DISALLOWED_POLICY_1)
                .withDisallowedPolicies(DISALLOWED_POLICIES)
                .withDisallowedPoliciesGlob(DISALLOWED_POLICIES_GLOB)
                .withDisallowedPolicyGlob(DISALLOWED_POLICY_GLOB_3)
                .orphan(ORPHAN)
                .renewable(RENEWABLE)
                .withPathSuffix(PATH_SUFFIX)
                .withAllowedEntityAliases(ALLOWED_ENTITY_ALIASES)
                .withAllowedEntityAlias(ALLOWED_ENTITY_ALIAS_2)
                .withTokenBoundCidr(TOKEN_BOUND_CIDR_3)
                .withTokenBoundCidrs(TOKEN_BOUND_CIDRS)
                .withTokenExplicitMaxTtl(TOKEN_EXPLICIT_MAX_TTL)
                .withTokenNoDefaultPolicy(TOKEN_NO_DEFAULT_POLICY)
                .withTokenNumUses(TOKEN_NUM_USES)
                .withTokenPeriod(TOKEN_PERIOD)
                .withTokenType(TOKEN_TYPE)
                .build();
    }
    /**
     * Build token without any parameters.
     */
    @Test
    void buildDefaultTest() throws JsonProcessingException {
        TokenRole role = TokenRole.builder().build();
-        assertThat(role.getAllowedPolicies(), is(nullValue()));
+        assertNull(role.getAllowedPolicies());
-        assertThat(role.getDisallowedPolicies(), is(nullValue()));
+        assertNull(role.getDisallowedPolicies());
-        assertThat(role.getOrphan(), is(nullValue()));
+        assertNull(role.getOrphan());
-        assertThat(role.getRenewable(), is(nullValue()));
+        assertNull(role.getRenewable());
-        assertThat(role.getAllowedEntityAliases(), is(nullValue()));
+        assertNull(role.getAllowedEntityAliases());
-        assertThat(role.getTokenBoundCidrs(), is(nullValue()));
+        assertNull(role.getTokenBoundCidrs());
-        assertThat(role.getTokenExplicitMaxTtl(), is(nullValue()));
+        assertNull(role.getTokenExplicitMaxTtl());
-        assertThat(role.getTokenNoDefaultPolicy(), is(nullValue()));
+        assertNull(role.getTokenNoDefaultPolicy());
-        assertThat(role.getTokenNumUses(), is(nullValue()));
+        assertNull(role.getTokenNumUses());
-        assertThat(role.getTokenPeriod(), is(nullValue()));
+        assertNull(role.getTokenPeriod());
-        assertThat(role.getTokenType(), is(nullValue()));
+        assertNull(role.getTokenType());
-        /* optional fields should be ignored, so JSON string should be empty */
+        // Optional fields should be ignored, so JSON string should be empty.
-        assertThat(new ObjectMapper().writeValueAsString(role), is("{}"));
+        assertEquals("{}", objectMapper.writeValueAsString(role));
    }
    /**
@ -121,20 +160,23 @@ class TokenRoleBuilderTest {
                .withTokenType(null)
                .build();
-        assertThat(role.getAllowedPolicies(), is(nullValue()));
+        assertNull(role.getAllowedPolicies());
-        assertThat(role.getDisallowedPolicies(), is(nullValue()));
+        assertNull(role.getDisallowedPolicies());
-        assertThat(role.getOrphan(), is(nullValue()));
+        assertNull(role.getOrphan());
-        assertThat(role.getRenewable(), is(nullValue()));
+        assertNull(role.getRenewable());
-        assertThat(role.getAllowedEntityAliases(), is(nullValue()));
+        assertNull(role.getAllowedEntityAliases());
-        assertThat(role.getTokenBoundCidrs(), is(nullValue()));
+        assertNull(role.getTokenBoundCidrs());
-        assertThat(role.getTokenExplicitMaxTtl(), is(nullValue()));
+        assertNull(role.getTokenExplicitMaxTtl());
-        assertThat(role.getTokenNoDefaultPolicy(), is(nullValue()));
+        assertNull(role.getTokenNoDefaultPolicy());
-        assertThat(role.getTokenNumUses(), is(nullValue()));
+        assertNull(role.getTokenNumUses());
-        assertThat(role.getTokenPeriod(), is(nullValue()));
+        assertNull(role.getTokenPeriod());
-        assertThat(role.getTokenType(), is(nullValue()));
+        assertNull(role.getTokenType());
-        /* optional fields should be ignored, so JSON string should be empty */
+        // Empty builder should be equal to no-arg construction.
-        assertThat(new ObjectMapper().writeValueAsString(role), is("{}"));
+        assertEquals(new TokenRole(), role);
        // Optional fields should be ignored, so JSON string should be empty.
        assertEquals("{}", objectMapper.writeValueAsString(role));
    }
    /**
@ -142,43 +184,29 @@ class TokenRoleBuilderTest {
     */
    @Test
    void buildFullTest() throws JsonProcessingException {
-        TokenRole role = TokenRole.builder()
+        TokenRole role = createFull();
-                .forName(NAME)
+        assertEquals(NAME, role.getName());
-                .withAllowedPolicies(ALLOWED_POLICIES)
+        assertEquals(ALLOWED_POLICIES.size() + 1, role.getAllowedPolicies().size());
-                .withAllowedPolicy(ALLOWED_POLICY_3)
+        assertTrue(role.getAllowedPolicies().containsAll(List.of(ALLOWED_POLICY_1, ALLOWED_POLICY_2, ALLOWED_POLICY_3)));
-                .withDisallowedPolicy(DISALLOWED_POLICY_1)
+        assertEquals(ALLOWED_POLICIES_GLOB.size() + 1, role.getAllowedPoliciesGlob().size());
-                .withDisallowedPolicies(DISALLOWED_POLICIES)
+        assertTrue(role.getAllowedPoliciesGlob().containsAll(List.of(ALLOWED_POLICY_GLOB_1, ALLOWED_POLICY_GLOB_2, ALLOWED_POLICY_GLOB_3)));
-                .orphan(ORPHAN)
+        assertEquals(DISALLOWED_POLICIES.size() + 1, role.getDisallowedPolicies().size());
-                .renewable(RENEWABLE)
+        assertTrue(role.getDisallowedPolicies().containsAll(List.of(DISALLOWED_POLICY_1, DISALLOWED_POLICY_2, DISALLOWED_POLICY_3)));
-                .withPathSuffix(PATH_SUFFIX)
+        assertEquals(DISALLOWED_POLICIES_GLOB.size() + 1, role.getDisallowedPoliciesGlob().size());
-                .withAllowedEntityAliases(ALLOWED_ENTITY_ALIASES)
+        assertTrue(role.getDisallowedPoliciesGlob().containsAll(List.of(DISALLOWED_POLICY_GLOB_1, DISALLOWED_POLICY_GLOB_2, DISALLOWED_POLICY_GLOB_3)));
-                .withAllowedEntityAlias(ALLOWED_ENTITY_ALIAS_2)
+        assertEquals(ORPHAN, role.getOrphan());
-                .withTokenBoundCidr(TOKEN_BOUND_CIDR_3)
+        assertEquals(RENEWABLE, role.getRenewable());
-                .withTokenBoundCidrs(TOKEN_BOUND_CIDRS)
+        assertEquals(PATH_SUFFIX, role.getPathSuffix());
-                .withTokenExplicitMaxTtl(TOKEN_EXPLICIT_MAX_TTL)
+        assertEquals(ALLOWED_ENTITY_ALIASES.size() + 1, role.getAllowedEntityAliases().size());
-                .withTokenNoDefaultPolicy(TOKEN_NO_DEFAULT_POLICY)
+        assertTrue(role.getAllowedEntityAliases().containsAll(List.of(ALLOWED_ENTITY_ALIAS_1, ALLOWED_ENTITY_ALIAS_2, ALLOWED_ENTITY_ALIAS_3)));
-                .withTokenNumUses(TOKEN_NUM_USES)
+        assertEquals(TOKEN_BOUND_CIDRS.size() + 1, role.getTokenBoundCidrs().size());
-                .withTokenPeriod(TOKEN_PERIOD)
+        assertTrue(role.getTokenBoundCidrs().containsAll(List.of(TOKEN_BOUND_CIDR_1, TOKEN_BOUND_CIDR_2, TOKEN_BOUND_CIDR_3)));
-                .withTokenType(TOKEN_TYPE)
+        assertEquals(TOKEN_NO_DEFAULT_POLICY, role.getTokenNoDefaultPolicy());
-                .build();
+        assertEquals(TOKEN_NUM_USES, role.getTokenNumUses());
-        assertThat(role.getName(), is(NAME));
+        assertEquals(TOKEN_PERIOD, role.getTokenPeriod());
-        assertThat(role.getAllowedPolicies(), hasSize(ALLOWED_POLICIES.size() + 1));
+        assertEquals(TOKEN_TYPE.value(), role.getTokenType());
        assertThat(role.getAllowedPolicies(), containsInAnyOrder(ALLOWED_POLICY_1, ALLOWED_POLICY_2, ALLOWED_POLICY_3));
        assertThat(role.getDisallowedPolicies(), hasSize(DISALLOWED_POLICIES.size() + 1));
        assertThat(role.getDisallowedPolicies(), containsInAnyOrder(DISALLOWED_POLICY_1, DISALLOWED_POLICY_2, DISALLOWED_POLICY_3));
        assertThat(role.getOrphan(), is(ORPHAN));
        assertThat(role.getRenewable(), is(RENEWABLE));
        assertThat(role.getPathSuffix(), is(PATH_SUFFIX));
        assertThat(role.getAllowedEntityAliases(), hasSize(ALLOWED_ENTITY_ALIASES.size() + 1));
        assertThat(role.getAllowedEntityAliases(), containsInAnyOrder(ALLOWED_ENTITY_ALIAS_1, ALLOWED_ENTITY_ALIAS_2, ALLOWED_ENTITY_ALIAS_3));
        assertThat(role.getTokenBoundCidrs(), hasSize(TOKEN_BOUND_CIDRS.size() + 1));
        assertThat(role.getTokenBoundCidrs(), containsInAnyOrder(TOKEN_BOUND_CIDR_1, TOKEN_BOUND_CIDR_2, TOKEN_BOUND_CIDR_3));
        assertThat(role.getTokenNoDefaultPolicy(), is(TOKEN_NO_DEFAULT_POLICY));
        assertThat(role.getTokenNumUses(), is(TOKEN_NUM_USES));
        assertThat(role.getTokenPeriod(), is(TOKEN_PERIOD));
        assertThat(role.getTokenType(), is(TOKEN_TYPE.value()));
-        /* Verify that all parameters are included in JSON string */
+        // Verify that all parameters are included in JSON string.
-        assertThat(new ObjectMapper().writeValueAsString(role), is(JSON_FULL));
+        assertEquals(JSON_FULL, objectMapper.writeValueAsString(role));
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/TokenTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/TokenTest.java
@ -0,0 +1,181 @@
 /*
 * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package de.stklcode.jvault.connector.model;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 import java.util.*;
 import static org.junit.jupiter.api.Assertions.*;
 /**
 * JUnit Test for {@link Token} and {@link Token.Builder}.
 *
 * @author Stefan Kalscheuer
 * @since 0.4.0
 */
 class TokenTest extends AbstractModelTest<Token> {
    private static final String ID = "test-id";
    private static final String DISPLAY_NAME = "display-name";
    private static final Boolean NO_PARENT = false;
    private static final Boolean NO_DEFAULT_POLICY = false;
    private static final Integer TTL = 123;
    private static final Integer EXPLICIT_MAX_TTL = 456;
    private static final Integer NUM_USES = 4;
    private static final List<String> POLICIES = new ArrayList<>();
    private static final String POLICY = "policy";
    private static final String POLICY_2 = "policy2";
    private static final String POLICY_3 = "policy3";
    private static final Map<String, String> META = new HashMap<>();
    private static final String META_KEY = "key";
    private static final String META_VALUE = "value";
    private static final String META_KEY_2 = "key2";
    private static final String META_VALUE_2 = "value2";
    private static final Boolean RENEWABLE = true;
    private static final Integer PERIOD = 3600;
    private static final String ENTITY_ALIAS = "alias-value";
    private static final String JSON_FULL = "{\"id\":\"test-id\",\"type\":\"service\",\"display_name\":\"display-name\",\"no_parent\":false,\"no_default_policy\":false,\"ttl\":123,\"explicit_max_ttl\":456,\"num_uses\":4,\"policies\":[\"policy\"],\"meta\":{\"key\":\"value\"},\"renewable\":true,\"period\":3600,\"entity_alias\":\"alias-value\"}";
    TokenTest() {
        super(Token.class);
    }
    @Override
    protected Token createFull() {
        return Token.builder()
                .withId(ID)
                .withType(Token.Type.SERVICE)
                .withDisplayName(DISPLAY_NAME)
                .withNoParent(NO_PARENT)
                .withNoDefaultPolicy(NO_DEFAULT_POLICY)
                .withTtl(TTL)
                .withExplicitMaxTtl(EXPLICIT_MAX_TTL)
                .withNumUses(NUM_USES)
                .withPolicies(POLICIES)
                .withMeta(META)
                .withRenewable(RENEWABLE)
                .withPeriod(PERIOD)
                .withEntityAlias(ENTITY_ALIAS)
                .build();
    }
    @BeforeAll
    static void init() {
        POLICIES.add(POLICY);
        META.put(META_KEY, META_VALUE);
    }
    /**
     * Build token without any parameters.
     */
    @Test
    void buildDefaultTest() throws JsonProcessingException {
        Token token = Token.builder().build();
        assertNull(token.getId());
        assertNull(token.getType());
        assertNull(token.getDisplayName());
        assertNull(token.getNoParent());
        assertNull(token.getNoDefaultPolicy());
        assertNull(token.getTtl());
        assertNull(token.getExplicitMaxTtl());
        assertNull(token.getNumUses());
        assertNull(token.getPolicies());
        assertNull(token.getMeta());
        assertNull(token.isRenewable());
        assertNull(token.getPeriod());
        assertNull(token.getEntityAlias());
        // Optional fields should be ignored, so JSON string should be empty.
        assertEquals("{}", objectMapper.writeValueAsString(token));
        // Empty builder should be equal to no-arg construction.
        assertEquals(new Token(), token);
    }
    /**
     * Build token without all parameters set.
     */
    @Test
    void buildFullTest() throws JsonProcessingException {
        Token token = createFull();
        assertEquals(ID, token.getId());
        assertEquals(Token.Type.SERVICE.value(), token.getType());
        assertEquals(DISPLAY_NAME, token.getDisplayName());
        assertEquals(NO_PARENT, token.getNoParent());
        assertEquals(NO_DEFAULT_POLICY, token.getNoDefaultPolicy());
        assertEquals(TTL, token.getTtl());
        assertEquals(EXPLICIT_MAX_TTL, token.getExplicitMaxTtl());
        assertEquals(NUM_USES, token.getNumUses());
        assertEquals(POLICIES, token.getPolicies());
        assertEquals(META, token.getMeta());
        assertEquals(RENEWABLE, token.isRenewable());
        assertEquals(PERIOD, token.getPeriod());
        // Verify that all parameters are included in JSON string.
        assertEquals(JSON_FULL, objectMapper.writeValueAsString(token));
    }
    /**
     * Test convenience methods
     */
    @Test
    void convenienceMethodsTest() {
        // Parent.
        Token token = Token.builder().asOrphan().build();
        assertEquals(true, token.getNoParent());
        token = Token.builder().withParent().build();
        assertEquals(false, token.getNoParent());
        // Default policy.
        token = Token.builder().withDefaultPolicy().build();
        assertEquals(false, token.getNoDefaultPolicy());
        token = Token.builder().withoutDefaultPolicy().build();
        assertEquals(true, token.getNoDefaultPolicy());
        // Renewability.
        token = Token.builder().renewable().build();
        assertEquals(true, token.isRenewable());
        token = Token.builder().notRenewable().build();
        assertEquals(false, token.isRenewable());
        // Add single policy.
        token = Token.builder().withPolicy(POLICY_2).build();
        assertEquals(1, token.getPolicies().size());
        assertEquals(List.of(POLICY_2), token.getPolicies());
        token = Token.builder()
                .withPolicies(POLICY, POLICY_2)
                .withPolicy(POLICY_3)
                .build();
        assertEquals(3, token.getPolicies().size());
        assertTrue(token.getPolicies().containsAll(List.of(POLICY, POLICY_2, POLICY_3)));
        // Add single metadata.
        token = Token.builder().withMeta(META_KEY_2, META_VALUE_2).build();
        assertEquals(1, token.getMeta().size());
        assertEquals(Set.of(META_KEY_2), token.getMeta().keySet());
        assertEquals(META_VALUE_2, token.getMeta().get(META_KEY_2));
        token = Token.builder()
                .withMeta(META)
                .withMeta(META_KEY_2, META_VALUE_2)
                .build();
        assertEquals(2, token.getMeta().size());
        assertEquals(META_VALUE, token.getMeta().get(META_KEY));
        assertEquals(META_VALUE_2, token.getMeta().get(META_KEY_2));
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/response/AppRoleResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/AppRoleResponseTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,18 +16,14 @@
 package de.stklcode.jvault.connector.model.response;
-import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.core.JsonProcessingException;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import de.stklcode.jvault.connector.model.AbstractModelTest;
 import de.stklcode.jvault.connector.model.AppRole;
 import org.junit.jupiter.api.Test;
-import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
-import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.*;
 import static org.hamcrest.Matchers.*;
 import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 /**
 * JUnit Test for {@link AppRoleResponse} model.
@ -35,7 +31,7 @@ import static org.junit.jupiter.api.Assertions.assertThrows;
 * @author Stefan Kalscheuer
 * @since 0.6.2
 */
-class AppRoleResponseTest {
+class AppRoleResponseTest extends AbstractModelTest<AppRoleResponse> {
    private static final Integer ROLE_TOKEN_TTL = 1200;
    private static final Integer ROLE_TOKEN_MAX_TTL = 1800;
    private static final Integer ROLE_SECRET_TTL = 600;
@ -65,10 +61,18 @@ class AppRoleResponseTest {
            "  \"lease_id\": \"\"\n" +
            "}";
-    private static final Map<String, Object> INVALID_DATA = new HashMap<>();
+    AppRoleResponseTest() {
        super(AppRoleResponse.class);
    }
-    static {
+    @Override
-        INVALID_DATA.put("token_policies", "fancy-policy");
+    protected AppRoleResponse createFull() {
        try {
            return objectMapper.readValue(RES_JSON, AppRoleResponse.class);
        } catch (JsonProcessingException e) {
            fail("Creation of full model instance failed", e);
            return null;
        }
    }
    /**
@ -78,14 +82,7 @@ class AppRoleResponseTest {
    void getDataRoundtrip() {
        // Create empty Object.
        AppRoleResponse res = new AppRoleResponse();
-        assertThat("Initial data should be empty", res.getRole(), is(nullValue()));
+        assertNull(res.getRole(), "Initial data should be empty");
        // Parsing invalid auth data map should fail.
        assertThrows(
                InvalidResponseException.class,
                () -> res.setData(INVALID_DATA),
                "Parsing invalid data succeeded"
        );
    }
    /**
@ -94,25 +91,21 @@ class AppRoleResponseTest {
    @Test
    void jsonRoundtrip() {
        AppRoleResponse res = assertDoesNotThrow(
-                () -> new ObjectMapper().readValue(RES_JSON, AppRoleResponse.class),
+                () -> objectMapper.readValue(RES_JSON, AppRoleResponse.class),
-                "AuthResponse deserialization failed."
+                "AuthResponse deserialization failed"
        );
-        assertThat("Parsed response is NULL", res, is(notNullValue()));
+        assertNotNull(res, "Parsed response is NULL");
        // Extract role data.
        AppRole role = res.getRole();
-        assertThat("Role data is NULL", role, is(notNullValue()));
+        assertNotNull(role, "Role data is NULL");
-        assertThat("Incorrect token TTL", role.getTokenTtl(), is(ROLE_TOKEN_TTL));
+        assertEquals(ROLE_TOKEN_TTL, role.getTokenTtl(), "Incorrect token TTL");
-        assertThat("Incorrect token max TTL", role.getTokenMaxTtl(), is(ROLE_TOKEN_MAX_TTL));
+        assertEquals(ROLE_TOKEN_MAX_TTL, role.getTokenMaxTtl(), "Incorrect token max TTL");
-        assertThat("Incorrect secret ID TTL", role.getSecretIdTtl(), is(ROLE_SECRET_TTL));
+        assertEquals(ROLE_SECRET_TTL, role.getSecretIdTtl(), "Incorrect secret ID TTL");
-        assertThat("Incorrect secret ID umber of uses", role.getSecretIdNumUses(), is(ROLE_SECRET_NUM_USES));
+        assertEquals(ROLE_SECRET_NUM_USES, role.getSecretIdNumUses(), "Incorrect secret ID umber of uses");
-        assertThat("Incorrect number of policies", role.getTokenPolicies(), hasSize(1));
+        assertEquals(List.of(ROLE_POLICY), role.getTokenPolicies(), "Incorrect policies");
-        assertThat("Incorrect role policies", role.getTokenPolicies(), contains(ROLE_POLICY));
+        assertEquals(ROLE_PERIOD, role.getTokenPeriod(), "Incorrect role period");
-        assertThat("Incorrect number of policies", role.getPolicies(), hasSize(1));
+        assertEquals(ROLE_BIND_SECRET, role.getBindSecretId(), "Incorrect role bind secret ID flag");
-        assertThat("Incorrect role policies", role.getPolicies(), contains(ROLE_POLICY));
+        assertNull(role.getTokenBoundCidrs(), "Incorrect bound CIDR list");
-        assertThat("Incorrect role period", role.getTokenPeriod(), is(ROLE_PERIOD));
+        assertEquals("", role.getTokenBoundCidrsString(), "Incorrect bound CIDR list string");
        assertThat("Incorrect role period", role.getPeriod(), is(ROLE_PERIOD));
        assertThat("Incorrect role bind secret ID flag", role.getBindSecretId(), is(ROLE_BIND_SECRET));
        assertThat("Incorrect bound CIDR list", role.getTokenBoundCidrs(), is(nullValue()));
        assertThat("Incorrect bound CIDR list string", role.getTokenBoundCidrsString(), is(emptyString()));
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/response/AuthMethodsResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/AuthMethodsResponseTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,19 +16,17 @@
 package de.stklcode.jvault.connector.model.response;
-import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.core.JsonProcessingException;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import de.stklcode.jvault.connector.model.AbstractModelTest;
 import de.stklcode.jvault.connector.model.AuthBackend;
 import de.stklcode.jvault.connector.model.response.embedded.AuthMethod;
 import org.junit.jupiter.api.Test;
-import java.util.HashMap;
+import java.util.Collections;
 import java.util.Map;
 import java.util.Set;
-import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.*;
 import static org.hamcrest.Matchers.*;
 import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 /**
 * JUnit Test for {@link AuthMethodsResponse} model.
@ -36,37 +34,68 @@ import static org.junit.jupiter.api.Assertions.assertThrows;
 * @author Stefan Kalscheuer
 * @since 0.6.2
 */
-class AuthMethodsResponseTest {
+class AuthMethodsResponseTest extends AbstractModelTest<AuthMethodsResponse> {
    private static final String GH_PATH = "github/";
    private static final String GH_TYPE = "github";
    private static final String GH_UUID = "4b42d1a4-0a0d-3c88-ae90-997e0c8b41be";
    private static final String GH_ACCESSOR = "auth_github_badd7fd0";
    private static final String GH_DESCR = "GitHub auth";
    private static final String TK_PATH = "token/";
    private static final String TK_TYPE = "token";
    private static final String TK_UUID = "32ea9681-6bd6-6cec-eec3-d11260ba9741";
    private static final String TK_ACCESSOR = "auth_token_ac0dd95a";
    private static final String TK_DESCR = "token based credentials";
    private static final Integer TK_LEASE_TTL = 0;
    private static final Boolean TK_FORCE_NO_CACHE = false;
    private static final Integer TK_MAX_LEASE_TTL = 0;
    private static final String TK_TOKEN_TYPE = "default-service";
    private static final String TK_RUNNING_PLUGIN_VERSION = "v1.15.3+builtin.vault";
    private static final String RES_JSON = "{\n" +
            "  \"data\": {" +
            "    \"" + GH_PATH + "\": {\n" +
            "      \"uuid\": \"" + GH_UUID + "\",\n" +
            "      \"type\": \"" + GH_TYPE + "\",\n" +
-            "      \"description\": \"" + GH_DESCR + "\"\n" +
+            "      \"accessor\": \"" + GH_ACCESSOR + "\",\n" +
            "      \"description\": \"" + GH_DESCR + "\",\n" +
            "      \"external_entropy_access\": false,\n" +
            "      \"local\": false,\n" +
            "      \"seal_wrap\": false\n" +
            "    },\n" +
            "    \"" + TK_PATH + "\": {\n" +
            "      \"config\": {\n" +
            "        \"default_lease_ttl\": " + TK_LEASE_TTL + ",\n" +
-            "        \"max_lease_ttl\": " + TK_MAX_LEASE_TTL + "\n" +
+            "        \"force_no_cache\": " + TK_FORCE_NO_CACHE + ",\n" +
            "        \"max_lease_ttl\": " + TK_MAX_LEASE_TTL + ",\n" +
            "        \"token_type\": \"" + TK_TOKEN_TYPE + "\"\n" +
            "      },\n" +
            "      \"description\": \"" + TK_DESCR + "\",\n" +
-            "      \"type\": \"" + TK_TYPE + "\"\n" +
+            "      \"options\": null,\n" +
            "      \"plugin_version\": \"\",\n" +
            "      \"running_plugin_version\": \"" + TK_RUNNING_PLUGIN_VERSION + "\",\n" +
            "      \"running_sha256\": \"\",\n" +
            "      \"type\": \"" + TK_TYPE + "\",\n" +
            "      \"uuid\": \"" + TK_UUID + "\",\n" +
            "      \"accessor\": \"" + TK_ACCESSOR + "\",\n" +
            "      \"external_entropy_access\": false,\n" +
            "      \"local\": true,\n" +
            "      \"seal_wrap\": false\n" +
            "    }\n" +
            "  }\n" +
            "}";
-    private static final Map<String, Object> INVALID_DATA = new HashMap<>();
+    AuthMethodsResponseTest() {
        super(AuthMethodsResponse.class);
    }
-    static {
+    @Override
-        INVALID_DATA.put("dummy/", new Dummy());
+    protected AuthMethodsResponse createFull() {
        try {
            return objectMapper.readValue(RES_JSON, AuthMethodsResponse.class);
        } catch (JsonProcessingException e) {
            fail("Creation of full model instance failed", e);
            return null;
        }
    }
    /**
@ -76,14 +105,7 @@ class AuthMethodsResponseTest {
    void getDataRoundtrip() {
        // Create empty Object.
        AuthMethodsResponse res = new AuthMethodsResponse();
-        assertThat("Initial method map should be empty", res.getSupportedMethods(), is(anEmptyMap()));
+        assertEquals(Collections.emptyMap(), res.getSupportedMethods(), "Initial method map should be empty");
        // Parsing invalid data map should fail.
        assertThrows(
                InvalidResponseException.class,
                () -> res.setData(INVALID_DATA),
                "Parsing invalid data succeeded"
        );
    }
    /**
@ -92,35 +114,48 @@ class AuthMethodsResponseTest {
    @Test
    void jsonRoundtrip() {
        AuthMethodsResponse res = assertDoesNotThrow(
-                () -> new ObjectMapper().readValue(RES_JSON, AuthMethodsResponse.class),
+                () -> objectMapper.readValue(RES_JSON, AuthMethodsResponse.class),
                "AuthResponse deserialization failed"
        );
-        assertThat("Parsed response is NULL", res, is(notNullValue()));
+        assertNotNull(res, "Parsed response is NULL");
        // Extract auth data.
        Map<String, AuthMethod> supported = res.getSupportedMethods();
-        assertThat("Auth data is NULL", supported, is(notNullValue()));
+        assertNotNull(supported, "Auth data is NULL");
-        assertThat("Incorrect number of supported methods", supported.entrySet(), hasSize(2));
+        assertEquals(2, supported.size(), "Incorrect number of supported methods");
-        assertThat("Incorrect method paths", supported.keySet(), containsInAnyOrder(GH_PATH, TK_PATH));
+        assertTrue(supported.keySet().containsAll(Set.of(GH_PATH, TK_PATH)), "Incorrect method paths");
        // Verify first method.
        AuthMethod method = supported.get(GH_PATH);
-        assertThat("Incorrect raw type for GitHub", method.getRawType(), is(GH_TYPE));
+        assertEquals(GH_TYPE, method.getRawType(), "Incorrect raw type for GitHub");
-        assertThat("Incorrect parsed type for GitHub", method.getType(), is(AuthBackend.GITHUB));
+        assertEquals(AuthBackend.GITHUB, method.getType(), "Incorrect parsed type for GitHub");
-        assertThat("Incorrect description for GitHub", method.getDescription(), is(GH_DESCR));
+        assertEquals(GH_DESCR, method.getDescription(), "Incorrect description for GitHub");
-        assertThat("Unexpected config for GitHub", method.getConfig(), is(nullValue()));
+        assertNull(method.getConfig(), "Unexpected config for GitHub");
        assertEquals(GH_UUID, method.getUuid(), "Unexpected UUID for GitHub");
        assertEquals(GH_ACCESSOR, method.getAccessor(), "Unexpected accessor for GitHub");
        assertFalse(method.isLocal(), "Unexpected local flag for GitHub");
        assertFalse(method.isExternalEntropyAccess(), "Unexpected external entropy flag for GitHub");
        assertFalse(method.isSealWrap(), "Unexpected seal wrap flag for GitHub");
-        // Verify first method.
+        // Verify second method.
        method = supported.get(TK_PATH);
-        assertThat("Incorrect raw type for Token", method.getRawType(), is(TK_TYPE));
+        assertEquals(TK_TYPE, method.getRawType(), "Incorrect raw type for Token");
-        assertThat("Incorrect parsed type for Token", method.getType(), is(AuthBackend.TOKEN));
+        assertEquals(AuthBackend.TOKEN, method.getType(), "Incorrect parsed type for Token");
-        assertThat("Incorrect description for Token", method.getDescription(), is(TK_DESCR));
+        assertEquals(TK_DESCR, method.getDescription(), "Incorrect description for Token");
-        assertThat("Missing config for Token", method.getConfig(), is(notNullValue()));
+        assertEquals(TK_UUID, method.getUuid(), "Unexpected UUID for Token");
-        assertThat("Unexpected config size for Token", method.getConfig().keySet(), hasSize(2));
+        assertEquals(TK_ACCESSOR, method.getAccessor(), "Unexpected accessor for Token");
-        assertThat("Incorrect lease TTL config", method.getConfig().get("default_lease_ttl"), is(TK_LEASE_TTL.toString()));
+        assertTrue(method.isLocal(), "Unexpected local flag for Token");
-        assertThat("Incorrect max lease TTL config", method.getConfig().get("max_lease_ttl"), is(TK_MAX_LEASE_TTL.toString()));
+        assertFalse(method.isExternalEntropyAccess(), "Unexpected external entropy flag for Token");
-    }
+        assertFalse(method.isSealWrap(), "Unexpected seal wrap flag for GitHub");
        assertEquals("", method.getPluginVersion(), "Unexpected plugin version");
        assertEquals(TK_RUNNING_PLUGIN_VERSION, method.getRunningPluginVersion(), "Unexpected running plugin version");
        assertEquals("", method.getRunningSha256(), "Unexpected running SHA256");
-    private static class Dummy {
+        assertNotNull(method.getConfig(), "Missing config for Token");
        assertEquals(TK_LEASE_TTL, method.getConfig().getDefaultLeaseTtl(), "Unexpected default TTL");
        assertEquals(TK_MAX_LEASE_TTL, method.getConfig().getMaxLeaseTtl(), "Unexpected max TTL");
        assertEquals(TK_FORCE_NO_CACHE, method.getConfig().getForceNoCache(), "Unexpected force no cache flag");
        assertEquals(TK_TOKEN_TYPE, method.getConfig().getTokenType(), "Unexpected token type");
        assertNull(method.getOptions(), "Unexpected options");
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/response/AuthResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/AuthResponseTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,18 +16,19 @@
 package de.stklcode.jvault.connector.model.response;
-import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.core.JsonProcessingException;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import de.stklcode.jvault.connector.model.AbstractModelTest;
 import de.stklcode.jvault.connector.model.response.embedded.AuthData;
 import de.stklcode.jvault.connector.model.response.embedded.MfaConstraintAny;
 import de.stklcode.jvault.connector.model.response.embedded.MfaMethodId;
 import de.stklcode.jvault.connector.model.response.embedded.MfaRequirement;
 import nl.jqno.equalsverifier.EqualsVerifier;
 import org.junit.jupiter.api.Test;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Set;
-import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.*;
 import static org.hamcrest.Matchers.*;
 import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 /**
 * JUnit Test for {@link AuthResponse} model.
@ -35,7 +36,7 @@ import static org.junit.jupiter.api.Assertions.assertThrows;
 * @author Stefan Kalscheuer
 * @since 0.6.2
 */
-class AuthResponseTest {
+class AuthResponseTest extends AbstractModelTest<AuthResponse> {
    private static final String AUTH_ACCESSOR = "2c84f488-2133-4ced-87b0-570f93a76830";
    private static final String AUTH_CLIENT_TOKEN = "ABCD";
    private static final String AUTH_POLICY_1 = "web";
@ -47,55 +48,72 @@ class AuthResponseTest {
    private static final String AUTH_ENTITY_ID = "";
    private static final String AUTH_TOKEN_TYPE = "service";
    private static final Boolean AUTH_ORPHAN = false;
    private static final Integer AUTH_NUM_USES = 42;
    private static final String MFA_REQUEST_ID = "d0c9eec7-6921-8cc0-be62-202b289ef163";
    private static final String MFA_KEY = "enforcementConfigUserpass";
    private static final String MFA_METHOD_TYPE = "totp";
    private static final String MFA_METHOD_ID = "820997b3-110e-c251-7e8b-ff4aa428a6e1";
    private static final Boolean MFA_METHOD_USES_PASSCODE = true;
    private static final String MFA_METHOD_NAME = "sample_mfa_method_name";
    private static final String RES_JSON = "{\n" +
-            "  \"auth\": {\n" +
+        "  \"auth\": {\n" +
-            "    \"accessor\": \"" + AUTH_ACCESSOR + "\",\n" +
+        "    \"accessor\": \"" + AUTH_ACCESSOR + "\",\n" +
-            "    \"client_token\": \"" + AUTH_CLIENT_TOKEN + "\",\n" +
+        "    \"client_token\": \"" + AUTH_CLIENT_TOKEN + "\",\n" +
-            "    \"policies\": [\n" +
+        "    \"policies\": [\n" +
-            "      \"" + AUTH_POLICY_1 + "\", \n" +
+        "      \"" + AUTH_POLICY_1 + "\", \n" +
-            "      \"" + AUTH_POLICY_2 + "\"\n" +
+        "      \"" + AUTH_POLICY_2 + "\"\n" +
-            "    ],\n" +
+        "    ],\n" +
-            "    \"token_policies\": [\n" +
+        "    \"token_policies\": [\n" +
-            "      \"" + AUTH_POLICY_2 + "\",\n" +
+        "      \"" + AUTH_POLICY_2 + "\",\n" +
-            "      \"" + AUTH_POLICY_1 + "\" \n" +
+        "      \"" + AUTH_POLICY_1 + "\" \n" +
-            "    ],\n" +
+        "    ],\n" +
-            "    \"metadata\": {\n" +
+        "    \"metadata\": {\n" +
-            "      \"" + AUTH_META_KEY + "\": \"" + AUTH_META_VALUE + "\"\n" +
+        "      \"" + AUTH_META_KEY + "\": \"" + AUTH_META_VALUE + "\"\n" +
-            "    },\n" +
+        "    },\n" +
-            "    \"lease_duration\": " + AUTH_LEASE_DURATION + ",\n" +
+        "    \"lease_duration\": " + AUTH_LEASE_DURATION + ",\n" +
-            "    \"renewable\": " + AUTH_RENEWABLE + ",\n" +
+        "    \"renewable\": " + AUTH_RENEWABLE + ",\n" +
-            "    \"entity_id\": \"" + AUTH_ENTITY_ID + "\",\n" +
+        "    \"entity_id\": \"" + AUTH_ENTITY_ID + "\",\n" +
-            "    \"token_type\": \"" + AUTH_TOKEN_TYPE + "\",\n" +
+        "    \"token_type\": \"" + AUTH_TOKEN_TYPE + "\",\n" +
-            "    \"orphan\": " + AUTH_ORPHAN + "\n" +
+        "    \"orphan\": " + AUTH_ORPHAN + ",\n" +
-            "  }\n" +
+        "    \"num_uses\": " + AUTH_NUM_USES + ",\n" +
-            "}";
+        "    \"mfa_requirement\": {\n" +
        "      \"mfa_request_id\": \"" + MFA_REQUEST_ID + "\",\n" +
        "      \"mfa_constraints\": {\n" +
        "        \"" + MFA_KEY + "\": {\n" +
        "          \"any\": [\n" +
        "            {\n" +
        "              \"type\": \"" + MFA_METHOD_TYPE + "\",\n" +
        "              \"id\": \"" + MFA_METHOD_ID + "\",\n" +
        "              \"uses_passcode\": " + MFA_METHOD_USES_PASSCODE + ",\n" +
        "              \"name\": \"" + MFA_METHOD_NAME + "\"\n" +
        "            }\n" +
        "          ]\n" +
        "        }\n" +
        "      }\n" +
        "    }\n" +
        "  }\n" +
        "}";
-    private static final Map<String, Object> INVALID_AUTH_DATA = new HashMap<>();
+    AuthResponseTest() {
-
+        super(AuthResponse.class);
-    static {
+    }
-        INVALID_AUTH_DATA.put("policies", "fancy-policy");
+
    @Override
    protected AuthResponse createFull() {
        try {
            return objectMapper.readValue(RES_JSON, AuthResponse.class);
        } catch (JsonProcessingException e) {
            fail("Creation of full model instance failed", e);
            return null;
        }
    }
    /**
     * Test getter, setter and get-methods for response data.
     */
    @Test
-    void getDataRoundtrip() {
+    void testEqualsHashcodeMfa() {
-        // Create empty Object.
+        EqualsVerifier.simple().forClass(MfaRequirement.class).verify();
-        AuthResponse res = new AuthResponse();
+        EqualsVerifier.simple().forClass(MfaConstraintAny.class).verify();
-        assertThat("Initial data should be empty", res.getData(), is(nullValue()));
+        EqualsVerifier.simple().forClass(MfaMethodId.class).verify();
        // Parsing invalid auth data map should fail.
        assertThrows(
                InvalidResponseException.class,
                () -> res.setAuth(INVALID_AUTH_DATA),
                "Parsing invalid auth data succeeded"
        );
        // Data method should be agnostic.
        res.setData(INVALID_AUTH_DATA);
        assertThat("Data not passed through", res.getData(), is(INVALID_AUTH_DATA));
    }
    /**
@ -103,26 +121,35 @@ class AuthResponseTest {
     */
    @Test
    void jsonRoundtrip() {
-            AuthResponse res = assertDoesNotThrow(
+        AuthResponse res = assertDoesNotThrow(
-                    () -> new ObjectMapper().readValue(RES_JSON, AuthResponse.class),
+                () -> objectMapper.readValue(RES_JSON, AuthResponse.class),
-                    "AuthResponse deserialization failed."
+                "AuthResponse deserialization failed"
-            );
+        );
-            assertThat("Parsed response is NULL", res, is(notNullValue()));
+        assertNotNull(res, "Parsed response is NULL");
-            // Extract auth data.
+        // Extract auth data.
-            AuthData data = res.getAuth();
+        AuthData data = res.getAuth();
-            assertThat("Auth data is NULL", data, is(notNullValue()));
+        assertNotNull(data, "Auth data is NULL");
-            assertThat("Incorrect auth accessor", data.getAccessor(), is(AUTH_ACCESSOR));
+        assertEquals(AUTH_ACCESSOR, data.getAccessor(), "Incorrect auth accessor");
-            assertThat("Incorrect auth client token", data.getClientToken(), is(AUTH_CLIENT_TOKEN));
+        assertEquals(AUTH_CLIENT_TOKEN, data.getClientToken(), "Incorrect auth client token");
-            assertThat("Incorrect auth lease duration", data.getLeaseDuration(), is(AUTH_LEASE_DURATION));
+        assertEquals(AUTH_LEASE_DURATION, data.getLeaseDuration(), "Incorrect auth lease duration");
-            assertThat("Incorrect auth renewable flag", data.isRenewable(), is(AUTH_RENEWABLE));
+        assertEquals(AUTH_RENEWABLE, data.isRenewable(), "Incorrect auth renewable flag");
-            assertThat("Incorrect auth orphan flag", data.isOrphan(), is(AUTH_ORPHAN));
+        assertEquals(AUTH_ORPHAN, data.isOrphan(), "Incorrect auth orphan flag");
-            assertThat("Incorrect auth token type", data.getTokenType(), is(AUTH_TOKEN_TYPE));
+        assertEquals(AUTH_TOKEN_TYPE, data.getTokenType(), "Incorrect auth token type");
-            assertThat("Incorrect auth entity id", data.getEntityId(), is(AUTH_ENTITY_ID));
+        assertEquals(AUTH_ENTITY_ID, data.getEntityId(), "Incorrect auth entity id");
-            assertThat("Incorrect number of policies", data.getPolicies(), hasSize(2));
+        assertEquals(AUTH_NUM_USES, data.getNumUses(), "Incorrect auth num uses");
-            assertThat("Incorrect auth policies", data.getPolicies(), containsInRelativeOrder(AUTH_POLICY_1, AUTH_POLICY_2));
+        assertEquals(2, data.getPolicies().size(), "Incorrect number of policies");
-            assertThat("Incorrect number of token policies", data.getTokenPolicies(), hasSize(2));
+        assertTrue(data.getPolicies().containsAll(Set.of(AUTH_POLICY_1, AUTH_POLICY_2)));
-            assertThat("Incorrect token policies", data.getTokenPolicies(), containsInRelativeOrder(AUTH_POLICY_2, AUTH_POLICY_1));
+        assertEquals(2, data.getTokenPolicies().size(), "Incorrect number of token policies");
-            assertThat("Incorrect auth metadata size", data.getMetadata().entrySet(), hasSize(1));
+        assertTrue(data.getTokenPolicies().containsAll(Set.of(AUTH_POLICY_2, AUTH_POLICY_1)), "Incorrect token policies");
-            assertThat("Incorrect auth metadata", data.getMetadata().get(AUTH_META_KEY), is(AUTH_META_VALUE));
+        assertEquals(Map.of(AUTH_META_KEY, AUTH_META_VALUE), data.getMetadata(), "Incorrect auth metadata");
        assertEquals(MFA_REQUEST_ID, data.getMfaRequirement().getMfaRequestId(), "Incorrect MFA request ID");
        assertEquals(Set.of(MFA_KEY), data.getMfaRequirement().getMfaConstraints().keySet(), "Incorrect MFA constraint keys");
        var mfaConstraint = data.getMfaRequirement().getMfaConstraints().get(MFA_KEY);
        assertEquals(1, mfaConstraint.getAny().size(), "Incorrect number of any constraints");
        assertEquals(MFA_METHOD_TYPE, mfaConstraint.getAny().get(0).getType(), "Incorrect MFA method type");
        assertEquals(MFA_METHOD_ID, mfaConstraint.getAny().get(0).getId(), "Incorrect MFA method type");
        assertEquals(MFA_METHOD_USES_PASSCODE, mfaConstraint.getAny().get(0).getUsesPasscode(), "Incorrect MFA method uses passcode");
        assertEquals(MFA_METHOD_NAME, mfaConstraint.getAny().get(0).getName(), "Incorrect MFA method uses passcode");
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/response/CredentialsResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/CredentialsResponseTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,18 +16,11 @@
 package de.stklcode.jvault.connector.model.response;
-import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.core.JsonProcessingException;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import de.stklcode.jvault.connector.model.AbstractModelTest;
 import org.junit.jupiter.api.Test;
-import java.io.IOException;
+import static org.junit.jupiter.api.Assertions.*;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.*;
 import static org.junit.jupiter.api.Assertions.fail;
 /**
 * JUnit Test for {@link CredentialsResponse} model.
@ -35,32 +28,50 @@ import static org.junit.jupiter.api.Assertions.fail;
 * @author Stefan Kalscheuer
 * @since 0.8
 */
-class CredentialsResponseTest {
+class CredentialsResponseTest extends AbstractModelTest<CredentialsResponse> {
    private static final Map<String, Object> DATA = new HashMap<>();
    private static final String VAL_USER = "testUserName";
    private static final String VAL_PASS = "5up3r5ecr3tP455";
    private static final String JSON = "{\n" +
            "    \"request_id\": \"68315073-6658-e3ff-2da7-67939fb91bbd\",\n" +
            "    \"lease_id\": \"\",\n" +
            "    \"lease_duration\": 2764800,\n" +
            "    \"renewable\": false,\n" +
            "    \"data\": {\n" +
            "        \"username\": \"" + VAL_USER + "\",\n" +
            "        \"password\": \"" + VAL_PASS + "\"\n" +
            "    },\n" +
            "    \"warnings\": null\n" +
            "}";
-    static {
+    CredentialsResponseTest() {
-        DATA.put("username", VAL_USER);
+        super(CredentialsResponse.class);
-        DATA.put("password", VAL_PASS);
+    }
    @Override
    protected CredentialsResponse createFull() {
        try {
            return objectMapper.readValue(JSON, CredentialsResponse.class);
        } catch (JsonProcessingException e) {
            fail("Creation of full model instance failed", e);
            return null;
        }
    }
    /**
     * Test getter, setter and get-methods for response data.
     *
     * @throws InvalidResponseException Should not occur
     */
    @Test
-    @SuppressWarnings("unchecked")
+    void getCredentialsTest() {
    void getCredentialsTest() throws InvalidResponseException {
        // Create empty Object.
        CredentialsResponse res = new CredentialsResponse();
-        assertThat("Username not present in data map should not return anything", res.getUsername(), is(nullValue()));
+        assertNull(res.getUsername(), "Username not present in data map should not return anything");
-        assertThat("Password not present in data map should not return anything", res.getPassword(), is(nullValue()));
+        assertNull(res.getPassword(), "Password not present in data map should not return anything");
-        // Fill data map.
+        res = assertDoesNotThrow(
-        res.setData(DATA);
+                () -> objectMapper.readValue(JSON, CredentialsResponse.class),
-        assertThat("Incorrect username", res.getUsername(), is(VAL_USER));
+                "Deserialization of CredentialsResponse failed"
-        assertThat("Incorrect password", res.getPassword(), is(VAL_PASS));
+        );
        assertEquals(VAL_USER, res.getUsername(), "Incorrect username");
        assertEquals(VAL_PASS, res.getPassword(), "Incorrect password");
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/response/ErrorResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/ErrorResponseTest.java
@ -0,0 +1,88 @@
 /*
 * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import de.stklcode.jvault.connector.model.AbstractModelTest;
 import org.junit.jupiter.api.Test;
 import java.util.List;
 import static org.junit.jupiter.api.Assertions.*;
 /**
 * JUnit Test for {@link ErrorResponse} model.
 *
 * @author Stefan Kalscheuer
 */
 class ErrorResponseTest extends AbstractModelTest<ErrorResponse> {
    private static final String ERROR_1 = "Error #1";
    private static final String ERROR_2 = "Error #2";
    private static final String JSON = "{\"errors\":[\"" + ERROR_1 + "\",\"" + ERROR_2 + "\"]}";
    private static final String JSON_EMPTY = "{\"errors\":[]}";
    ErrorResponseTest() {
        super(ErrorResponse.class);
    }
    @Override
    protected ErrorResponse createFull() {
        try {
            return objectMapper.readValue(JSON, ErrorResponse.class);
        } catch (JsonProcessingException e) {
            fail("Creation of full model instance failed", e);
            return null;
        }
    }
    /**
     * Test creation from JSON value as returned by Vault.
     */
    @Test
    void jsonRoundtrip() {
        ErrorResponse res = assertDoesNotThrow(
                () -> objectMapper.readValue(JSON, ErrorResponse.class),
                "ErrorResponse deserialization failed"
        );
        assertNotNull(res, "Parsed response is NULL");
        assertEquals(List.of(ERROR_1, ERROR_2), res.getErrors(), "Unexpected error messages");
        assertEquals(
                JSON,
                assertDoesNotThrow(() -> objectMapper.writeValueAsString(res), "ErrorResponse serialization failed"),
                "Unexpected JSON string after serialization"
        );
    }
    @Test
    void testToString() {
        ErrorResponse res = assertDoesNotThrow(
                () -> objectMapper.readValue(JSON, ErrorResponse.class),
                "ErrorResponse deserialization failed"
        );
        assertEquals(ERROR_1, res.toString());
        res = assertDoesNotThrow(
                () -> objectMapper.readValue(JSON_EMPTY, ErrorResponse.class),
                "ErrorResponse deserialization failed with empty list"
        );
        assertEquals("error response", res.toString());
        assertEquals("error response", new ErrorResponse().toString());
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/response/HealthResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/HealthResponseTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,13 +16,11 @@
 package de.stklcode.jvault.connector.model.response;
-import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.core.JsonProcessingException;
 import de.stklcode.jvault.connector.model.AbstractModelTest;
 import org.junit.jupiter.api.Test;
-import static org.hamcrest.CoreMatchers.is;
+import static org.junit.jupiter.api.Assertions.*;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.notNullValue;
 import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 /**
 * JUnit Test for {@link AuthResponse} model.
@ -30,10 +28,10 @@ import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 * @author Stefan Kalscheuer
 * @since 0.7.0
 */
-class HealthResponseTest {
+class HealthResponseTest extends AbstractModelTest<HealthResponse> {
    private static final String CLUSTER_ID = "c9abceea-4f46-4dab-a688-5ce55f89e228";
    private static final String CLUSTER_NAME = "vault-cluster-5515c810";
-    private static final String VERSION = "0.9.2";
+    private static final String VERSION = "0.17.0";
    private static final Long SERVER_TIME_UTC = 1469555798L;
    private static final Boolean STANDBY = false;
    private static final Boolean SEALED = false;
@ -41,6 +39,10 @@ class HealthResponseTest {
    private static final Boolean PERF_STANDBY = false;
    private static final String REPL_PERF_MODE = "disabled";
    private static final String REPL_DR_MODE = "disabled";
    private static final Long ECHO_DURATION = 1L;
    private static final Long CLOCK_SKEW = 0L;
    private static final Long REPL_PRIM_CANARY_AGE = 2L;
    private static final Boolean ENTERPRISE = false;
    private static final String RES_JSON = "{\n" +
            "  \"cluster_id\": \"" + CLUSTER_ID + "\",\n" +
@ -50,30 +52,52 @@ class HealthResponseTest {
            "  \"standby\": " + STANDBY + ",\n" +
            "  \"sealed\": " + SEALED + ",\n" +
            "  \"initialized\": " + INITIALIZED + ",\n" +
-            "  \"replication_perf_mode\": \"" + REPL_PERF_MODE + "\",\n" +
+            "  \"replication_performance_mode\": \"" + REPL_PERF_MODE + "\",\n" +
            "  \"replication_dr_mode\": \"" + REPL_DR_MODE + "\",\n" +
-            "  \"performance_standby\": " + PERF_STANDBY + "\n" +
+            "  \"performance_standby\": " + PERF_STANDBY + ",\n" +
            "  \"echo_duration_ms\": " + ECHO_DURATION + ",\n" +
            "  \"clock_skew_ms\": " + CLOCK_SKEW + ",\n" +
            "  \"replication_primary_canary_age_ms\": " + REPL_PRIM_CANARY_AGE + ",\n" +
            "  \"enterprise\": " + ENTERPRISE + "\n" +
            "}";
    HealthResponseTest() {
        super(HealthResponse.class);
    }
    @Override
    protected HealthResponse createFull() {
        try {
            return objectMapper.readValue(RES_JSON, HealthResponse.class);
        } catch (JsonProcessingException e) {
            fail("Creation of full model instance failed", e);
            return null;
        }
    }
    /**
     * Test creation from JSON value as returned by Vault (JSON example copied from Vault documentation).
     */
    @Test
    void jsonRoundtrip() {
        HealthResponse res = assertDoesNotThrow(
-                () -> new ObjectMapper().readValue(RES_JSON, HealthResponse.class),
+                () -> objectMapper.readValue(RES_JSON, HealthResponse.class),
-                "Health deserialization failed."
+                "Health deserialization failed"
        );
-        assertThat("Parsed response is NULL", res, is(notNullValue()));
+        assertNotNull(res, "Parsed response is NULL");
-        assertThat("Incorrect cluster ID", res.getClusterID(), is(CLUSTER_ID));
+        assertEquals(CLUSTER_ID, res.getClusterID(), "Incorrect cluster ID");
-        assertThat("Incorrect cluster name", res.getClusterName(), is(CLUSTER_NAME));
+        assertEquals(CLUSTER_NAME, res.getClusterName(), "Incorrect cluster name");
-        assertThat("Incorrect version", res.getVersion(), is(VERSION));
+        assertEquals(VERSION, res.getVersion(), "Incorrect version");
-        assertThat("Incorrect server time", res.getServerTimeUTC(), is(SERVER_TIME_UTC));
+        assertEquals(SERVER_TIME_UTC, res.getServerTimeUTC(), "Incorrect server time");
-        assertThat("Incorrect standby state", res.isStandby(), is(STANDBY));
+        assertEquals(STANDBY, res.isStandby(), "Incorrect standby state");
-        assertThat("Incorrect seal state", res.isSealed(), is(SEALED));
+        assertEquals(SEALED, res.isSealed(), "Incorrect seal state");
-        assertThat("Incorrect initialization state", res.isInitialized(), is(INITIALIZED));
+        assertEquals(INITIALIZED, res.isInitialized(), "Incorrect initialization state");
-        assertThat("Incorrect performance standby state", res.isPerformanceStandby(), is(PERF_STANDBY));
+        assertEquals(PERF_STANDBY, res.isPerformanceStandby(), "Incorrect performance standby state");
-        assertThat("Incorrect replication perf mode", res.getReplicationPerfMode(), is(REPL_PERF_MODE));
+        assertEquals(REPL_PERF_MODE, res.getReplicationPerfMode(), "Incorrect replication perf mode");
-        assertThat("Incorrect replication DR mode", res.getReplicationDrMode(), is(REPL_DR_MODE));
+        assertEquals(REPL_DR_MODE, res.getReplicationDrMode(), "Incorrect replication DR mode");
        assertEquals(ECHO_DURATION, res.getEchoDurationMs(), "Incorrect echo duration");
        assertEquals(CLOCK_SKEW, res.getClockSkewMs(), "Incorrect clock skew");
        assertEquals(REPL_PRIM_CANARY_AGE, res.getReplicationPrimaryCanaryAgeMs(), "Incorrect canary age");
        assertEquals(ENTERPRISE, res.isEnterprise(), "Incorrect enterprise flag");
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/response/HelpResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/HelpResponseTest.java
@ -0,0 +1,66 @@
 /*
 * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import de.stklcode.jvault.connector.model.AbstractModelTest;
 import org.junit.jupiter.api.Test;
 import static org.junit.jupiter.api.Assertions.*;
 /**
 * JUnit Test for {@link HelpResponse} model.
 *
 * @author Stefan Kalscheuer
 */
 class HelpResponseTest extends AbstractModelTest<HelpResponse> {
    private static final String HELP = "Help Text.";
    private static final String JSON = "{\"help\":\"" + HELP + "\"}";
    HelpResponseTest() {
        super(HelpResponse.class);
    }
    @Override
    protected HelpResponse createFull() {
        try {
            return objectMapper.readValue(JSON, HelpResponse.class);
        } catch (JsonProcessingException e) {
            fail("Creation of full model instance failed", e);
            return null;
        }
    }
    /**
     * Test creation from JSON value as returned by Vault.
     */
    @Test
    void jsonRoundtrip() {
        HelpResponse res = assertDoesNotThrow(
                () -> objectMapper.readValue(JSON, HelpResponse.class),
                "HelpResponse deserialization failed"
        );
        assertNotNull(res, "Parsed response is NULL");
        assertEquals(HELP, res.getHelp(), "Unexpected help text");
        assertEquals(
                JSON,
                assertDoesNotThrow(() -> objectMapper.writeValueAsString(res), "HelpResponse serialization failed"),
                "Unexpected JSON string after serialization"
        );
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/response/MetaSecretResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/MetaSecretResponseTest.java
@ -0,0 +1,148 @@
 /*
 * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import de.stklcode.jvault.connector.model.AbstractModelTest;
 import org.junit.jupiter.api.Test;
 import java.util.List;
 import java.util.Map;
 import static org.junit.jupiter.api.Assertions.*;
 /**
 * JUnit Test for {@link MetaSecretResponse} model.
 *
 * @author Stefan Kalscheuer
 * @since 0.6.2
 */
 class MetaSecretResponseTest extends AbstractModelTest<MetaSecretResponse> {
    private static final String SECRET_REQUEST_ID = "68315073-6658-e3ff-2da7-67939fb91bbd";
    private static final String SECRET_LEASE_ID = "";
    private static final Integer SECRET_LEASE_DURATION = 2764800;
    private static final boolean SECRET_RENEWABLE = false;
    private static final String SECRET_DATA_K1 = "excited";
    private static final String SECRET_DATA_V1 = "yes";
    private static final String SECRET_DATA_K2 = "value";
    private static final String SECRET_DATA_V2 = "world";
    private static final String SECRET_META_CREATED = "2018-03-22T02:24:06.945319214Z";
    private static final String SECRET_META_DELETED = "2018-03-23T03:25:07.056420325Z";
    private static final List<String> SECRET_WARNINGS = null;
    private static final String CUSTOM_META_KEY = "foo";
    private static final String CUSTOM_META_VAL = "bar";
    private static final String SECRET_JSON_V2 = "{\n" +
            "    \"request_id\": \"" + SECRET_REQUEST_ID + "\",\n" +
            "    \"lease_id\": \"" + SECRET_LEASE_ID + "\",\n" +
            "    \"lease_duration\": " + SECRET_LEASE_DURATION + ",\n" +
            "    \"renewable\": " + SECRET_RENEWABLE + ",\n" +
            "    \"data\": {\n" +
            "      \"data\": {\n" +
            "          \"" + SECRET_DATA_K1 + "\": \"" + SECRET_DATA_V1 + "\",\n" +
            "          \"" + SECRET_DATA_K2 + "\": \"" + SECRET_DATA_V2 + "\"\n" +
            "      },\n" +
            "      \"metadata\": {\n" +
            "          \"created_time\": \"" + SECRET_META_CREATED + "\",\n" +
            "          \"custom_metadata\": null,\n" +
            "          \"deletion_time\": \"\",\n" +
            "          \"destroyed\": false,\n" +
            "          \"version\": 1\n" +
            "      }\n" +
            "    },\n" +
            "    \"warnings\": " + SECRET_WARNINGS + "\n" +
            "}";
    private static final String SECRET_JSON_V2_2 = "{\n" +
            "    \"request_id\": \"" + SECRET_REQUEST_ID + "\",\n" +
            "    \"lease_id\": \"" + SECRET_LEASE_ID + "\",\n" +
            "    \"lease_duration\": " + SECRET_LEASE_DURATION + ",\n" +
            "    \"renewable\": " + SECRET_RENEWABLE + ",\n" +
            "    \"data\": {\n" +
            "      \"data\": {\n" +
            "          \"" + SECRET_DATA_K1 + "\": \"" + SECRET_DATA_V1 + "\",\n" +
            "          \"" + SECRET_DATA_K2 + "\": \"" + SECRET_DATA_V2 + "\"\n" +
            "      },\n" +
            "      \"metadata\": {\n" +
            "          \"created_time\": \"" + SECRET_META_CREATED + "\",\n" +
            "          \"custom_metadata\": {" +
            "            \"" + CUSTOM_META_KEY + "\": \"" + CUSTOM_META_VAL + "\"" +
            "          },\n" +
            "          \"deletion_time\": \"" + SECRET_META_DELETED + "\",\n" +
            "          \"destroyed\": true,\n" +
            "          \"version\": 2\n" +
            "      }\n" +
            "    },\n" +
            "    \"warnings\": " + SECRET_WARNINGS + "\n" +
            "}";
    MetaSecretResponseTest() {
        super(MetaSecretResponse.class);
    }
    @Override
    protected MetaSecretResponse createFull() {
        try {
            return objectMapper.readValue(SECRET_JSON_V2, MetaSecretResponse.class);
        } catch (JsonProcessingException e) {
            fail("Creation of full model instance failed", e);
            return null;
        }
    }
    /**
     * Test creation from JSON value as returned by Vault (JSON example copied from Vault documentation).
     */
    @Test
    void jsonRoundtrip() {
        // KV v2 secret.
        MetaSecretResponse res = assertDoesNotThrow(
                () -> objectMapper.readValue(SECRET_JSON_V2, MetaSecretResponse.class),
                "SecretResponse deserialization failed"
        );
        assertSecretData(res);
        assertNotNull(res.getMetadata(), "SecretResponse does not contain metadata");
        assertNotNull(res.getMetadata().getCreatedTime(), "Creation date parsing failed");
        assertNull(res.getMetadata().getDeletionTime(), "Incorrect deletion date");
        assertFalse(res.getMetadata().isDestroyed(), "Secret destroyed when not expected");
        assertEquals(1, res.getMetadata().getVersion(), "Incorrect secret version");
        assertNull(res.getMetadata().getCustomMetadata(), "Incorrect custom metadata");
        // Deleted KV v2 secret.
        res = assertDoesNotThrow(
                () -> objectMapper.readValue(SECRET_JSON_V2_2, MetaSecretResponse.class),
                "SecretResponse deserialization failed"
        );
        assertSecretData(res);
        assertNotNull(res.getMetadata(), "SecretResponse does not contain metadata");
        assertNotNull(res.getMetadata().getCreatedTime(), "Creation date parsing failed");
        assertNotNull(res.getMetadata().getDeletionTime(), "Incorrect deletion date");
        assertTrue(res.getMetadata().isDestroyed(), "Secret destroyed when not expected");
        assertEquals(2, res.getMetadata().getVersion(), "Incorrect secret version");
        assertEquals(Map.of(CUSTOM_META_KEY, CUSTOM_META_VAL), res.getMetadata().getCustomMetadata(), "Incorrect custom metadata");
    }
    private void assertSecretData(SecretResponse res) {
        assertNotNull(res, "Parsed response is NULL");
        assertEquals(SECRET_REQUEST_ID, res.getRequestId(), "Incorrect request ID");
        assertEquals(SECRET_LEASE_ID, res.getLeaseId(), "Incorrect lease ID");
        assertEquals(SECRET_LEASE_DURATION, res.getLeaseDuration(), "Incorrect lease duration");
        assertEquals(SECRET_RENEWABLE, res.isRenewable(), "Incorrect renewable status");
        assertEquals(SECRET_WARNINGS, res.getWarnings(), "Incorrect warnings");
        assertEquals(SECRET_DATA_V1, res.get(SECRET_DATA_K1), "Response does not contain correct data");
        assertEquals(SECRET_DATA_V2, res.get(SECRET_DATA_K2), "Response does not contain correct data");
    }
 }
--- a/Show More
+++ b/Show More
		`@ -0,0 +1,2 @@`
							`distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.9/apache-maven-3.9.9-bin.zip`
							`wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar`