docs: update version and features in README

test: use WireMockTest annotation
test: update wiremock to 3.13.0
2025-04-24 18:36:36 +02:00 · 2025-04-24 18:30:32 +02:00 · 2025-04-24 18:30:04 +02:00 · 2025-04-13 12:25:18 +02:00 · 2025-04-13 11:25:49 +02:00 · 2025-04-13 10:49:42 +02:00
124 changed files with 7813 additions and 5965 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -1,39 +0,0 @@
-kind: pipeline
-name: default
-
-steps:
-  - name: compile
-    image: maven:3-jdk-11
-    commands:
-      - mvn -B clean compile
-    when:
-      branch:
-        - master
-        - develop
-        - feature/*
-        - fix/*
-        - release/*
-  - name: unit-tests
-    image: maven:3-jdk-11
-    commands:
-      - mvn -B resources:testResources compiler:testCompile surefire:test -P offline-tests
-    when:
-      branch:
-        - develop
-        - feature/*
-        - fix/*
-  - name: unit-integration-tests
-    image: maven:3-jdk-11
-    environment:
-      VAULT_VERSION: 1.7.0
-    commands:
-      - curl -s -o vault_1.7.0_linux_amd64.zip https://releases.hashicorp.com/vault/1.7.0/vault_1.7.0_linux_amd64.zip
-      - curl -s https://releases.hashicorp.com/vault/1.7.0/vault_1.7.0_SHA256SUMS | grep linux_amd64 | sha256sum -c
-      - unzip vault_1.7.0_linux_amd64.zip
-      - rm vault_1.7.0_linux_amd64.zip
-      - mv vault /bin/
-      - mvn -B resources:testResources compiler:testCompile surefire:test
-    when:
-      branch:
-        - master
-        - release/*
--- a/.editorconfig
+++ b/.editorconfig
@ -0,0 +1,14 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 4
+indent_style = space
+insert_final_newline = true
+max_line_length = 120
+tab_width = 4
+trim_trailing_whitespace = true
+
+[{*.yaml,*.yml}]
+indent_size = 2
--- a/.github/workflows/ci-it.yml
+++ b/.github/workflows/ci-it.yml
@ -0,0 +1,56 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - 'main'
+  pull_request:
+    branches:
+      - 'main'
+
+jobs:
+  build-with-it:
+    if: github.ref_name == 'main' || github.base_ref == 'main' || startsWith(github.ref_name, 'release/')
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        jdk: [ 11, 17, 21 ]
+        vault: [ '1.2.0', '1.19.0' ]
+        include:
+          - jdk: 21
+            vault: '1.19.0'
+            analysis: true
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Set up Java
+        uses: actions/setup-java@v4
+        with:
+          java-version: ${{ matrix.jdk }}
+          distribution: 'temurin'
+      - name: Compile
+        run: ./mvnw -B clean compile
+      - name: Set up Vault
+        run: |
+          wget -q "https://releases.hashicorp.com/vault/${{ matrix.vault }}/vault_${{ matrix.vault }}_linux_amd64.zip"
+          wget -q -O - "https://releases.hashicorp.com/vault/${{ matrix.vault }}/vault_${{ matrix.vault }}_SHA256SUMS" | grep linux_amd64 | sha256sum -c
+          tmp="$(mktemp -d)"
+          unzip "vault_${{ matrix.vault }}_linux_amd64.zip" -d "$tmp"
+          rm "vault_${{ matrix.vault }}_linux_amd64.zip"
+          sudo mv "$tmp/vault" /usr/bin/vault
+          rm -rf "$tmp"
+      - name: Test (Unit & Integration)
+        env:
+          VAULT_VERSION: ${{ matrix.vault }}
+        run: ./mvnw -B -P coverage -P integration-test verify
+      - name: Analysis
+        if: matrix.analysis && env.SONAR_TOKEN != ''
+        run: >
+          ./mvnw -B sonar:sonar
+          -Dsonar.host.url=https://sonarcloud.io
+          -Dsonar.organization=stklcode-github
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -0,0 +1,44 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - '**'
+      - '!main'
+  pull_request:
+    branches:
+      - '**'
+      - '!main'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        jdk: [ 11, 17, 21 ]
+        include:
+          - jdk: 21
+            analysis: true
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Set up Java
+        uses: actions/setup-java@v4
+        with:
+          java-version: ${{ matrix.jdk }}
+          distribution: 'temurin'
+      - name: Compile
+        run: ./mvnw -B clean compile
+      - name: Test (Unit)
+        run: ./mvnw -B -P coverage verify
+      - name: Analysis
+        if: matrix.analysis && env.SONAR_TOKEN != ''
+        run: >
+          ./mvnw -B sonar:sonar
+          -Dsonar.host.url=https://sonarcloud.io
+          -Dsonar.organization=stklcode-github
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
--- a/.gitignore
+++ b/.gitignore
@ -1,5 +1,17 @@
-/target/
-/*.iml
-/.idea/
-/*.project
+target/
+pom.xml.tag
+pom.xml.releaseBackup
+pom.xml.versionsBackup
+pom.xml.next
+release.properties
+dependency-reduced-pom.xml
+buildNumber.properties
+.mvn/timing.properties
+.mvn/wrapper/maven-wrapper.jar
+
+.idea
+*.iml
+
+.bin
+
 *~
--- a/.mvn/wrapper/maven-wrapper.properties
+++ b/.mvn/wrapper/maven-wrapper.properties
@ -0,0 +1,2 @@
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.9/apache-maven-3.9.9-bin.zip
+wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar
--- a/.travis.yml
+++ b/.travis.yml
@ -1,47 +0,0 @@
-language: java
-install: true
-addons:
-  sonarcloud:
-    organization: "stklcode-github"
-    token:
-      secure: "sM9OfX5jW764pn9cb2LSXArnXucKMws+eGeg5NnZxHRcGYt4hpBKLSregBSsBNzUoWVj0zNzPCpnh+UQvgxQzUerOqwEdjTBpy3SNPaxSn7UpoSg+Wz3aUmL9ugmx01b51/wMG4UCHEwTZt2tpgTPVtw8K6uSO78e0dSICCBHDnRcdQwOjMEQHIJJ/qHVRwuy/MzLCAP3W1JPZlsphZg9QsFyhB4hW97dE90joZezfocQIv2xI/r6k+BLz0pY6MxYCul0RiDumaiaej0CPvEJI/uSu//BAQjUdHw+mQgnKUYIbrn2ONOviwNfwdr94JyoZEN2B6zASUmNLjPf4AbIojDeyS+CrpQpm17EVm/Qk/Ds+Xra4PPPIcsZhiWzV0KoDUz9xLfXuRJ526VT5tDPiaeI7oETf0+8l+JIS1b399FyqHi7smzjpvC6GuKflQrbuHK4MuKzDh7WTHiqokGG4SS0wOQIaaHB3dfdwwQzPh6IM24e8CETxh3DjMeqUTU4DWmv5po55jZ934TtxVQvVN78bTG9O0zS9u+JmRY04OZ+OaXuFam6MfMUFQi0EPZzdGul/oWSibGUu3bNfVEBp60CnJwYNM/dKG6U7pJthLHvSwiQFOdKzHZ+l1jZJ4gPaXaIGqpwqVGr28ntqA/El1rytPixr2driE6bYMt5jw="
-
-env:
-  - PATH=$PATH:. VAULT_VERSION=1.7.0 ANALYSIS=false
-
-cache:
-  directories:
-    - '$HOME/.m2/repository'
-    - '$HOME/.sonar/cache'
-
-jobs:
-  include:
-    - jdk: openjdk8
-    - jdk: openjdk11
-      env: PATH=$PATH:. VAULT_VERSION=1.7.0 ANALYSIS=true
-    - jdk: openjdk16
-
-before_script:
-  - |
-    if [[ "$TRAVIS_BRANCH" =~ ^master|(release\/.+)$ ]]; then
-      wget -q https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip
-      wget -q -O - https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS | grep linux_amd64 | sha256sum -c
-      unzip vault_${VAULT_VERSION}_linux_amd64.zip
-      rm vault_${VAULT_VERSION}_linux_amd64.zip
-    fi
-
-script:
-  - mvn -B clean compile
-  - |
-    if [[ "$TRAVIS_BRANCH" =~ ^master|(release\/.+)$ ]]; then
-      mvn -B resources:testResources compiler:testCompile surefire:test -P coverage
-    else
-      mvn -B resources:testResources compiler:testCompile surefire:test -P coverage -P offline-tests
-    fi
-
-after_success:
-  - if [ "$ANALYSIS" == "true" ]; then mvn sonar:sonar; fi
-
-notifications:
-  slack:
-    secure: "YyE5GePOLkCVTtCy8j507BRmQrtrWhtvmUt4kY0Z2/ptf0LzfuDEJQ4ZbCxO5ri5IDJrrvyPAedjft818+bMzdFfxvi1oviIL+LZNhyev8gfeIBF/U2pvSLGKCRX4g4aZ6NKN3Untjdm8lmiVTltOyZ59JizQVwXzAl3LiOpnJugyBqbhOx4EIqBzwW3gaYAofMqY2LczW5W/M+99HJCst8Mb8H06GstCPEHCizAq7VRaUS68PstlxQMV0Q6bsSYMLFbLWmhuXs96WHqOrT+nNsl07ikr3N8c4HafhFutt2Jyc1+8gXO417+eSvVM0iBpHGwTmfGFfCqx/4Pf62DTJuvh8dR4fLgLDiqEeDrBEcRRDOs9cvXVOO22NN1HuBBJY8VRiFcwNAvuVMXCtnC+1RJRAZB2zubsANiFe+ygk/ywj37cVXY+NpqlBwcSph6jPHo2hD6cIl2rTWn1EnZH519Rh38xTSv6MRzAO9kWNVrAlX+UtvYS8Sk7Owrc0tET9Lc4zj6aI5tsA1wYbN3Jk6EbMhsF6K/XF2npt2qg09pxkj8wmxoUoR6/rGuSv55aSxTdLDmH+en4ahEm3uc4h1lYoVCk0yrZoTAas3zS4WpBCKnl+mweuKNxaejyy0Wv6NR9ZCTaS3yFgibNOjvDpxZxTAPdNBL7hn+k4LwgN4="
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,227 @@
+## 1.5.0 (2025-04-13)
+
+### Deprecations
+* `read...Credentials()` methods for specific database mounts (#92)
+
+### Features
+* Support Vault transit API (#89)
+* Support PEM certificate string from `VAULT_CACERT` environment variable (#93)
+
+### Improvements
+* Replace deprecated `java.net.URL` usage with `java.net.URI` (#94)
+
+### Fix
+* Fix initialization from environment without explicit port
+
+### Dependencies
+* Updated Jackson to 2.18.3 (#90)
+
+### Test
+* Tested against Vault 1.2 to 1.19
+
+
+## 1.4.0 (2024-12-07)
+
+### Removal
+* Remove deprecated `get...TimeString()` on model classes (#77)
+* Drop support for deprecated `App-ID` auth backend (#61) (#78)
+
+### Fix
+* Add jackson-annotations requirement to module-info (#84)
+
+### Dependencies
+* Updated Jackson to 2.18.2 (#85)
+
+### Test
+* Tested against Vault 1.2 to 1.18
+
+
+## 1.3.1 (2024-10-03)
+
+### Dependencies
+* Updated Jackson to 2.18.0 (#80)
+
+### Fix
+* Remove `Automatic-Module-Name` from JAR manifest (#79)
+
+
+## 1.3.0 (2024-06-29)
+
+### Improvements
+* Simplify JSON parsing in error handler
+* Add new fields from Vault 1.16 and 1.17 to `HealthResponse`
+  * `echo_duration_ms`
+  * `clock_skew_ms`
+  * `replication_primary_canary_age_ms`
+  * `enterprise`
+* Add missing `num_uses` field to `AuthData`
+* Add `mount_type` attribute to common response model
+* Add `auth` attribute to common response model
+* Add `custom_metadata`, `cas_required` and `delete_version_after` fields for KVv2 metadata
+* Generate and attach CycloneDX SBOM
+
+### Fix
+* Rename `enable_local_secret_id` to `local_secret_ids` in `AppRole` model
+
+### Dependencies
+* Updated Jackson to 2.17.1
+
+### Test
+* Tested against Vault 1.2 to 1.17
+
+
+## 1.2.0 (2023-12-11)
+
+### Deprecations
+* `get...TimeString()` methods on various model classes are now deprecated
+
+### Improvements
+* Parse timestamps as `ZonedDateTime` instead of `String` representation
+* Remove redundant `java.base` requirement from _module-info.java_ (#69)
+* Close Java HTTP Client when running on Java 21 or later (#70)
+* Add MFA requirements tu `AuthResponse` (#71)
+* Extend `AuthMethod` data model (#72)
+
+### Dependencies
+* Updated Jackson to 2.16.0
+
+
+## 1.1.5 (2023-08-19)
+
+### Fix
+* Fixed JSON type conversion in `SecretResponse#get(String, Class)` (#67)
+
+### Test
+* Tested against Vault 1.2 to 1.15
+
+
+## 1.1.4 (2023-06-15)
+
+### Fix
+* Use `[+-]XX:XX` notation for timezone in date/time parsing
+
+### Improvements
+* Use explicit UTF-8 encoding for parsing responses
+
+### Dependencies
+* Updated Jackson to 2.15.2
+
+### Test
+* Tested against Vault 1.2.0 to 1.13.3
+
+
+## 1.1.3 (2023-01-31)
+
+### Deprecations
+* AppID components (deprecated since 0.4) are marked for removal with the next major release
+
+### Dependencies
+* Updated Jackson to 2.14.2
+
+### Improvements
+* Minor internal refactoring
+
+### Test
+* Tested against Vault 1.2.0 to 1.12.2
+
+
+## 1.1.2 (2022-10-26)
+
+### Dependencies
+* Updated Jackson to 2.13.4.2
+
+### Test
+* Tested against Vault 1.2.0 to 1.12.0
+* Disable AppID tests for Vault 1.12 and above (auth method removed)
+* Tested with Java 19
+
+
+## 1.1.1 (2022-08-29)
+
+### Dependencies
+* Updated Jackson to 2.13.3
+
+### Test
+* Tested against Vault 1.11.2
+* Tested with Java 18
+
+
+## 1.1.0 (2022-04-24)
+
+### Fix
+* Use `replication_performance_mode`  instead of `replication_perf_mode` in health response.
+
+### Improvements
+* Add `migration`, `recovery_seal` and `storage_type` fields to `SealReponse` model
+* Add support for `wrap_info` in data response models
+* Dependency updates
+* Model and response classes implement `Serializable` (#57)
+* Split `SercretResponse`  into `PlainSecretResponse` and `MetaSecretResponse` subclasses (common API unchanged)
+* Add missing fields to `AuthMethod` model
+* Add support for (dis)allowed policy glob patterns in `TokenRole`
+* Add request ID to data response models
+
+### Test
+* Tested against Vault 1.10.1
+
+
+## 1.0.1 (2021-11-21)
+
+### Fix
+* Make `HTTPVaultConnectorBuilder#withPort(Integer)` null-safe (#56)
+* Make system-lambda dependency test-only (#58)
+
+### Test
+* Tested against Vault 1.9.0
+
+## 1.0.0 (2021-10-02)
+
+### Breaking
+* Requires Java 11 or later
+* Builder invocation has changed, use `HTTPVaultConnector.builder()....build()`
+
+### Removal
+* Remove deprecated `VaultConnectorFactory` in favor of `VaultConnectorBuilder` with identical API
+* Remove deprecated `AppRoleBuilder` and `TokenBuilder` in favor of `AppRole.Builder` and `Token.Builder`
+* Remove deprecated `Period`, `Policy` and `Policies` methods from `AppRole` in favor of `Token`-prefixed versions
+* Remove deprecated `SecretResponse#getValue()` method, use `get("value")` instead
+* Remove deprecated convenience methods for interaction with "secret" mount
+
+### Improvements
+* Use pre-sized map objects for fixed-size payloads
+* Remove Apache HTTP Client dependency in favor of Java 11 HTTP
+* Introduce Java module descriptor
+
+### Test
+* Tested against Vault 1.8.3
+
+
+## 0.9.5 (2021-07-28)
+
+### Deprecations
+* Deprecate ` {read,write,delete}Secret()` convenience methods. Use `{read,write,delete}("secret/...")` instead (#52)
+* Deprecated builder invocation `VaultConnectorBuilder.http()` in favor of `HTTPVaultConnector.builder()` (#51)
+* Deprecated `de.stklcode.jvault.connector.builder.HTTPVaultConnectorBuilder` in favor of `de.stklcode.jvault.connector.HTTPVaultConnectorBuilder` (only package changed) (#51)
+
+Old builders will be removed in 1.0
+
+### Improvements
+* Minor dependency updates
+
+### Test
+* Tested against Vault 1.8.0
+
+## 0.9.4 (2021-06-06)
+
+### Deprecations
+* `AppRole.Builder#wit0hTokenPeriod()` is deprecated in favor of `#withTokenPeriod()` (#49)
+
+### Improvements
+* Minor dependency updates
+
+### Test
+* Tested against Vault 1.7.2
+
 ## 0.9.3 (2021-04-02)

 ### Improvements
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -0,0 +1,112 @@
+# How to contribute
+
+As for all great Open Source projects, contributions in form of bug reports and code are welcome and important to keep the project alive.
+
+In general, this project follows the [GitHub Flow](https://guides.github.com/introduction/flow/).
+Fork the project, commit your changes to your branch, open a pull request and it will probably be merged.
+However, to ensure maintainability and quality of the code, there are some guidelines you might be more or less familiar with.
+For that purpose, this document describes the important points.
+
+## Opening an Issue
+
+If you experience any issues with the library or the code, don't hesitate to file an issue.
+
+### Bug Reports
+
+Think you found a bug?
+Please clearly state what happens and describe your environment to help tracking down the issue.
+
+* Which version of the connector are you running?
+* Which version of Java (architecture and OS if relevant)?
+* Which version of Vault?
+
+### Feature Requests
+
+Missing a feature or like to have certain functionality enhanced?
+No problem, please open an issue and describe what and why you think this change is required.
+
+## Pull Requests
+
+If you want to contribute your code to solve an issue or implement a desired feature yourself, you might open a pull request.
+If the changes introduce new functionality or affect major parts of existing code, please consider opening an issue for discussion first.
+
+Extending or adapting JUnit test cases would be nice (no hard criterion though).
+
+The `main` branch also be target for most pull requests.
+However, if it features new functionality you might want to target the `develop` branch instead (see next section for details on branches).
+
+### Branches
+
+The `main` branch represents the current, more or less stable state of development.
+Please ensure your initial code is up to date with it at the time you start development.
+
+In addition, this project features a `develop` branch, which holds bleeding edge developments, not necessarily considered stable or even compatible.
+Do not expect this code to run smoothly, but you might have a look into the history to see if some work on an issue has already been started there.
+
+For fixes and features, there might be additional branches, likely prefixed by `fix/` or `feature/` followed by an issue number (if applicable) and/or a title.
+Feel free to adapt this naming scheme to your forks.
+
+### Merge Requirements
+
+To be merged into the main branch, your code has to pass the automated continuous integration tests, to ensure compatibility.
+In addition, your code has to be approved by a project member.
+
+#### What if my code fails the tests?
+
+Don't worry, you can submit your PR anyway.
+The reviewing process might help you to solve remaining issues.
+
+### Commit messages
+
+Please use speaking titles and messages for your commits, to ensure a transparent history.
+If your patch fixes an issue, reference the ID in the first line.
+If you feel like you have to _briefly_ explain your changes, do it (for long explanations and discussion, consider opening an issue or describe in the PR).
+
+**Example commit:**
+```text
+Fix nasty bug from #1337
+
+This example commit fixes the issue that some people write non-speaking commit messages like 'done magic'.
+A short description is helpful sometimes.
+```
+
+You might sign your work, although that's no must.
+
+### When will it be merged?
+
+Short answer: When it makes sense.
+
+Bugfixes should be merged in time - assuming they pass the above criteria.
+New features might be assigned to a certain milestone and as a result of this be scheduled according to the planned release cycle.
+
+## Compatibility
+
+To ensure usability for a wide range of users, please take note on the software requirements stated in the `README`.
+This includes especially Java versions and a minimum version of _Vault_.
+
+If you are unsure if your code matches these versions, the test will probably tell you.
+
+In case you think, your change is more important than maintaining backwards compatibility, please start a discussion to see,
+if we might increase the minimum version or find a workaround for legacy systems.
+
+## Build Environment
+
+All you need to start off - besides your favorite IDE and a JDK of course - is [Maven](https://maven.apache.org/).
+
+## Unit Tests
+
+The code is tested by JUnit tests.
+For standalone testing against mocked APIs the _Maven_ profile `offline-test` should be used.
+Otherwise, there is a test suite that requires an actual _Vault_ binary in the executable path to start a real server instance. 
+
+## Continuous Integration
+
+Automated tests are run using [GitHub Actions](https://github.com/features/actions) for every commit including pull requests.
+Tests usually run against the minimal supported version, all supported LTS versions and the latest version of Java.
+
+There is an automated code quality analysis pushing results to [SonarCloud](https://sonarcloud.io/dashboard?id=de.stklcode.jvault%3Ajvault-connector).
+
+## Still Open Questions?
+
+If anything is still left unanswered and you're unsure if you got it right, don't hesitate to contact a team member.
+In any case you might submit your request/issue anyway, we won't refuse good code only for formal reasons.
--- a/README.md
+++ b/README.md
@ -1,11 +1,11 @@
 # Java Vault Connector

-[![Build Status](https://travis-ci.com/stklcode/jvaultconnector.svg?branch=master)](https://travis-ci.com/stklcode/jvaultconnector)
-[![Quality Gate](https://sonarcloud.io/api/project_badges/measure?project=de.stklcode.jvault%3Ajvault-connector&metric=alert_status)](https://sonarcloud.io/dashboard?id=de.stklcode.jvault%3Ajvault-connector)
-[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](https://github.com/stklcode/jvaultconnector/blob/master/LICENSE.txt) 
-[![Maven Central](https://img.shields.io/maven-central/v/de.stklcode.jvault/jvault-connector.svg)](https://search.maven.org/#search%7Cga%7C1%7Cg%3A%22de.stklcode.jvault%22%20AND%20a%3A%22jvault-connector%22)
+[![CI](https://github.com/stklcode/jvaultconnector/actions/workflows/ci.yml/badge.svg)](https://github.com/stklcode/jvaultconnector/actions/workflows/ci.yml)
+[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=de.stklcode.jvault%3Ajvault-connector&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=de.stklcode.jvault%3Ajvault-connector)
+[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](https://github.com/stklcode/jvaultconnector/blob/main/LICENSE.txt)
+[![Maven Central Version](https://img.shields.io/maven-central/v/de.stklcode.jvault/jvault-connector)](https://central.sonatype.com/artifact/de.stklcode.jvault/jvault-connector)

-![Logo](https://raw.githubusercontent.com/stklcode/jvaultconnector/master/assets/logo.png)
+![Logo](assets/logo.png)

 Java Vault Connector is a connector library for [Vault](https://www.vaultproject.io) by [Hashicorp](https://www.hashicorp.com) written in Java. The connector allows simple usage of Vault's secret store in own applications.

@ -18,7 +18,6 @@ Java Vault Connector is a connector library for [Vault](https://www.vaultproject
    * Token
    * Username/Password
    * AppRole (register and authenticate)
-    * AppID (register and authenticate) [_deprecated_]
 * Tokens
    * Creation and lookup of tokens and token roles
    * TokenBuilder for speaking creation of complex configurations
@ -29,10 +28,11 @@ Java Vault Connector is a connector library for [Vault](https://www.vaultproject
    * Delete secrets
    * Renew/revoke leases
    * Raw secret content or JSON decoding
-    * SQL secret handling
    * KV v1 and v2 support
+    * Database secret handling
+* Transit API support
 * Connector Factory with builder pattern
-* Tested against Vault 1.7.0
+* Tested against Vault 1.2 to 1.19


 ## Maven Artifact
@ -40,7 +40,7 @@ Java Vault Connector is a connector library for [Vault](https://www.vaultproject
 <dependency>
    <groupId>de.stklcode.jvault</groupId>
    <artifactId>jvault-connector</artifactId>
-    <version>0.9.3</version>
+    <version>1.5.0</version>
 </dependency>
 ```

@ -50,21 +50,19 @@ Java Vault Connector is a connector library for [Vault](https://www.vaultproject

 ```java
 // Instantiate using builder pattern style factory (TLS enabled by default)
-VaultConnector vault = VaultConnectorBuilder.http()
+VaultConnector vault = HTTPVaultConnector.builder()
 .withHost("127.0.0.1")
 .withPort(8200)
 .withTLS()
 .build();

 // Instantiate with custom SSL context
-VaultConnector vault = VaultConnectorBuilder.http()
- .withHost("example.com")
- .withPort(8200)
+VaultConnector vault = HTTPVaultConnector.builder("https://example.com:8200/v1/")
 .withTrustedCA(Paths.get("/path/to/CA.pem"))
 .build();

 // Initialization from environment variables
-VaultConnector vault = VaultConnectorBuilder.http()
+VaultConnector vault = HTTPVaultConnector.builder()
 .fromEnv()
 .build();
 ```
@ -120,10 +118,10 @@ AppRoleSecretResponse secret = vault.createAppRoleSecret("testrole");

 ## Links

-[Project Page](http://jvault.stklcode.de)
+[Project Page](https://jvault.stklcode.de)

-[JavaDoc API](http://jvault.stklcode.de/apidocs/)
+[JavaDoc API](https://jvault.stklcode.de/apidocs/)

 ## License

-The project is licensed under [Apache License 2.0](http://www.apache.org/licenses/LICENSE-2.0).
+The project is licensed under [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0).
--- a/332
+++ b/332
@ -0,0 +1,332 @@
+#!/bin/sh
+# ----------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# ----------------------------------------------------------------------------
+
+# ----------------------------------------------------------------------------
+# Apache Maven Wrapper startup batch script, version 3.3.2
+#
+# Required ENV vars:
+# ------------------
+#   JAVA_HOME - location of a JDK home dir
+#
+# Optional ENV vars
+# -----------------
+#   MAVEN_OPTS - parameters passed to the Java VM when running Maven
+#     e.g. to debug Maven itself, use
+#       set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
+#   MAVEN_SKIP_RC - flag to disable loading of mavenrc files
+# ----------------------------------------------------------------------------
+
+if [ -z "$MAVEN_SKIP_RC" ]; then
+
+  if [ -f /usr/local/etc/mavenrc ]; then
+    . /usr/local/etc/mavenrc
+  fi
+
+  if [ -f /etc/mavenrc ]; then
+    . /etc/mavenrc
+  fi
+
+  if [ -f "$HOME/.mavenrc" ]; then
+    . "$HOME/.mavenrc"
+  fi
+
+fi
+
+# OS specific support.  $var _must_ be set to either true or false.
+cygwin=false
+darwin=false
+mingw=false
+case "$(uname)" in
+CYGWIN*) cygwin=true ;;
+MINGW*) mingw=true ;;
+Darwin*)
+  darwin=true
+  # Use /usr/libexec/java_home if available, otherwise fall back to /Library/Java/Home
+  # See https://developer.apple.com/library/mac/qa/qa1170/_index.html
+  if [ -z "$JAVA_HOME" ]; then
+    if [ -x "/usr/libexec/java_home" ]; then
+      JAVA_HOME="$(/usr/libexec/java_home)"
+      export JAVA_HOME
+    else
+      JAVA_HOME="/Library/Java/Home"
+      export JAVA_HOME
+    fi
+  fi
+  ;;
+esac
+
+if [ -z "$JAVA_HOME" ]; then
+  if [ -r /etc/gentoo-release ]; then
+    JAVA_HOME=$(java-config --jre-home)
+  fi
+fi
+
+# For Cygwin, ensure paths are in UNIX format before anything is touched
+if $cygwin; then
+  [ -n "$JAVA_HOME" ] \
+    && JAVA_HOME=$(cygpath --unix "$JAVA_HOME")
+  [ -n "$CLASSPATH" ] \
+    && CLASSPATH=$(cygpath --path --unix "$CLASSPATH")
+fi
+
+# For Mingw, ensure paths are in UNIX format before anything is touched
+if $mingw; then
+  [ -n "$JAVA_HOME" ] && [ -d "$JAVA_HOME" ] \
+    && JAVA_HOME="$(
+      cd "$JAVA_HOME" || (
+        echo "cannot cd into $JAVA_HOME." >&2
+        exit 1
+      )
+      pwd
+    )"
+fi
+
+if [ -z "$JAVA_HOME" ]; then
+  javaExecutable="$(which javac)"
+  if [ -n "$javaExecutable" ] && ! [ "$(expr "$javaExecutable" : '\([^ ]*\)')" = "no" ]; then
+    # readlink(1) is not available as standard on Solaris 10.
+    readLink=$(which readlink)
+    if [ ! "$(expr "$readLink" : '\([^ ]*\)')" = "no" ]; then
+      if $darwin; then
+        javaHome="$(dirname "$javaExecutable")"
+        javaExecutable="$(cd "$javaHome" && pwd -P)/javac"
+      else
+        javaExecutable="$(readlink -f "$javaExecutable")"
+      fi
+      javaHome="$(dirname "$javaExecutable")"
+      javaHome=$(expr "$javaHome" : '\(.*\)/bin')
+      JAVA_HOME="$javaHome"
+      export JAVA_HOME
+    fi
+  fi
+fi
+
+if [ -z "$JAVACMD" ]; then
+  if [ -n "$JAVA_HOME" ]; then
+    if [ -x "$JAVA_HOME/jre/sh/java" ]; then
+      # IBM's JDK on AIX uses strange locations for the executables
+      JAVACMD="$JAVA_HOME/jre/sh/java"
+    else
+      JAVACMD="$JAVA_HOME/bin/java"
+    fi
+  else
+    JAVACMD="$(
+      \unset -f command 2>/dev/null
+      \command -v java
+    )"
+  fi
+fi
+
+if [ ! -x "$JAVACMD" ]; then
+  echo "Error: JAVA_HOME is not defined correctly." >&2
+  echo "  We cannot execute $JAVACMD" >&2
+  exit 1
+fi
+
+if [ -z "$JAVA_HOME" ]; then
+  echo "Warning: JAVA_HOME environment variable is not set." >&2
+fi
+
+# traverses directory structure from process work directory to filesystem root
+# first directory with .mvn subdirectory is considered project base directory
+find_maven_basedir() {
+  if [ -z "$1" ]; then
+    echo "Path not specified to find_maven_basedir" >&2
+    return 1
+  fi
+
+  basedir="$1"
+  wdir="$1"
+  while [ "$wdir" != '/' ]; do
+    if [ -d "$wdir"/.mvn ]; then
+      basedir=$wdir
+      break
+    fi
+    # workaround for JBEAP-8937 (on Solaris 10/Sparc)
+    if [ -d "${wdir}" ]; then
+      wdir=$(
+        cd "$wdir/.." || exit 1
+        pwd
+      )
+    fi
+    # end of workaround
+  done
+  printf '%s' "$(
+    cd "$basedir" || exit 1
+    pwd
+  )"
+}
+
+# concatenates all lines of a file
+concat_lines() {
+  if [ -f "$1" ]; then
+    # Remove \r in case we run on Windows within Git Bash
+    # and check out the repository with auto CRLF management
+    # enabled. Otherwise, we may read lines that are delimited with
+    # \r\n and produce $'-Xarg\r' rather than -Xarg due to word
+    # splitting rules.
+    tr -s '\r\n' ' ' <"$1"
+  fi
+}
+
+log() {
+  if [ "$MVNW_VERBOSE" = true ]; then
+    printf '%s\n' "$1"
+  fi
+}
+
+BASE_DIR=$(find_maven_basedir "$(dirname "$0")")
+if [ -z "$BASE_DIR" ]; then
+  exit 1
+fi
+
+MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"}
+export MAVEN_PROJECTBASEDIR
+log "$MAVEN_PROJECTBASEDIR"
+
+##########################################################################################
+# Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
+# This allows using the maven wrapper in projects that prohibit checking in binary data.
+##########################################################################################
+wrapperJarPath="$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar"
+if [ -r "$wrapperJarPath" ]; then
+  log "Found $wrapperJarPath"
+else
+  log "Couldn't find $wrapperJarPath, downloading it ..."
+
+  if [ -n "$MVNW_REPOURL" ]; then
+    wrapperUrl="$MVNW_REPOURL/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar"
+  else
+    wrapperUrl="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar"
+  fi
+  while IFS="=" read -r key value; do
+    # Remove '\r' from value to allow usage on windows as IFS does not consider '\r' as a separator ( considers space, tab, new line ('\n'), and custom '=' )
+    safeValue=$(echo "$value" | tr -d '\r')
+    case "$key" in wrapperUrl)
+      wrapperUrl="$safeValue"
+      break
+      ;;
+    esac
+  done <"$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.properties"
+  log "Downloading from: $wrapperUrl"
+
+  if $cygwin; then
+    wrapperJarPath=$(cygpath --path --windows "$wrapperJarPath")
+  fi
+
+  if command -v wget >/dev/null; then
+    log "Found wget ... using wget"
+    [ "$MVNW_VERBOSE" = true ] && QUIET="" || QUIET="--quiet"
+    if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
+      wget $QUIET "$wrapperUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
+    else
+      wget $QUIET --http-user="$MVNW_USERNAME" --http-password="$MVNW_PASSWORD" "$wrapperUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
+    fi
+  elif command -v curl >/dev/null; then
+    log "Found curl ... using curl"
+    [ "$MVNW_VERBOSE" = true ] && QUIET="" || QUIET="--silent"
+    if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
+      curl $QUIET -o "$wrapperJarPath" "$wrapperUrl" -f -L || rm -f "$wrapperJarPath"
+    else
+      curl $QUIET --user "$MVNW_USERNAME:$MVNW_PASSWORD" -o "$wrapperJarPath" "$wrapperUrl" -f -L || rm -f "$wrapperJarPath"
+    fi
+  else
+    log "Falling back to using Java to download"
+    javaSource="$MAVEN_PROJECTBASEDIR/.mvn/wrapper/MavenWrapperDownloader.java"
+    javaClass="$MAVEN_PROJECTBASEDIR/.mvn/wrapper/MavenWrapperDownloader.class"
+    # For Cygwin, switch paths to Windows format before running javac
+    if $cygwin; then
+      javaSource=$(cygpath --path --windows "$javaSource")
+      javaClass=$(cygpath --path --windows "$javaClass")
+    fi
+    if [ -e "$javaSource" ]; then
+      if [ ! -e "$javaClass" ]; then
+        log " - Compiling MavenWrapperDownloader.java ..."
+        ("$JAVA_HOME/bin/javac" "$javaSource")
+      fi
+      if [ -e "$javaClass" ]; then
+        log " - Running MavenWrapperDownloader.java ..."
+        ("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$wrapperUrl" "$wrapperJarPath") || rm -f "$wrapperJarPath"
+      fi
+    fi
+  fi
+fi
+##########################################################################################
+# End of extension
+##########################################################################################
+
+# If specified, validate the SHA-256 sum of the Maven wrapper jar file
+wrapperSha256Sum=""
+while IFS="=" read -r key value; do
+  case "$key" in wrapperSha256Sum)
+    wrapperSha256Sum=$value
+    break
+    ;;
+  esac
+done <"$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.properties"
+if [ -n "$wrapperSha256Sum" ]; then
+  wrapperSha256Result=false
+  if command -v sha256sum >/dev/null; then
+    if echo "$wrapperSha256Sum  $wrapperJarPath" | sha256sum -c >/dev/null 2>&1; then
+      wrapperSha256Result=true
+    fi
+  elif command -v shasum >/dev/null; then
+    if echo "$wrapperSha256Sum  $wrapperJarPath" | shasum -a 256 -c >/dev/null 2>&1; then
+      wrapperSha256Result=true
+    fi
+  else
+    echo "Checksum validation was requested but neither 'sha256sum' or 'shasum' are available." >&2
+    echo "Please install either command, or disable validation by removing 'wrapperSha256Sum' from your maven-wrapper.properties." >&2
+    exit 1
+  fi
+  if [ $wrapperSha256Result = false ]; then
+    echo "Error: Failed to validate Maven wrapper SHA-256, your Maven wrapper might be compromised." >&2
+    echo "Investigate or delete $wrapperJarPath to attempt a clean download." >&2
+    echo "If you updated your Maven version, you need to update the specified wrapperSha256Sum property." >&2
+    exit 1
+  fi
+fi
+
+MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS"
+
+# For Cygwin, switch paths to Windows format before running java
+if $cygwin; then
+  [ -n "$JAVA_HOME" ] \
+    && JAVA_HOME=$(cygpath --path --windows "$JAVA_HOME")
+  [ -n "$CLASSPATH" ] \
+    && CLASSPATH=$(cygpath --path --windows "$CLASSPATH")
+  [ -n "$MAVEN_PROJECTBASEDIR" ] \
+    && MAVEN_PROJECTBASEDIR=$(cygpath --path --windows "$MAVEN_PROJECTBASEDIR")
+fi
+
+# Provide a "standardized" way to retrieve the CLI args that will
+# work with both Windows and non-Windows executions.
+MAVEN_CMD_LINE_ARGS="$MAVEN_CONFIG $*"
+export MAVEN_CMD_LINE_ARGS
+
+WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
+
+# shellcheck disable=SC2086 # safe args
+exec "$JAVACMD" \
+  $MAVEN_OPTS \
+  $MAVEN_DEBUG_OPTS \
+  -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \
+  "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \
+  ${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@"
--- a/mvnw.cmd
+++ b/mvnw.cmd
@ -0,0 +1,206 @@
+@REM ----------------------------------------------------------------------------
+@REM Licensed to the Apache Software Foundation (ASF) under one
+@REM or more contributor license agreements.  See the NOTICE file
+@REM distributed with this work for additional information
+@REM regarding copyright ownership.  The ASF licenses this file
+@REM to you under the Apache License, Version 2.0 (the
+@REM "License"); you may not use this file except in compliance
+@REM with the License.  You may obtain a copy of the License at
+@REM
+@REM    http://www.apache.org/licenses/LICENSE-2.0
+@REM
+@REM Unless required by applicable law or agreed to in writing,
+@REM software distributed under the License is distributed on an
+@REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+@REM KIND, either express or implied.  See the License for the
+@REM specific language governing permissions and limitations
+@REM under the License.
+@REM ----------------------------------------------------------------------------
+
+@REM ----------------------------------------------------------------------------
+@REM Apache Maven Wrapper startup batch script, version 3.3.2
+@REM
+@REM Required ENV vars:
+@REM JAVA_HOME - location of a JDK home dir
+@REM
+@REM Optional ENV vars
+@REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands
+@REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a keystroke before ending
+@REM MAVEN_OPTS - parameters passed to the Java VM when running Maven
+@REM     e.g. to debug Maven itself, use
+@REM set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
+@REM MAVEN_SKIP_RC - flag to disable loading of mavenrc files
+@REM ----------------------------------------------------------------------------
+
+@REM Begin all REM lines with '@' in case MAVEN_BATCH_ECHO is 'on'
+@echo off
+@REM set title of command window
+title %0
+@REM enable echoing by setting MAVEN_BATCH_ECHO to 'on'
+@if "%MAVEN_BATCH_ECHO%" == "on"  echo %MAVEN_BATCH_ECHO%
+
+@REM set %HOME% to equivalent of $HOME
+if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%")
+
+@REM Execute a user defined script before this one
+if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre
+@REM check for pre script, once with legacy .bat ending and once with .cmd ending
+if exist "%USERPROFILE%\mavenrc_pre.bat" call "%USERPROFILE%\mavenrc_pre.bat" %*
+if exist "%USERPROFILE%\mavenrc_pre.cmd" call "%USERPROFILE%\mavenrc_pre.cmd" %*
+:skipRcPre
+
+@setlocal
+
+set ERROR_CODE=0
+
+@REM To isolate internal variables from possible post scripts, we use another setlocal
+@setlocal
+
+@REM ==== START VALIDATION ====
+if not "%JAVA_HOME%" == "" goto OkJHome
+
+echo. >&2
+echo Error: JAVA_HOME not found in your environment. >&2
+echo Please set the JAVA_HOME variable in your environment to match the >&2
+echo location of your Java installation. >&2
+echo. >&2
+goto error
+
+:OkJHome
+if exist "%JAVA_HOME%\bin\java.exe" goto init
+
+echo. >&2
+echo Error: JAVA_HOME is set to an invalid directory. >&2
+echo JAVA_HOME = "%JAVA_HOME%" >&2
+echo Please set the JAVA_HOME variable in your environment to match the >&2
+echo location of your Java installation. >&2
+echo. >&2
+goto error
+
+@REM ==== END VALIDATION ====
+
+:init
+
+@REM Find the project base dir, i.e. the directory that contains the folder ".mvn".
+@REM Fallback to current working directory if not found.
+
+set MAVEN_PROJECTBASEDIR=%MAVEN_BASEDIR%
+IF NOT "%MAVEN_PROJECTBASEDIR%"=="" goto endDetectBaseDir
+
+set EXEC_DIR=%CD%
+set WDIR=%EXEC_DIR%
+:findBaseDir
+IF EXIST "%WDIR%"\.mvn goto baseDirFound
+cd ..
+IF "%WDIR%"=="%CD%" goto baseDirNotFound
+set WDIR=%CD%
+goto findBaseDir
+
+:baseDirFound
+set MAVEN_PROJECTBASEDIR=%WDIR%
+cd "%EXEC_DIR%"
+goto endDetectBaseDir
+
+:baseDirNotFound
+set MAVEN_PROJECTBASEDIR=%EXEC_DIR%
+cd "%EXEC_DIR%"
+
+:endDetectBaseDir
+
+IF NOT EXIST "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" goto endReadAdditionalConfig
+
+@setlocal EnableExtensions EnableDelayedExpansion
+for /F "usebackq delims=" %%a in ("%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config") do set JVM_CONFIG_MAVEN_PROPS=!JVM_CONFIG_MAVEN_PROPS! %%a
+@endlocal & set JVM_CONFIG_MAVEN_PROPS=%JVM_CONFIG_MAVEN_PROPS%
+
+:endReadAdditionalConfig
+
+SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe"
+set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar"
+set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
+
+set WRAPPER_URL="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar"
+
+FOR /F "usebackq tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
+    IF "%%A"=="wrapperUrl" SET WRAPPER_URL=%%B
+)
+
+@REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
+@REM This allows using the maven wrapper in projects that prohibit checking in binary data.
+if exist %WRAPPER_JAR% (
+    if "%MVNW_VERBOSE%" == "true" (
+        echo Found %WRAPPER_JAR%
+    )
+) else (
+    if not "%MVNW_REPOURL%" == "" (
+        SET WRAPPER_URL="%MVNW_REPOURL%/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar"
+    )
+    if "%MVNW_VERBOSE%" == "true" (
+        echo Couldn't find %WRAPPER_JAR%, downloading it ...
+        echo Downloading from: %WRAPPER_URL%
+    )
+
+    powershell -Command "&{"^
+		"$webclient = new-object System.Net.WebClient;"^
+		"if (-not ([string]::IsNullOrEmpty('%MVNW_USERNAME%') -and [string]::IsNullOrEmpty('%MVNW_PASSWORD%'))) {"^
+		"$webclient.Credentials = new-object System.Net.NetworkCredential('%MVNW_USERNAME%', '%MVNW_PASSWORD%');"^
+		"}"^
+		"[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $webclient.DownloadFile('%WRAPPER_URL%', '%WRAPPER_JAR%')"^
+		"}"
+    if "%MVNW_VERBOSE%" == "true" (
+        echo Finished downloading %WRAPPER_JAR%
+    )
+)
+@REM End of extension
+
+@REM If specified, validate the SHA-256 sum of the Maven wrapper jar file
+SET WRAPPER_SHA_256_SUM=""
+FOR /F "usebackq tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
+    IF "%%A"=="wrapperSha256Sum" SET WRAPPER_SHA_256_SUM=%%B
+)
+IF NOT %WRAPPER_SHA_256_SUM%=="" (
+    powershell -Command "&{"^
+       "Import-Module $PSHOME\Modules\Microsoft.PowerShell.Utility -Function Get-FileHash;"^
+       "$hash = (Get-FileHash \"%WRAPPER_JAR%\" -Algorithm SHA256).Hash.ToLower();"^
+       "If('%WRAPPER_SHA_256_SUM%' -ne $hash){"^
+       "  Write-Error 'Error: Failed to validate Maven wrapper SHA-256, your Maven wrapper might be compromised.';"^
+       "  Write-Error 'Investigate or delete %WRAPPER_JAR% to attempt a clean download.';"^
+       "  Write-Error 'If you updated your Maven version, you need to update the specified wrapperSha256Sum property.';"^
+       "  exit 1;"^
+       "}"^
+       "}"
+    if ERRORLEVEL 1 goto error
+)
+
+@REM Provide a "standardized" way to retrieve the CLI args that will
+@REM work with both Windows and non-Windows executions.
+set MAVEN_CMD_LINE_ARGS=%*
+
+%MAVEN_JAVA_EXE% ^
+  %JVM_CONFIG_MAVEN_PROPS% ^
+  %MAVEN_OPTS% ^
+  %MAVEN_DEBUG_OPTS% ^
+  -classpath %WRAPPER_JAR% ^
+  "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" ^
+  %WRAPPER_LAUNCHER% %MAVEN_CONFIG% %*
+if ERRORLEVEL 1 goto error
+goto end
+
+:error
+set ERROR_CODE=1
+
+:end
+@endlocal & set ERROR_CODE=%ERROR_CODE%
+
+if not "%MAVEN_SKIP_RC%"=="" goto skipRcPost
+@REM check for post script, once with legacy .bat ending and once with .cmd ending
+if exist "%USERPROFILE%\mavenrc_post.bat" call "%USERPROFILE%\mavenrc_post.bat"
+if exist "%USERPROFILE%\mavenrc_post.cmd" call "%USERPROFILE%\mavenrc_post.cmd"
+:skipRcPost
+
+@REM pause the script if MAVEN_BATCH_PAUSE is set to 'on'
+if "%MAVEN_BATCH_PAUSE%"=="on" pause
+
+if "%MAVEN_TERMINATE_CMD%"=="on" exit %ERROR_CODE%
+
+cmd /C exit /B %ERROR_CODE%
--- a/pom.xml
+++ b/pom.xml
@ -4,7 +4,7 @@

    <groupId>de.stklcode.jvault</groupId>
    <artifactId>jvault-connector</artifactId>
-    <version>0.9.3</version>
+    <version>1.5.1-SNAPSHOT</version>

    <packaging>jar</packaging>

@ -16,21 +16,16 @@
    <licenses>
        <license>
            <name>Apache License 2.0</name>
-            <url>http://www.apache.org/licenses/LICENSE-2.0.html</url>
+            <url>https://www.apache.org/licenses/LICENSE-2.0.html</url>
            <distribution>repo</distribution>
        </license>
    </licenses>

-    <properties>
-        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <argLine></argLine>
-    </properties>
-
    <developers>
        <developer>
            <name>Stefan Kalscheuer</name>
            <email>stefan@stklcode.de</email>
-            <timezone>+1</timezone>
+            <timezone>Europe/Berlin</timezone>
        </developer>
    </developers>

@ -38,6 +33,7 @@
        <connection>scm:git:git://github.com/stklcode/jvaultconnector.git</connection>
        <developerConnection>scm:git:git@github.com:stklcode/jvaultconnector.git</developerConnection>
        <url>https://github.com/stklcode/jvaultconnector</url>
+        <tag>HEAD</tag>
    </scm>

    <issueManagement>
@ -45,125 +41,181 @@
        <url>https://github.com/stklcode/jvaultconnector/issues</url>
    </issueManagement>

-    <build>
-        <plugins>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-compiler-plugin</artifactId>
-                <version>3.8.1</version>
-                <configuration>
-                    <source>1.8</source>
-                    <target>1.8</target>
-                </configuration>
-            </plugin>
-        </plugins>
-        <pluginManagement>
-            <plugins>
-                <plugin>
-                    <groupId>org.apache.maven.plugins</groupId>
-                    <artifactId>maven-clean-plugin</artifactId>
-                    <version>3.1.0</version>
-                </plugin>
-                <plugin>
-                    <groupId>org.apache.maven.plugins</groupId>
-                    <artifactId>maven-resources-plugin</artifactId>
-                    <version>3.2.0</version>
-                </plugin>
-                <plugin>
-                    <groupId>org.apache.maven.plugins</groupId>
-                    <artifactId>maven-jar-plugin</artifactId>
-                    <version>3.2.0</version>
-                    <configuration>
-                        <archive>
-                            <manifestEntries>
-                                <Automatic-Module-Name>de.stklcode.jvault.connector</Automatic-Module-Name>
-                            </manifestEntries>
-                        </archive>
-                    </configuration>
-                </plugin>
-                <plugin>
-                    <groupId>org.apache.maven.plugins</groupId>
-                    <artifactId>maven-install-plugin</artifactId>
-                    <version>2.5.2</version>
-                </plugin>
-                <plugin>
-                    <groupId>org.apache.maven.plugins</groupId>
-                    <artifactId>maven-deploy-plugin</artifactId>
-                    <version>2.8.2</version>
-                </plugin>
-                <plugin>
-                    <groupId>org.apache.maven.plugins</groupId>
-                    <artifactId>maven-surefire-plugin</artifactId>
-                    <version>2.22.2</version>
-                    <configuration>
-                        <reuseForks>false</reuseForks>
-                        <argLine>@{argLine} --illegal-access=permit</argLine>
-                    </configuration>
-                </plugin>
-            </plugins>
-        </pluginManagement>
-    </build>
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <argLine></argLine>
+    </properties>

    <dependencies>
-        <dependency>
-            <groupId>org.apache.httpcomponents</groupId>
-            <artifactId>httpclient</artifactId>
-            <version>4.5.13</version>
-        </dependency>
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-databind</artifactId>
-            <version>2.12.2</version>
+             <version>2.18.3</version>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.datatype</groupId>
+            <artifactId>jackson-datatype-jsr310</artifactId>
+            <version>2.18.3</version>
        </dependency>

        <dependency>
            <groupId>org.junit.jupiter</groupId>
            <artifactId>junit-jupiter</artifactId>
-            <version>5.7.1</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.hamcrest</groupId>
-            <artifactId>hamcrest</artifactId>
-            <version>2.2</version>
+            <version>5.12.1</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.mockito</groupId>
            <artifactId>mockito-core</artifactId>
-            <version>3.8.0</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.mockito</groupId>
-            <artifactId>mockito-inline</artifactId>
-            <version>3.8.0</version>
+            <version>5.17.0</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>com.github.stefanbirkner</groupId>
            <artifactId>system-lambda</artifactId>
-            <version>1.2.0</version>
+            <version>1.2.1</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.wiremock</groupId>
+            <artifactId>wiremock</artifactId>
+            <version>3.13.0</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>commons-io</groupId>
            <artifactId>commons-io</artifactId>
-            <version>2.8.0</version>
+            <version>2.19.0</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>nl.jqno.equalsverifier</groupId>
+            <artifactId>equalsverifier</artifactId>
+            <version>3.19.3</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.awaitility</groupId>
+            <artifactId>awaitility</artifactId>
+            <version>4.3.0</version>
            <scope>test</scope>
        </dependency>
    </dependencies>

-    <dependencyManagement>
-        <dependencies>
-            <dependency>
+    <build>
+        <pluginManagement>
+            <plugins>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-compiler-plugin</artifactId>
+                    <version>3.14.0</version>
+                    <configuration>
+                        <release>11</release>
+                    </configuration>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-clean-plugin</artifactId>
+                    <version>3.4.1</version>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-deploy-plugin</artifactId>
+                    <version>3.1.4</version>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-failsafe-plugin</artifactId>
+                    <version>3.5.3</version>
+                    <configuration>
+                        <argLine>
+                            @{argLine}
+                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.test=com.fasterxml.jackson.databind
+                        </argLine>
+                    </configuration>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-install-plugin</artifactId>
+                    <version>3.1.4</version>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-jar-plugin</artifactId>
+                    <version>3.4.2</version>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-resources-plugin</artifactId>
+                    <version>3.3.1</version>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-source-plugin</artifactId>
+                    <version>3.3.1</version>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-surefire-plugin</artifactId>
+                    <version>3.5.3</version>
+                    <configuration>
+                        <argLine>
+                            @{argLine}
+                            --add-opens java.base/java.util=ALL-UNNAMED
+                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector=ALL-UNNAMED
+                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.exception=ALL-UNNAMED
+                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.model=ALL-UNNAMED
+                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.model.response=ALL-UNNAMED
+                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.model.response.embedded=ALL-UNNAMED
+                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.test=com.fasterxml.jackson.databind
+                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.test=com.fasterxml.jackson.datatype.jsr310
+                        </argLine>
+                    </configuration>
+                </plugin>
+                <plugin>
+                    <groupId>org.cyclonedx</groupId>
+                    <artifactId>cyclonedx-maven-plugin</artifactId>
+                    <version>2.9.1</version>
+                </plugin>
+                <plugin>
+                    <groupId>org.jacoco</groupId>
+                    <artifactId>jacoco-maven-plugin</artifactId>
+                    <version>0.8.13</version>
+                </plugin>
+                <plugin>
                    <groupId>org.sonarsource.scanner.maven</groupId>
                    <artifactId>sonar-maven-plugin</artifactId>
-                <version>3.8.0.2131</version>
-            </dependency>
-        </dependencies>
-    </dependencyManagement>
+                    <version>5.1.0.4751</version>
+                </plugin>
+            </plugins>
+        </pluginManagement>

+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-enforcer-plugin</artifactId>
+                <version>3.5.0</version>
+                <executions>
+                    <execution>
+                        <id>enforce-versions</id>
+                        <goals>
+                            <goal>enforce</goal>
+                        </goals>
+                        <configuration>
+                            <rules>
+                                <requireMavenVersion>
+                                    <version>[3.6.3,)</version>
+                                </requireMavenVersion>
+                                <requireJavaVersion>
+                                    <version>[11,)</version>
+                                </requireJavaVersion>
+                            </rules>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>

    <profiles>
        <profile>
@ -176,7 +228,6 @@
                    <plugin>
                        <groupId>org.apache.maven.plugins</groupId>
                        <artifactId>maven-source-plugin</artifactId>
-                        <version>3.2.1</version>
                        <executions>
                            <execution>
                                <id>attach-sources</id>
@ -200,9 +251,9 @@
                    <plugin>
                        <groupId>org.apache.maven.plugins</groupId>
                        <artifactId>maven-javadoc-plugin</artifactId>
-                        <version>3.2.0</version>
+                        <version>3.11.2</version>
                        <configuration>
-                            <source>1.8</source>
+                            <source>11</source>
                        </configuration>
                        <executions>
                            <execution>
@ -217,6 +268,29 @@
            </build>
        </profile>

+        <profile>
+            <id>sbom</id>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.cyclonedx</groupId>
+                        <artifactId>cyclonedx-maven-plugin</artifactId>
+                        <executions>
+                            <execution>
+                                <phase>package</phase>
+                                <goals>
+                                    <goal>makeBom</goal>
+                                </goals>
+                                <configuration>
+                                    <skipNotDeployed>false</skipNotDeployed>
+                                </configuration>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+
        <profile>
            <id>sign</id>
            <build>
@ -224,7 +298,7 @@
                    <plugin>
                        <groupId>org.apache.maven.plugins</groupId>
                        <artifactId>maven-gpg-plugin</artifactId>
-                        <version>1.6</version>
+                        <version>3.2.7</version>
                        <executions>
                            <execution>
                                <id>sign-artifacts</id>
@ -249,17 +323,15 @@
                    <plugin>
                        <groupId>org.jacoco</groupId>
                        <artifactId>jacoco-maven-plugin</artifactId>
-                        <version>0.8.6</version>
                        <executions>
                            <execution>
-                                <id>prepare-agent</id>
+                                <id>default-prepare-agent</id>
                                <goals>
                                    <goal>prepare-agent</goal>
                                </goals>
                            </execution>
                            <execution>
-                                <id>report</id>
-                                <phase>prepare-package</phase>
+                                <id>default-report</id>
                                <goals>
                                    <goal>report</goal>
                                </goals>
@ -271,19 +343,22 @@
        </profile>

        <profile>
-            <id>offline-tests</id>
+            <id>integration-test</id>
            <build>
-                <pluginManagement>
                <plugins>
                    <plugin>
                        <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-surefire-plugin</artifactId>
-                            <configuration>
-                                <excludedGroups>online</excludedGroups>
-                            </configuration>
+                        <artifactId>maven-failsafe-plugin</artifactId>
+                        <executions>
+                            <execution>
+                                <goals>
+                                    <goal>integration-test</goal>
+                                    <goal>verify</goal>
+                                </goals>
+                            </execution>
+                        </executions>
                    </plugin>
                </plugins>
-                </pluginManagement>
            </build>
        </profile>

@ -294,7 +369,11 @@
                    <plugin>
                        <groupId>org.owasp</groupId>
                        <artifactId>dependency-check-maven</artifactId>
-                        <version>6.1.5</version>
+                        <version>12.1.1</version>
+                        <configuration>
+                            <nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>
+                            <nvdDatafeedUrl>${env.NVD_DATAFEED_URL}</nvdDatafeedUrl>
+                        </configuration>
                        <executions>
                            <execution>
                                <goals>
@ -308,39 +387,22 @@
        </profile>

        <profile>
-            <id>jdk1.8</id>
-            <activation>
-                <jdk>1.8</jdk>
-            </activation>
+            <id>central</id>
            <build>
-                <pluginManagement>
                <plugins>
                    <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-surefire-plugin</artifactId>
+                        <groupId>org.sonatype.central</groupId>
+                        <artifactId>central-publishing-maven-plugin</artifactId>
+                        <version>0.7.0</version>
+                        <extensions>true</extensions>
                        <configuration>
-                                <argLine>@{argLine}</argLine>
+                            <publishingServerId>central</publishingServerId>
                        </configuration>
                    </plugin>
                </plugins>
-                </pluginManagement>
            </build>
        </profile>

-        <profile>
-            <id>sonatype</id>
-            <distributionManagement>
-                <repository>
-                    <id>ossrh</id>
-                    <url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url>
-                </repository>
-                <snapshotRepository>
-                    <id>ossrh</id>
-                    <url>https://oss.sonatype.org/content/repositories/snapshots</url>
-                </snapshotRepository>
-            </distributionManagement>
-        </profile>
-
        <profile>
            <id>local</id>
            <distributionManagement>
--- a/src/main/java/de/stklcode/jvault/connector/HTTPVaultConnector.java
+++ b/src/main/java/de/stklcode/jvault/connector/HTTPVaultConnector.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -24,7 +24,8 @@ import de.stklcode.jvault.connector.model.*;
 import de.stklcode.jvault.connector.model.response.*;
 import de.stklcode.jvault.connector.model.response.embedded.AuthMethod;

-import java.security.cert.X509Certificate;
+import java.net.URI;
+import java.net.URISyntaxException;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@ -40,30 +41,37 @@ import static java.util.Collections.singletonMap;
 * @since 0.1
 */
 public class HTTPVaultConnector implements VaultConnector {
-    private static final String PATH_PREFIX = "/v1/";
-    private static final String PATH_SEAL_STATUS = "sys/seal-status";
-    private static final String PATH_SEAL = "sys/seal";
-    private static final String PATH_UNSEAL = "sys/unseal";
-    private static final String PATH_RENEW = "sys/leases/renew";
-    private static final String PATH_AUTH = "sys/auth";
-    private static final String PATH_TOKEN = "auth/token";
+    private static final String PATH_SYS = "sys";
+    private static final String PATH_SYS_AUTH = PATH_SYS + "/auth";
+    private static final String PATH_RENEW = PATH_SYS + "/leases/renew";
+    private static final String PATH_REVOKE = PATH_SYS + "/leases/revoke/";
+    private static final String PATH_HEALTH = PATH_SYS + "/health";
+    private static final String PATH_SEAL = PATH_SYS + "/seal";
+    private static final String PATH_SEAL_STATUS = PATH_SYS + "/seal-status";
+    private static final String PATH_UNSEAL = PATH_SYS + "/unseal";
+
+
+    private static final String PATH_AUTH = "auth";
+    private static final String PATH_AUTH_TOKEN = PATH_AUTH + "/token";
    private static final String PATH_LOOKUP = "/lookup";
    private static final String PATH_CREATE = "/create";
    private static final String PATH_ROLES = "/roles";
    private static final String PATH_CREATE_ORPHAN = "/create-orphan";
-    private static final String PATH_AUTH_USERPASS = "auth/userpass/login/";
-    private static final String PATH_AUTH_APPID = "auth/app-id/";
-    private static final String PATH_AUTH_APPROLE = "auth/approle/";
-    private static final String PATH_AUTH_APPROLE_ROLE = "auth/approle/role/%s%s";
-    private static final String PATH_REVOKE = "sys/leases/revoke/";
-    private static final String PATH_HEALTH = "sys/health";
+    private static final String PATH_AUTH_USERPASS = PATH_AUTH + "/userpass/login/";
+    private static final String PATH_AUTH_APPROLE = PATH_AUTH + "/approle";
+    private static final String PATH_AUTH_APPROLE_ROLE = PATH_AUTH_APPROLE + "/role/%s%s";
+
    private static final String PATH_DATA = "/data/";
    private static final String PATH_METADATA = "/metadata/";
+    private static final String PATH_LOGIN = "/login";
    private static final String PATH_DELETE = "/delete/";
    private static final String PATH_UNDELETE = "/undelete/";
    private static final String PATH_DESTROY = "/destroy/";

-    public static final String DEFAULT_TLS_VERSION = "TLSv1.2";
+    private static final String PATH_TRANSIT = "transit";
+    private static final String PATH_TRANSIT_ENCRYPT = PATH_TRANSIT + "/encrypt/";
+    private static final String PATH_TRANSIT_DECRYPT = PATH_TRANSIT + "/decrypt/";
+    private static final String PATH_TRANSIT_HASH = PATH_TRANSIT + "/hash/";

    private final RequestHelper request;

@ -72,148 +80,54 @@ public class HTTPVaultConnector implements VaultConnector {
    private long tokenTTL = 0;              // Expiration time for current token.

    /**
-     * Create connector using hostname and schema.
+     * Create connector using a {@link HTTPVaultConnectorBuilder}.
     *
-     * @param hostname The hostname
-     * @param useTLS   If TRUE, use HTTPS, otherwise HTTP
+     * @param builder The builder.
     */
-    public HTTPVaultConnector(final String hostname, final boolean useTLS) {
-        this(hostname, useTLS, null);
+    HTTPVaultConnector(final HTTPVaultConnectorBuilder builder) {
+        this.request = new RequestHelper(
+            ((builder.isWithTLS()) ? "https" : "http") + "://" +
+                builder.getHost() +
+                ((builder.getPort() != null) ? ":" + builder.getPort() : "") +
+                builder.getPrefix(),
+            builder.getNumberOfRetries(),
+            builder.getTimeout(),
+            builder.getTlsVersion(),
+            builder.getTrustedCA()
+        );
    }

    /**
-     * Create connector using hostname, schema and port.
+     * Get a new builder for a connector.
     *
-     * @param hostname The hostname
-     * @param useTLS   If TRUE, use HTTPS, otherwise HTTP
-     * @param port     The port
+     * @return Builder instance.
+     * @since 0.9.5
     */
-    public HTTPVaultConnector(final String hostname, final boolean useTLS, final Integer port) {
-        this(hostname, useTLS, port, PATH_PREFIX);
+    public static HTTPVaultConnectorBuilder builder() {
+        return new HTTPVaultConnectorBuilder();
    }

    /**
-     * Create connector using hostname, schema, port and path.
+     * Get a new builder for a connector.
     *
-     * @param hostname The hostname
-     * @param useTLS   If TRUE, use HTTPS, otherwise HTTP
-     * @param port     The port
-     * @param prefix   HTTP API prefix (default: /v1/)
+     * @param baseURL Base URL.
+     * @return Builder instance.
+     * @throws URISyntaxException Invalid URI syntax.
+     * @since 1.0
     */
-    public HTTPVaultConnector(final String hostname, final boolean useTLS, final Integer port, final String prefix) {
-        this(((useTLS) ? "https" : "http")
-                + "://" + hostname
-                + ((port != null) ? ":" + port : "")
-                + prefix);
+    public static HTTPVaultConnectorBuilder builder(String baseURL) throws URISyntaxException {
+        return new HTTPVaultConnectorBuilder().withBaseURL(baseURL);
    }

    /**
-     * Create connector using hostname, schema, port, path and trusted certificate.
+     * Get a new builder for a connector.
     *
-     * @param hostname      The hostname
-     * @param useTLS        If TRUE, use HTTPS, otherwise HTTP
-     * @param port          The port
-     * @param prefix        HTTP API prefix (default: /v1/)
-     * @param trustedCaCert Trusted CA certificate
+     * @param baseURL Base URL.
+     * @return Builder instance.
+     * @since 1.0
     */
-    public HTTPVaultConnector(final String hostname,
-                              final boolean useTLS,
-                              final Integer port,
-                              final String prefix,
-                              final X509Certificate trustedCaCert) {
-        this(hostname, useTLS, DEFAULT_TLS_VERSION, port, prefix, trustedCaCert, 0, null);
-    }
-
-    /**
-     * Create connector using hostname, schema, port, path and trusted certificate.
-     *
-     * @param hostname        The hostname
-     * @param useTLS          If TRUE, use HTTPS, otherwise HTTP
-     * @param tlsVersion      TLS version
-     * @param port            The port
-     * @param prefix          HTTP API prefix (default: /v1/)
-     * @param trustedCaCert   Trusted CA certificate
-     * @param numberOfRetries Number of retries on 5xx errors
-     * @param timeout         Timeout for HTTP requests (milliseconds)
-     */
-    public HTTPVaultConnector(final String hostname,
-                              final boolean useTLS,
-                              final String tlsVersion,
-                              final Integer port,
-                              final String prefix,
-                              final X509Certificate trustedCaCert,
-                              final int numberOfRetries,
-                              final Integer timeout) {
-        this(((useTLS) ? "https" : "http")
-                        + "://" + hostname
-                        + ((port != null) ? ":" + port : "")
-                        + prefix,
-                trustedCaCert,
-                numberOfRetries,
-                timeout,
-                tlsVersion);
-    }
-
-    /**
-     * Create connector using full URL.
-     *
-     * @param baseURL The URL
-     */
-    public HTTPVaultConnector(final String baseURL) {
-        this(baseURL, null);
-    }
-
-    /**
-     * Create connector using full URL and trusted certificate.
-     *
-     * @param baseURL       The URL
-     * @param trustedCaCert Trusted CA certificate
-     */
-    public HTTPVaultConnector(final String baseURL, final X509Certificate trustedCaCert) {
-        this(baseURL, trustedCaCert, 0, null);
-    }
-
-    /**
-     * Create connector using full URL and trusted certificate.
-     *
-     * @param baseURL         The URL
-     * @param trustedCaCert   Trusted CA certificate
-     * @param numberOfRetries Number of retries on 5xx errors
-     */
-    public HTTPVaultConnector(final String baseURL, final X509Certificate trustedCaCert, final int numberOfRetries) {
-        this(baseURL, trustedCaCert, numberOfRetries, null);
-    }
-
-    /**
-     * Create connector using full URL and trusted certificate.
-     *
-     * @param baseURL         The URL
-     * @param trustedCaCert   Trusted CA certificate
-     * @param numberOfRetries Number of retries on 5xx errors
-     * @param timeout         Timeout for HTTP requests (milliseconds)
-     */
-    public HTTPVaultConnector(final String baseURL,
-                              final X509Certificate trustedCaCert,
-                              final int numberOfRetries,
-                              final Integer timeout) {
-        this(baseURL, trustedCaCert, numberOfRetries, timeout, DEFAULT_TLS_VERSION);
-    }
-
-    /**
-     * Create connector using full URL and trusted certificate.
-     *
-     * @param baseURL         The URL
-     * @param trustedCaCert   Trusted CA certificate
-     * @param numberOfRetries Number of retries on 5xx errors
-     * @param timeout         Timeout for HTTP requests (milliseconds)
-     * @param tlsVersion      TLS Version.
-     */
-    public HTTPVaultConnector(final String baseURL,
-                              final X509Certificate trustedCaCert,
-                              final int numberOfRetries,
-                              final Integer timeout,
-                              final String tlsVersion) {
-        this.request = new RequestHelper(baseURL, numberOfRetries, timeout, tlsVersion, trustedCaCert);
+    public static HTTPVaultConnectorBuilder builder(URI baseURL) {
+        return new HTTPVaultConnectorBuilder().withBaseURL(baseURL);
    }

    @Override
@ -235,24 +149,28 @@ public class HTTPVaultConnector implements VaultConnector {

    @Override
    public final SealResponse unseal(final String key, final Boolean reset) throws VaultConnectorException {
-        Map<String, String> param = new HashMap<>(2, 1);
-        param.put("key", key);
-        if (reset != null) {
-            param.put("reset", reset.toString());
-        }
+        Map<String, String> param = mapOfStrings(
+            "key", key,
+            "reset", reset
+        );

        return request.put(PATH_UNSEAL, param, token, SealResponse.class);
    }

    @Override
    public HealthResponse getHealth() throws VaultConnectorException {
-        /* Force status code to be 200, so we don't need to modify the request sequence. */
-        Map<String, String> param = new HashMap<>(3, 1);
-        param.put("standbycode", "200");    // Default: 429.
-        param.put("sealedcode", "200");     // Default: 503.
-        param.put("uninitcode", "200");     // Default: 501.

-        return request.get(PATH_HEALTH, param, token, HealthResponse.class);
+        return request.get(
+            PATH_HEALTH,
+            // Force status code to be 200, so we don't need to modify the request sequence.
+            Map.of(
+                "standbycode", "200",   // Default: 429.
+                "sealedcode", "200",    // Default: 503.
+                "uninitcode", "200"     // Default: 501.
+            ),
+            token,
+            HealthResponse.class
+        );
    }

    @Override
@ -263,7 +181,7 @@ public class HTTPVaultConnector implements VaultConnector {
    @Override
    public final List<AuthBackend> getAuthBackends() throws VaultConnectorException {
        /* Issue request and parse response */
-        AuthMethodsResponse amr = request.get(PATH_AUTH, emptyMap(), token, AuthMethodsResponse.class);
+        AuthMethodsResponse amr = request.get(PATH_SYS_AUTH, emptyMap(), token, AuthMethodsResponse.class);

        return amr.getSupportedMethods().values().stream().map(AuthMethod::getType).collect(Collectors.toList());
    }
@ -273,7 +191,7 @@ public class HTTPVaultConnector implements VaultConnector {
        /* set token */
        this.token = token;
        this.tokenTTL = 0;
-        TokenResponse res = request.post(PATH_TOKEN + PATH_LOOKUP, emptyMap(), token, TokenResponse.class);
+        TokenResponse res = request.post(PATH_AUTH_TOKEN + PATH_LOOKUP, emptyMap(), token, TokenResponse.class);
        authorized = true;

        return res;
@ -286,23 +204,13 @@ public class HTTPVaultConnector implements VaultConnector {
        return queryAuth(PATH_AUTH_USERPASS + username, payload);
    }

-    @Override
-    @Deprecated
-    public final AuthResponse authAppId(final String appID, final String userID) throws VaultConnectorException {
-        final Map<String, String> payload = new HashMap<>(2, 1);
-        payload.put("app_id", appID);
-        payload.put("user_id", userID);
-        return queryAuth(PATH_AUTH_APPID + "login", payload);
-    }
-
    @Override
    public final AuthResponse authAppRole(final String roleID, final String secretID) throws VaultConnectorException {
-        final Map<String, String> payload = new HashMap<>(2, 1);
-        payload.put("role_id", roleID);
-        if (secretID != null) {
-            payload.put("secret_id", secretID);
-        }
-        return queryAuth(PATH_AUTH_APPROLE + "login", payload);
+        final Map<String, String> payload = mapOfStrings(
+            "role_id", roleID,
+            "secret_id", secretID
+        );
+        return queryAuth(PATH_AUTH_APPROLE + PATH_LOGIN, payload);
    }

    /**
@ -325,36 +233,6 @@ public class HTTPVaultConnector implements VaultConnector {
        return auth;
    }

-    @Override
-    @Deprecated
-    public final boolean registerAppId(final String appID, final String policy, final String displayName)
-            throws VaultConnectorException {
-        requireAuth();
-        Map<String, String> payload = new HashMap<>(2, 1);
-        payload.put("value", policy);
-        payload.put("display_name", displayName);
-
-        /* Issue request and expect code 204 with empty response */
-        request.postWithoutResponse(PATH_AUTH_APPID + "map/app-id/" + appID, payload, token);
-
-        return true;
-    }
-
-    @Override
-    @Deprecated
-    public final boolean registerUserId(final String appID, final String userID) throws VaultConnectorException {
-        requireAuth();
-
-        /* Issue request and expect code 204 with empty response */
-        request.postWithoutResponse(
-                PATH_AUTH_APPID + "map/user-id/" + userID,
-                singletonMap("value", appID),
-                token
-        );
-
-        return true;
-    }
-
    @Override
    public final boolean createAppRole(final AppRole role) throws VaultConnectorException {
        requireAuth();
@ -468,7 +346,7 @@ public class HTTPVaultConnector implements VaultConnector {
        requireAuth();

        SecretListResponse secrets = request.get(
-                PATH_AUTH_APPROLE + "role?list=true",
+            PATH_AUTH_APPROLE + "/role?list=true",
            emptyMap(),
            token,
            SecretListResponse.class
@ -495,23 +373,22 @@ public class HTTPVaultConnector implements VaultConnector {
    public final SecretResponse read(final String key) throws VaultConnectorException {
        requireAuth();
        /* Issue request and parse secret response */
-        return request.get(key, emptyMap(), token, SecretResponse.class);
+        return request.get(key, emptyMap(), token, PlainSecretResponse.class);
    }

    @Override
-    public final SecretResponse readSecretVersion(final String mount, final String key, final Integer version) throws VaultConnectorException {
+    public final SecretResponse readSecretVersion(final String mount, final String key, final Integer version)
+        throws VaultConnectorException {
        requireAuth();
        /* Request HTTP response and parse secret metadata */
-        Map<String, String> args = new HashMap<>(1, 1);
-        if (version != null) {
-            args.put("version", version.toString());
-        }
+        Map<String, String> args = mapOfStrings("version", version);

-        return request.get(mount + PATH_DATA + key, args, token, SecretResponse.class);
+        return request.get(mount + PATH_DATA + key, args, token, MetaSecretResponse.class);
    }

    @Override
-    public final MetadataResponse readSecretMetadata(final String mount, final String key) throws VaultConnectorException {
+    public final MetadataResponse readSecretMetadata(final String mount, final String key)
+        throws VaultConnectorException {
        requireAuth();

        /* Request HTTP response and parse secret metadata */
@ -519,20 +396,25 @@ public class HTTPVaultConnector implements VaultConnector {
    }

    @Override
-    public void updateSecretMetadata(final String mount, final String key, final Integer maxVersions, final boolean casRequired) throws VaultConnectorException {
+    public void updateSecretMetadata(final String mount,
+                                     final String key,
+                                     final Integer maxVersions,
+                                     final boolean casRequired) throws VaultConnectorException {
        requireAuth();

-        Map<String, Object> payload = new HashMap<>(2, 1);
-        if (maxVersions != null) {
-            payload.put("max_versions", maxVersions);
-        }
-        payload.put("cas_required", casRequired);
+        Map<String, Object> payload = mapOf(
+            "max_versions", maxVersions,
+            "cas_required", casRequired
+        );

        write(mount + PATH_METADATA + key, payload);
    }

    @Override
-    public final SecretVersionResponse writeSecretData(final String mount, final String key, final Map<String, Object> data, final Integer cas) throws VaultConnectorException {
+    public final SecretVersionResponse writeSecretData(final String mount,
+                                                       final String key,
+                                                       final Map<String, Object> data,
+                                                       final Integer cas) throws VaultConnectorException {
        requireAuth();

        if (key == null || key.isEmpty()) {
@ -540,17 +422,18 @@ public class HTTPVaultConnector implements VaultConnector {
        }

        // Add CAS value to options map if present.
-        Map<String, Object> options = new HashMap<>(1, 1);
-        if (cas != null) {
-            options.put("cas", cas);
-        }
-
-        Map<String, Object> payload = new HashMap<>(2, 1);
-        payload.put("data", data);
-        payload.put("options", options);
+        Map<String, Object> options = mapOf("cas", cas);

        /* Issue request and parse metadata response */
-        return request.post(mount + PATH_DATA + key, payload, token, SecretVersionResponse.class);
+        return request.post(
+            mount + PATH_DATA + key,
+            Map.of(
+                "data", data,
+                "options", options
+            ),
+            token,
+            SecretVersionResponse.class
+        );
    }

    @Override
@ -563,22 +446,23 @@ public class HTTPVaultConnector implements VaultConnector {
    }

    @Override
-    public final void write(final String key, final Map<String, Object> data, final Map<String, Object> options) throws VaultConnectorException {
+    public final void write(final String key, final Map<String, Object> data, final Map<String, Object> options)
+        throws VaultConnectorException {
        requireAuth();

        if (key == null || key.isEmpty()) {
            throw new InvalidRequestException("Secret path must not be empty.");
        }

-        // By default data is directly passed as payload.
+        // By default, data is directly passed as payload.
        Object payload = data;

        // If options are given, split payload in two parts.
        if (options != null) {
-            Map<String, Object> payloadMap = new HashMap<>(2, 1);
-            payloadMap.put("data", data);
-            payloadMap.put("options", options);
-            payload = payloadMap;
+            payload = Map.of(
+                "data", data,
+                "options", options
+            );
        }

        /* Issue request and expect code 204 with empty response */
@ -604,17 +488,20 @@ public class HTTPVaultConnector implements VaultConnector {
    }

    @Override
-    public final void deleteSecretVersions(final String mount, final String key, final int... versions) throws VaultConnectorException {
+    public final void deleteSecretVersions(final String mount, final String key, final int... versions)
+        throws VaultConnectorException {
        handleSecretVersions(mount, PATH_DELETE, key, versions);
    }

    @Override
-    public final void undeleteSecretVersions(final String mount, final String key, final int... versions) throws VaultConnectorException {
+    public final void undeleteSecretVersions(final String mount, final String key, final int... versions)
+        throws VaultConnectorException {
        handleSecretVersions(mount, PATH_UNDELETE, key, versions);
    }

    @Override
-    public final void destroySecretVersions(final String mount, final String key, final int... versions) throws VaultConnectorException {
+    public final void destroySecretVersions(final String mount, final String key, final int... versions)
+        throws VaultConnectorException {
        handleSecretVersions(mount, PATH_DESTROY, key, versions);
    }

@ -628,7 +515,10 @@ public class HTTPVaultConnector implements VaultConnector {
     * @throws VaultConnectorException on error
     * @since 0.8
     */
-    private void handleSecretVersions(final String mount, final String pathPart, final String key, final int... versions) throws VaultConnectorException {
+    private void handleSecretVersions(final String mount,
+                                      final String pathPart,
+                                      final String key,
+                                      final int... versions) throws VaultConnectorException {
        requireAuth();

        /* Request HTTP response and expect empty result */
@ -650,11 +540,10 @@ public class HTTPVaultConnector implements VaultConnector {
    public final SecretResponse renew(final String leaseID, final Integer increment) throws VaultConnectorException {
        requireAuth();

-        Map<String, String> payload = new HashMap<>(2, 1);
-        payload.put("lease_id", leaseID);
-        if (increment != null) {
-            payload.put("increment", increment.toString());
-        }
+        Map<String, String> payload = mapOfStrings(
+            "lease_id", leaseID,
+            "increment", increment
+        );

        /* Issue request and parse secret response */
        return request.put(PATH_RENEW, payload, token, SecretResponse.class);
@ -662,12 +551,12 @@ public class HTTPVaultConnector implements VaultConnector {

    @Override
    public final AuthResponse createToken(final Token token) throws VaultConnectorException {
-        return createTokenInternal(token, PATH_TOKEN + PATH_CREATE);
+        return createTokenInternal(token, PATH_AUTH_TOKEN + PATH_CREATE);
    }

    @Override
    public final AuthResponse createToken(final Token token, final boolean orphan) throws VaultConnectorException {
-        return createTokenInternal(token, PATH_TOKEN + PATH_CREATE_ORPHAN);
+        return createTokenInternal(token, PATH_AUTH_TOKEN + PATH_CREATE_ORPHAN);
    }

    @Override
@ -675,7 +564,7 @@ public class HTTPVaultConnector implements VaultConnector {
        if (role == null || role.isEmpty()) {
            throw new InvalidRequestException("No role name specified.");
        }
-        return createTokenInternal(token, PATH_TOKEN + PATH_CREATE + "/" + role);
+        return createTokenInternal(token, PATH_AUTH_TOKEN + PATH_CREATE + "/" + role);
    }

    @Override
@ -710,7 +599,7 @@ public class HTTPVaultConnector implements VaultConnector {

        /* Request HTTP response and parse Secret */
        return request.get(
-                PATH_TOKEN + PATH_LOOKUP,
+            PATH_AUTH_TOKEN + PATH_LOOKUP,
            singletonMap("token", token),
            token,
            TokenResponse.class
@ -728,7 +617,7 @@ public class HTTPVaultConnector implements VaultConnector {
        }

        // Issue request and expect code 204 with empty response.
-        request.postWithoutResponse(PATH_TOKEN + PATH_ROLES + "/" + name, role, token);
+        request.postWithoutResponse(PATH_AUTH_TOKEN + PATH_ROLES + "/" + name, role, token);

        return true;
    }
@ -738,14 +627,14 @@ public class HTTPVaultConnector implements VaultConnector {
        requireAuth();

        // Request HTTP response and parse response.
-        return request.get(PATH_TOKEN + PATH_ROLES + "/" + name, emptyMap(), token, TokenRoleResponse.class);
+        return request.get(PATH_AUTH_TOKEN + PATH_ROLES + "/" + name, emptyMap(), token, TokenRoleResponse.class);
    }

    @Override
    public List<String> listTokenRoles() throws VaultConnectorException {
        requireAuth();

-        return list(PATH_TOKEN + PATH_ROLES);
+        return list(PATH_AUTH_TOKEN + PATH_ROLES);
    }

    @Override
@ -757,11 +646,52 @@ public class HTTPVaultConnector implements VaultConnector {
        }

        // Issue request and expect code 204 with empty response.
-        request.deleteWithoutResponse(PATH_TOKEN + PATH_ROLES + "/" + name, token);
+        request.deleteWithoutResponse(PATH_AUTH_TOKEN + PATH_ROLES + "/" + name, token);

        return true;
    }

+    @Override
+    public final TransitResponse transitEncrypt(final String keyName, final String plaintext)
+        throws VaultConnectorException {
+        requireAuth();
+
+        Map<String, Object> payload = mapOf(
+            "plaintext", plaintext
+        );
+
+        return request.post(PATH_TRANSIT_ENCRYPT + keyName, payload, token, TransitResponse.class);
+    }
+
+    @Override
+    public final TransitResponse transitDecrypt(final String keyName, final String ciphertext)
+        throws VaultConnectorException {
+        requireAuth();
+
+        Map<String, Object> payload = mapOf(
+            "ciphertext", ciphertext
+        );
+
+        return request.post(PATH_TRANSIT_DECRYPT + keyName, payload, token, TransitResponse.class);
+    }
+
+    @Override
+    public final TransitResponse transitHash(final String algorithm, final String input, final String format)
+        throws VaultConnectorException {
+        if (format != null && !"hex".equals(format) && !"base64".equals(format)) {
+            throw new IllegalArgumentException("Unsupported format " + format);
+        }
+
+        requireAuth();
+
+        Map<String, Object> payload = mapOf(
+            "input", input,
+            "format", format
+        );
+
+        return request.post(PATH_TRANSIT_HASH + algorithm, payload, token, TransitResponse.class);
+    }
+
    /**
     * Check for required authorization.
     *
@ -773,4 +703,42 @@ public class HTTPVaultConnector implements VaultConnector {
            throw new AuthorizationRequiredException();
        }
    }
+
+    /**
+     * Generate a map of non-null {@link String} keys and values
+     *
+     * @param keyValues Key-value tuples as vararg.
+     * @return The map of non-null keys and values.
+     */
+    private static Map<String, String> mapOfStrings(Object... keyValues) {
+        Map<String, String> map = new HashMap<>(keyValues.length / 2, 1);
+        for (int i = 0; i < keyValues.length - 1; i = i + 2) {
+            Object key = keyValues[i];
+            Object val = keyValues[i + 1];
+            if (key instanceof String && val != null) {
+                map.put((String) key, val.toString());
+            }
+        }
+
+        return map;
+    }
+
+    /**
+     * Generate a map of non-null {@link String} keys and {@link Object} values
+     *
+     * @param keyValues Key-value tuples as vararg.
+     * @return The map of non-null keys and values.
+     */
+    private static Map<String, Object> mapOf(Object... keyValues) {
+        Map<String, Object> map = new HashMap<>(keyValues.length / 2, 1);
+        for (int i = 0; i < keyValues.length; i = i + 2) {
+            Object key = keyValues[i];
+            Object val = keyValues[i + 1];
+            if (key instanceof String && val != null) {
+                map.put((String) key, val);
+            }
+        }
+
+        return map;
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/builder/HTTPVaultConnectorBuilder.java
+++ b/src/main/java/de/stklcode/jvault/connector/builder/HTTPVaultConnectorBuilder.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -14,17 +14,17 @@
 * limitations under the License.
 */

-package de.stklcode.jvault.connector.builder;
+package de.stklcode.jvault.connector;

-import de.stklcode.jvault.connector.HTTPVaultConnector;
 import de.stklcode.jvault.connector.exception.ConnectionException;
 import de.stklcode.jvault.connector.exception.TlsException;
 import de.stklcode.jvault.connector.exception.VaultConnectorException;

+import java.io.ByteArrayInputStream;
 import java.io.IOException;
-import java.io.InputStream;
-import java.net.MalformedURLException;
-import java.net.URL;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
@ -37,8 +37,9 @@ import java.security.cert.X509Certificate;
 *
 * @author Stefan Kalscheuer
 * @since 0.8.0
+ * @since 0.9.5 Package {@link de.stklcode.jvault.connector}
 */
-public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
+public final class HTTPVaultConnectorBuilder {
    private static final String ENV_VAULT_ADDR = "VAULT_ADDR";
    private static final String ENV_VAULT_CACERT = "VAULT_CACERT";
    private static final String ENV_VAULT_TOKEN = "VAULT_TOKEN";
@ -65,7 +66,7 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
     * Default empty constructor.
     * Initializes factory with default values.
     */
-    public HTTPVaultConnectorBuilder() {
+    HTTPVaultConnectorBuilder() {
        host = DEFAULT_HOST;
        port = DEFAULT_PORT;
        tls = DEFAULT_TLS;
@ -74,6 +75,36 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
        numberOfRetries = DEFAULT_NUMBER_OF_RETRIES;
    }

+    /**
+     * Set base URL, e.g. "protocol://host:port/prefix".
+     *
+     * @param baseURL Base URL
+     * @return self
+     * @throws URISyntaxException Invalid URI syntax.
+     * @since 1.0
+     */
+    public HTTPVaultConnectorBuilder withBaseURL(final String baseURL) throws URISyntaxException {
+        return withBaseURL(new URI(baseURL));
+    }
+
+    /**
+     * Set base URL, e.g. "protocol://host:port/prefix".
+     *
+     * @param baseURL Base URL
+     * @return self
+     * @since 1.0
+     */
+    public HTTPVaultConnectorBuilder withBaseURL(final URI baseURL) {
+        String path = baseURL.getPath();
+        if (path == null || path.isBlank()) {
+            path = DEFAULT_PREFIX;
+        }
+        return withTLS(!("http".equalsIgnoreCase(baseURL.getScheme())))
+            .withHost(baseURL.getHost())
+            .withPort(baseURL.getPort())
+            .withPrefix(path);
+    }
+
    /**
     * Set hostname (default: 127.0.0.1).
     *
@ -85,17 +116,43 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
        return this;
    }

+    /**
+     * Get hostname.
+     *
+     * @return Hostname or IP address
+     */
+    String getHost() {
+        return this.host;
+    }
+
    /**
     * Set port (default: 8200).
+     * A value of {@code null} or {@code -1} indicates that no port is specified, i.e. the protocol default is used.
+     * Otherwise, a valid port number between 1 and 65535 is expected.
     *
     * @param port Vault TCP port
     * @return self
     */
    public HTTPVaultConnectorBuilder withPort(final Integer port) {
+        if (port == null || port < 0) {
+            this.port = null;
+        } else if (port < 1 || port > 65535) {
+            throw new IllegalArgumentException("Port number " + port + " out of range");
+        } else {
            this.port = port;
+        }
        return this;
    }

+    /**
+     * Set port..
+     *
+     * @return Vault TCP port
+     */
+    Integer getPort() {
+        return this.port;
+    }
+
    /**
     * Set TLS usage (default: TRUE).
     *
@ -107,6 +164,24 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
        return this;
    }

+    /**
+     * Get TLS usage flag.
+     *
+     * @return use TLS or not
+     */
+    boolean isWithTLS() {
+        return this.tls;
+    }
+
+    /**
+     * Get TLS version.
+     *
+     * @return TLS version.
+     */
+    String getTlsVersion() {
+        return this.tlsVersion;
+    }
+
    /**
     * Set TLS usage (default: TRUE).
     *
@ -153,7 +228,7 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
    /**
     * Set API prefix. Default is "/v1/" and changes should not be necessary for current state of development.
     *
-     * @param prefix Vault API prefix (default: "/v1/"
+     * @param prefix Vault API prefix (default: "/v1/")
     * @return self
     */
    public HTTPVaultConnectorBuilder withPrefix(final String prefix) {
@ -161,6 +236,15 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
        return this;
    }

+    /**
+     * Get API prefix.
+     *
+     * @return Vault API prefix.
+     */
+    String getPrefix() {
+        return this.prefix;
+    }
+
    /**
     * Add a trusted CA certificate for HTTPS connections.
     *
@ -190,6 +274,15 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
        return this;
    }

+    /**
+     * Get the trusted CA certificate for HTTPS connections.
+     *
+     * @return path to certificate file, if specified.
+     */
+    X509Certificate getTrustedCA() {
+        return this.trustedCA;
+    }
+
    /**
     * Set token for automatic authentication, using {@link #buildAndAuth()}.
     *
@ -203,7 +296,7 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
    }

    /**
-     * Build connector based on the {@code }VAULT_ADDR} and {@code VAULT_CACERT} (optional) environment variables.
+     * Build connector based on the {@code VAULT_ADDR} and {@code VAULT_CACERT} (optional) environment variables.
     *
     * @return self
     * @throws VaultConnectorException if Vault address from environment variables is malformed
@ -211,13 +304,10 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
     */
    public HTTPVaultConnectorBuilder fromEnv() throws VaultConnectorException {
        /* Parse URL from environment variable */
-        if (System.getenv(ENV_VAULT_ADDR) != null && !System.getenv(ENV_VAULT_ADDR).trim().isEmpty()) {
+        if (System.getenv(ENV_VAULT_ADDR) != null && !System.getenv(ENV_VAULT_ADDR).isBlank()) {
            try {
-                URL url = new URL(System.getenv(ENV_VAULT_ADDR));
-                this.host = url.getHost();
-                this.port = url.getPort();
-                this.tls = url.getProtocol().equals("https");
-            } catch (MalformedURLException e) {
+                withBaseURL(System.getenv(ENV_VAULT_ADDR));
+            } catch (URISyntaxException e) {
                throw new ConnectionException("URL provided in environment variable malformed", e);
            }
        }
@ -225,7 +315,7 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
        /* Read number of retries */
        if (System.getenv(ENV_VAULT_MAX_RETRIES) != null) {
            try {
-                numberOfRetries = Integer.parseInt(System.getenv(ENV_VAULT_MAX_RETRIES));
+                withNumberOfRetries(Integer.parseInt(System.getenv(ENV_VAULT_MAX_RETRIES)));
            } catch (NumberFormatException ignored) {
                /* Ignore malformed values. */
            }
@ -235,8 +325,12 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
        token = System.getenv(ENV_VAULT_TOKEN);

        /* Parse certificate, if set */
-        if (System.getenv(ENV_VAULT_CACERT) != null && !System.getenv(ENV_VAULT_CACERT).trim().isEmpty()) {
-            return withTrustedCA(Paths.get(System.getenv(ENV_VAULT_CACERT)));
+        if (System.getenv(ENV_VAULT_CACERT) != null && !System.getenv(ENV_VAULT_CACERT).isBlank()) {
+            X509Certificate cert = certificateFromString(System.getenv(ENV_VAULT_CACERT));
+            if (cert == null) {
+                cert = certificateFromFile(Paths.get(System.getenv(ENV_VAULT_CACERT)));
+            }
+            return withTrustedCA(cert);
        }
        return this;
    }
@ -253,6 +347,15 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
        return this;
    }

+    /**
+     * Get the number of retries to attempt on 5xx errors.
+     *
+     * @return The number of retries to attempt on 5xx errors (default: 0)
+     */
+    int getNumberOfRetries() {
+        return this.numberOfRetries;
+    }
+
    /**
     * Define a custom timeout for the HTTP connection.
     *
@ -265,12 +368,31 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
        return this;
    }

-    @Override
-    public HTTPVaultConnector build() {
-        return new HTTPVaultConnector(host, tls, tlsVersion, port, prefix, trustedCA, numberOfRetries, timeout);
+    /**
+     * Get custom timeout for the HTTP connection.
+     *
+     * @return Timeout value in milliseconds.
+     */
+    Integer getTimeout() {
+        return this.timeout;
    }

-    @Override
+    /**
+     * Build command, produces connector after initialization.
+     *
+     * @return Vault Connector instance.
+     */
+    public HTTPVaultConnector build() {
+        return new HTTPVaultConnector(this);
+    }
+
+    /**
+     * Build connector and authenticate with token set in factory or from environment.
+     *
+     * @return Authenticated Vault connector instance.
+     * @throws VaultConnectorException if authentication failed
+     * @since 0.6.0
+     */
    public HTTPVaultConnector buildAndAuth() throws VaultConnectorException {
        if (token == null) {
            throw new ConnectionException("No vault token provided, unable to authenticate.");
@ -280,6 +402,28 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
        return con;
    }

+    /**
+     * Read given certificate file to X.509 certificate.
+     *
+     * @param cert Certificate string (optionally PEM)
+     * @return X.509 Certificate object if parseable, else {@code null}
+     * @throws TlsException on error
+     * @since 1.5.0
+     */
+    private X509Certificate certificateFromString(final String cert) throws TlsException {
+        // Check if PEM header is present in given string
+        if (cert.contains("-BEGIN ") && cert.contains("-END")) {
+            try (var is = new ByteArrayInputStream(cert.getBytes(StandardCharsets.UTF_8))) {
+                return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(is);
+            } catch (IOException | CertificateException e) {
+                throw new TlsException("Unable to read certificate.", e);
+            }
+        }
+
+        // Not am PEM string, skip
+        return null;
+    }
+
    /**
     * Read given certificate file to X.509 certificate.
     *
@ -289,7 +433,7 @@ public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
     * @since 0.4.0
     */
    private X509Certificate certificateFromFile(final Path certFile) throws TlsException {
-        try (InputStream is = Files.newInputStream(certFile)) {
+        try (var is = Files.newInputStream(certFile)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(is);
        } catch (IOException | CertificateException e) {
            throw new TlsException("Unable to read certificate.", e);
--- a/src/main/java/de/stklcode/jvault/connector/VaultConnector.java
+++ b/src/main/java/de/stklcode/jvault/connector/VaultConnector.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,7 +16,6 @@

 package de.stklcode.jvault.connector;

-import de.stklcode.jvault.connector.exception.InvalidRequestException;
 import de.stklcode.jvault.connector.exception.VaultConnectorException;
 import de.stklcode.jvault.connector.model.*;
 import de.stklcode.jvault.connector.model.response.*;
@ -32,10 +31,6 @@ import java.util.*;
 * @since 0.1
 */
 public interface VaultConnector extends AutoCloseable, Serializable {
-    /**
-     * Default sub-path for Vault secrets.
-     */
-    String PATH_SECRET = "secret";

    /**
     * Reset authorization information.
@ -114,18 +109,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     */
    AuthResponse authUserPass(final String username, final String password) throws VaultConnectorException;

-    /**
-     * Authorize to Vault using AppID method.
-     *
-     * @param appID  The App ID
-     * @param userID The User ID
-     * @return The {@link AuthResponse}
-     * @throws VaultConnectorException on error
-     * @deprecated As of Vault 0.6.1 App-ID is superseded by AppRole. Consider using {@link #authAppRole} instead.
-     */
-    @Deprecated
-    AuthResponse authAppId(final String appID, final String userID) throws VaultConnectorException;
-
    /**
     * Authorize to Vault using AppRole method without secret ID.
     *
@ -149,20 +132,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     */
    AuthResponse authAppRole(final String roleID, final String secretID) throws VaultConnectorException;

-    /**
-     * Register new App-ID with policy.
-     *
-     * @param appID       The unique App-ID
-     * @param policy      The policy to associate with
-     * @param displayName Arbitrary name to display
-     * @return {@code true} on success
-     * @throws VaultConnectorException on error
-     * @deprecated As of Vault 0.6.1 App-ID is superseded by AppRole. Consider using {@link #createAppRole} instead.
-     */
-    @Deprecated
-    boolean registerAppId(final String appID, final String policy, final String displayName)
-            throws VaultConnectorException;
-
    /**
     * Register a new AppRole role from given metamodel.
     *
@ -344,38 +313,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     */
    List<String> listAppRoleSecrets(final String roleName) throws VaultConnectorException;

-    /**
-     * Register User-ID with App-ID.
-     *
-     * @param appID  The App-ID
-     * @param userID The User-ID
-     * @return {@code true} on success
-     * @throws VaultConnectorException on error
-     * @deprecated As of Vault 0.6.1 App-ID is superseded by AppRole.
-     * Consider using {@link #createAppRoleSecret} instead.
-     */
-    @Deprecated
-    boolean registerUserId(final String appID, final String userID) throws VaultConnectorException;
-
-    /**
-     * Register new App-ID and User-ID at once.
-     *
-     * @param appID       The App-ID
-     * @param policy      The policy to associate with
-     * @param displayName Arbitrary name to display
-     * @param userID      The User-ID
-     * @return {@code true} on success
-     * @throws VaultConnectorException on error
-     * @deprecated As of Vault 0.6.1 App-ID is superseded by AppRole.
-     */
-    @Deprecated
-    default boolean registerAppUserId(final String appID,
-                                      final String policy,
-                                      final String displayName,
-                                      final String userID) throws VaultConnectorException {
-        return registerAppId(appID, policy, userID) && registerUserId(appID, userID);
-    }
-
    /**
     * Get authorization status.
     *
@ -393,34 +330,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     */
    SecretResponse read(final String key) throws VaultConnectorException;

-    /**
-     * Retrieve secret from Vault.
-     * <br>
-     * Prefix {@code secret/} is automatically added to key.
-     *
-     * @param key Secret identifier
-     * @return Secret response
-     * @throws VaultConnectorException on error
-     */
-    default SecretResponse readSecret(final String key) throws VaultConnectorException {
-        return read(PATH_SECRET + "/" + key);
-    }
-
-    /**
-     * Retrieve the latest secret data for specific version from Vault.
-     * <br>
-     * Prefix "secret/data" is automatically added to key.
-     * Only available for KV v2 secrets.
-     *
-     * @param key Secret identifier
-     * @return Secret response
-     * @throws VaultConnectorException on error
-     * @since 0.8
-     */
-    default SecretResponse readSecretData(final String key) throws VaultConnectorException {
-        return readSecretVersion(key, null);
-    }
-
    /**
     * Retrieve the latest secret data for specific version from Vault.
     * <br>
@ -437,22 +346,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
        return readSecretVersion(mount, key, null);
    }

-    /**
-     * Write secret to Vault.
-     * <br>
-     * Prefix {@code secret/} is automatically added to path.
-     * Only available for KV v2 secrets.
-     *
-     * @param key  Secret identifier.
-     * @param data Secret content. Value must be be JSON serializable.
-     * @return Metadata for the created/updated secret.
-     * @throws VaultConnectorException on error
-     * @since 0.8
-     */
-    default SecretVersionResponse writeSecretData(final String key, final Map<String, Object> data) throws VaultConnectorException {
-        return writeSecretData(PATH_SECRET, key, data, null);
-    }
-
    /**
     * Write secret to Vault.
     * <br>
@ -466,7 +359,9 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @throws VaultConnectorException on error
     * @since 0.8
     */
-    default SecretVersionResponse writeSecretData(final String mount, final String key, final Map<String, Object> data) throws VaultConnectorException {
+    default SecretVersionResponse writeSecretData(final String mount,
+                                                  final String key,
+                                                  final Map<String, Object> data) throws VaultConnectorException {
        return writeSecretData(mount, key, data, null);
    }

@ -484,23 +379,10 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @throws VaultConnectorException on error
     * @since 0.8
     */
-    SecretVersionResponse writeSecretData(final String mount, final String key, final Map<String, Object> data, final Integer cas) throws VaultConnectorException;
-
-    /**
-     * Retrieve secret data from Vault.
-     * <br>
-     * Path {@code <mount>/data/<key>} is read here.
-     * Only available for KV v2 secrets.
-     *
-     * @param key     Secret identifier
-     * @param version Version to read. If {@code null} or zero, the latest version will be returned.
-     * @return Secret response
-     * @throws VaultConnectorException on error
-     * @since 0.8
-     */
-    default SecretResponse readSecretVersion(final String key, final Integer version) throws VaultConnectorException {
-        return readSecretVersion(PATH_SECRET, key, version);
-    }
+    SecretVersionResponse writeSecretData(final String mount,
+                                          final String key,
+                                          final Map<String, Object> data,
+                                          final Integer cas) throws VaultConnectorException;

    /**
     * Retrieve secret data from Vault.
@ -515,37 +397,8 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @throws VaultConnectorException on error
     * @since 0.8
     */
-    SecretResponse readSecretVersion(final String mount, final String key, final Integer version) throws VaultConnectorException;
-
-    /**
-     * Retrieve secret metadata from Vault.
-     * Path {@code secret/metadata/<key>} is read here.
-     * Only available for KV v2 secrets.
-     *
-     * @param key Secret identifier
-     * @return Metadata response
-     * @throws VaultConnectorException on error
-     * @since 0.8
-     */
-    default MetadataResponse readSecretMetadata(final String key) throws VaultConnectorException {
-        return readSecretMetadata(PATH_SECRET, key);
-    }
-
-    /**
-     * Update secret metadata.
-     * <br>
-     * Path {@code secret/metadata/<key>} is read here.
-     * Only available for KV v2 secrets.
-     *
-     * @param key         Secret identifier
-     * @param maxVersions Maximum number of versions (fallback to backend default if {@code null})
-     * @param casRequired Specify if Check-And-Set is required for this secret.
-     * @throws VaultConnectorException on error
-     * @since 0.8
-     */
-    default void updateSecretMetadata(final String key, final Integer maxVersions, final boolean casRequired) throws VaultConnectorException {
-        updateSecretMetadata(PATH_SECRET, key, maxVersions, casRequired);
-    }
+    SecretResponse readSecretVersion(final String mount, final String key, final Integer version)
+        throws VaultConnectorException;

    /**
     * Retrieve secret metadata from Vault.
@ -574,7 +427,10 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @throws VaultConnectorException on error
     * @since 0.8
     */
-    void updateSecretMetadata(final String mount, final String key, final Integer maxVersions, final boolean casRequired) throws VaultConnectorException;
+    void updateSecretMetadata(final String mount,
+                              final String key,
+                              final Integer maxVersions,
+                              final boolean casRequired) throws VaultConnectorException;

    /**
     * List available nodes from Vault.
@ -586,19 +442,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     */
    List<String> list(final String path) throws VaultConnectorException;

-    /**
-     * List available secrets from Vault.
-     * <br>
-     * Prefix {@code secret/} is automatically added to path.
-     *
-     * @param path Root path to search
-     * @return List of secret keys
-     * @throws VaultConnectorException on error
-     */
-    default List<String> listSecrets(final String path) throws VaultConnectorException {
-        return list(PATH_SECRET + "/" + path);
-    }
-
    /**
     * Write simple value to Vault.
     *
@ -632,37 +475,8 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @throws VaultConnectorException on error
     * @since 0.8 {@code options} parameter added
     */
-    void write(final String key, final Map<String, Object> data, final Map<String, Object> options) throws VaultConnectorException;
-
-    /**
-     * Write secret to Vault.
-     * <br>
-     * Prefix {@code secret/} is automatically added to path.
-     *
-     * @param key   Secret path
-     * @param value Secret value
-     * @throws VaultConnectorException on error
-     */
-    default void writeSecret(final String key, final String value) throws VaultConnectorException {
-        writeSecret(key, Collections.singletonMap("value", value));
-    }
-
-    /**
-     * Write secret to Vault.
-     * <br>
-     * Prefix {@code secret/} is automatically added to path.
-     *
-     * @param key  Secret path
-     * @param data Secret content. Value must be be JSON serializable.
-     * @throws VaultConnectorException on error
-     * @since 0.5.0
-     */
-    default void writeSecret(final String key, final Map<String, Object> data) throws VaultConnectorException {
-        if (key == null || key.isEmpty()) {
-            throw new InvalidRequestException("Secret path must not be empty.");
-        }
-        write(PATH_SECRET + "/" + key, data);
-    }
+    void write(final String key, final Map<String, Object> data, final Map<String, Object> options)
+        throws VaultConnectorException;

    /**
     * Delete key from Vault.
@ -673,31 +487,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     */
    void delete(final String key) throws VaultConnectorException;

-    /**
-     * Delete secret from Vault.
-     * <br>
-     * Prefix {@code secret/} is automatically added to path.
-     *
-     * @param key Secret path
-     * @throws VaultConnectorException on error
-     */
-    default void deleteSecret(final String key) throws VaultConnectorException {
-        delete(PATH_SECRET + "/" + key);
-    }
-
-    /**
-     * Delete latest version of a secret from Vault.
-     * <br>
-     * Prefix {@code secret/} is automatically added to path. Only available for KV v2 stores.
-     *
-     * @param key Secret path.
-     * @throws VaultConnectorException on error
-     * @since 0.8
-     */
-    default void deleteLatestSecretVersion(final String key) throws VaultConnectorException {
-        deleteLatestSecretVersion(PATH_SECRET, key);
-    }
-
    /**
     * Delete latest version of a secret from Vault.
     * <br>
@ -710,20 +499,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     */
    void deleteLatestSecretVersion(final String mount, final String key) throws VaultConnectorException;

-    /**
-     * Delete latest version of a secret from Vault.
-     * <br>
-     * Prefix {@code secret/} is automatically added to path.
-     * Only available for KV v2 stores.
-     *
-     * @param key Secret path.
-     * @throws VaultConnectorException on error
-     * @since 0.8
-     */
-    default void deleteAllSecretVersions(final String key) throws VaultConnectorException {
-        deleteAllSecretVersions(PATH_SECRET, key);
-    }
-
    /**
     * Delete latest version of a secret from Vault.
     * <br>
@ -737,20 +512,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     */
    void deleteAllSecretVersions(final String mount, final String key) throws VaultConnectorException;

-    /**
-     * Delete secret versions from Vault.
-     * <br>
-     * Only available for KV v2 stores.
-     *
-     * @param key      Secret path.
-     * @param versions Versions of the secret to delete.
-     * @throws VaultConnectorException on error
-     * @since 0.8
-     */
-    default void deleteSecretVersions(final String key, final int... versions) throws VaultConnectorException {
-        deleteSecretVersions(PATH_SECRET, key, versions);
-    }
-
    /**
     * Delete secret versions from Vault.
     * <br>
@ -762,20 +523,8 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @throws VaultConnectorException on error
     * @since 0.8
     */
-    void deleteSecretVersions(final String mount, final String key, final int... versions) throws VaultConnectorException;
-
-    /**
-     * Undelete (restore) secret versions from Vault.
-     * Only available for KV v2 stores.
-     *
-     * @param key      Secret path.
-     * @param versions Versions of the secret to undelete.
-     * @throws VaultConnectorException on error
-     * @since 0.8
-     */
-    default void undeleteSecretVersions(final String key, final int... versions) throws VaultConnectorException {
-        undeleteSecretVersions(PATH_SECRET, key, versions);
-    }
+    void deleteSecretVersions(final String mount, final String key, final int... versions)
+        throws VaultConnectorException;

    /**
     * Undelete (restore) secret versions from Vault.
@ -787,20 +536,8 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @throws VaultConnectorException on error
     * @since 0.8
     */
-    void undeleteSecretVersions(final String mount, final String key, final int... versions) throws VaultConnectorException;
-
-    /**
-     * Destroy secret versions from Vault.
-     * Only available for KV v2 stores.
-     *
-     * @param key      Secret path.
-     * @param versions Versions of the secret to destroy.
-     * @throws VaultConnectorException on error
-     * @since 0.8
-     */
-    default void destroySecretVersions(final String key, final int... versions) throws VaultConnectorException {
-        destroySecretVersions(PATH_SECRET, key, versions);
-    }
+    void undeleteSecretVersions(final String mount, final String key, final int... versions)
+        throws VaultConnectorException;

    /**
     * Destroy secret versions from Vault.
@ -812,7 +549,8 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @throws VaultConnectorException on error
     * @since 0.8
     */
-    void destroySecretVersions(final String mount, final String key, final int... versions) throws VaultConnectorException;
+    void destroySecretVersions(final String mount, final String key, final int... versions)
+        throws VaultConnectorException;

    /**
     * Revoke given lease immediately.
@ -933,6 +671,82 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     */
    boolean deleteTokenRole(final String name) throws VaultConnectorException;

+    /**
+     * Encrypt plaintext via transit engine from Vault.
+     *
+     * @param keyName   Transit key name
+     * @param plaintext Text to encrypt (Base64 encoded)
+     * @return Transit response
+     * @throws VaultConnectorException on error
+     * @since 1.5.0
+     */
+    TransitResponse transitEncrypt(final String keyName, final String plaintext) throws VaultConnectorException;
+
+    /**
+     * Encrypt plaintext via transit engine from Vault.
+     *
+     * @param keyName   Transit key name
+     * @param plaintext Binary data to encrypt
+     * @return Transit response
+     * @throws VaultConnectorException on error
+     * @since 1.5.0
+     */
+    default TransitResponse transitEncrypt(final String keyName, final byte[] plaintext)
+        throws VaultConnectorException {
+        return transitEncrypt(keyName, Base64.getEncoder().encodeToString(plaintext));
+    }
+
+    /**
+     * Decrypt ciphertext via transit engine from Vault.
+     *
+     * @param keyName    Transit key name
+     * @param ciphertext Text to decrypt
+     * @return Transit response
+     * @throws VaultConnectorException on error
+     * @since 1.5.0
+     */
+    TransitResponse transitDecrypt(final String keyName, final String ciphertext) throws VaultConnectorException;
+
+    /**
+     * Hash data in hex format via transit engine from Vault.
+     *
+     * @param algorithm Specifies the hash algorithm to use
+     * @param input     Data to hash
+     * @return Transit response
+     * @throws VaultConnectorException on error
+     * @since 1.5.0
+     */
+    default TransitResponse transitHash(final String algorithm, final String input) throws VaultConnectorException {
+        return transitHash(algorithm, input, "hex");
+    }
+
+    /**
+     * Hash data via transit engine from Vault.
+     *
+     * @param algorithm Specifies the hash algorithm to use
+     * @param input     Data to hash (Base64 encoded)
+     * @param format    Specifies the output encoding (hex/base64)
+     * @return Transit response
+     * @throws VaultConnectorException on error
+     * @since 1.5.0
+     */
+    TransitResponse transitHash(final String algorithm, final String input, final String format)
+        throws VaultConnectorException;
+
+    /**
+     * Hash data via transit engine from Vault.
+     *
+     * @param algorithm Specifies the hash algorithm to use
+     * @param input     Data to hash
+     * @return Transit response
+     * @throws VaultConnectorException on error
+     * @since 1.5.0
+     */
+    default TransitResponse transitHash(final String algorithm, final byte[] input, final String format)
+        throws VaultConnectorException {
+        return transitHash(algorithm, Base64.getEncoder().encodeToString(input), format);
+    }
+
    /**
     * Read credentials for MySQL backend at default mount point.
     *
@ -940,7 +754,9 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @return the credentials response
     * @throws VaultConnectorException on error
     * @since 0.5.0
+     * @deprecated use {@link #readDbCredentials(String, String)} your MySQL mountpoint
     */
+    @Deprecated(since = "1.5.0", forRemoval = true)
    default CredentialsResponse readMySqlCredentials(final String role) throws VaultConnectorException {
        return readDbCredentials(role, "mysql");
    }
@ -952,7 +768,9 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @return the credentials response
     * @throws VaultConnectorException on error
     * @since 0.5.0
+     * @deprecated use {@link #readDbCredentials(String, String)} your PostgreSQL mountpoint
     */
+    @Deprecated(since = "1.5.0", forRemoval = true)
    default CredentialsResponse readPostgreSqlCredentials(final String role) throws VaultConnectorException {
        return readDbCredentials(role, "postgresql");
    }
@ -964,28 +782,32 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @return the credentials response
     * @throws VaultConnectorException on error
     * @since 0.5.0
+     * @deprecated use {@link #readDbCredentials(String, String)} your MSSQL mountpoint
     */
+    @Deprecated(since = "1.5.0", forRemoval = true)
    default CredentialsResponse readMsSqlCredentials(final String role) throws VaultConnectorException {
        return readDbCredentials(role, "mssql");
    }

    /**
-     * Read credentials for MSSQL backend at default mount point.
+     * Read credentials for MongoDB backend at default mount point.
     *
     * @param role the role name
     * @return the credentials response
     * @throws VaultConnectorException on error
     * @since 0.5.0
+     * @deprecated use {@link #readDbCredentials(String, String)} your MongoDB mountpoint
     */
+    @Deprecated(since = "1.5.0", forRemoval = true)
    default CredentialsResponse readMongoDbCredentials(final String role) throws VaultConnectorException {
        return readDbCredentials(role, "mongodb");
    }

    /**
-     * Read credentials for SQL backends.
+     * Read credentials for database backends.
     *
     * @param role  the role name
-     * @param mount mount point of the SQL backend
+     * @param mount mount point of the database backend
     * @return the credentials response
     * @throws VaultConnectorException on error
     * @since 0.5.0
--- a/src/main/java/de/stklcode/jvault/connector/builder/VaultConnectorBuilder.java
+++ b/src/main/java/de/stklcode/jvault/connector/builder/VaultConnectorBuilder.java
@ -1,54 +0,0 @@
-/*
- * Copyright 2016-2021 Stefan Kalscheuer
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package de.stklcode.jvault.connector.builder;
-
-import de.stklcode.jvault.connector.VaultConnector;
-import de.stklcode.jvault.connector.exception.VaultConnectorException;
-
-/**
- * Abstract Vault Connector Builder interface.
- * Provides builder style for Vault connectors.
- *
- * @author Stefan Kalscheuer
- * @since 0.8.0
- */
-public interface VaultConnectorBuilder {
-    /**
-     * Get Factory implementation for HTTP Vault Connector.
-     *
-     * @return HTTP Connector Factory
-     */
-    static HTTPVaultConnectorBuilder http() {
-        return new HTTPVaultConnectorBuilder();
-    }
-
-    /**
-     * Build command, produces connector after initialization.
-     *
-     * @return Vault Connector instance.
-     */
-    VaultConnector build();
-
-    /**
-     * Build connector and authenticate with token set in factory or from environment.
-     *
-     * @return Authenticated Vault connector instance.
-     * @throws VaultConnectorException if authentication failed
-     * @since 0.6.0
-     */
-    VaultConnector buildAndAuth() throws VaultConnectorException;
-}
--- a/src/main/java/de/stklcode/jvault/connector/builder/package-info.java
+++ b/src/main/java/de/stklcode/jvault/connector/builder/package-info.java
@ -1,21 +0,0 @@
-/*
- * Copyright 2016-2021 Stefan Kalscheuer
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/**
- * This package contains the {@link de.stklcode.jvault.connector.builder.VaultConnectorBuilder} to initialize a
- * connector instance.
- */
-package de.stklcode.jvault.connector.builder;
--- a/src/main/java/de/stklcode/jvault/connector/exception/AuthorizationRequiredException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/AuthorizationRequiredException.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -23,4 +23,5 @@ package de.stklcode.jvault.connector.exception;
 * @since 0.1
 */
 public class AuthorizationRequiredException extends VaultConnectorException {
+    private static final long serialVersionUID = 2629577936657393880L;
 }
--- a/src/main/java/de/stklcode/jvault/connector/exception/ConnectionException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/ConnectionException.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -23,6 +23,8 @@ package de.stklcode.jvault.connector.exception;
 * @since 0.1
 */
 public class ConnectionException extends VaultConnectorException {
+    private static final long serialVersionUID = 3005430116002990418L;
+
    /**
     * Constructs a new empty exception.
     */
--- a/src/main/java/de/stklcode/jvault/connector/exception/InvalidRequestException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/InvalidRequestException.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -23,6 +23,8 @@ package de.stklcode.jvault.connector.exception;
 * @since 0.1
 */
 public class InvalidRequestException extends VaultConnectorException {
+    private static final long serialVersionUID = -6712239648281809159L;
+
    /**
     * Constructs a new empty exception.
     */
--- a/src/main/java/de/stklcode/jvault/connector/exception/InvalidResponseException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/InvalidResponseException.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -24,6 +24,8 @@ package de.stklcode.jvault.connector.exception;
 * @since 0.1
 */
 public final class InvalidResponseException extends VaultConnectorException {
+    private static final long serialVersionUID = 2003151038614163479L;
+
    private final Integer statusCode;
    private final String response;

@ -136,30 +138,6 @@ public final class InvalidResponseException extends VaultConnectorException {
        this.response = response;
    }

-    /**
-     * Specify the HTTP status code. Can be retrieved by {@link #getStatusCode()} later.
-     *
-     * @param statusCode The status code
-     * @return self
-     * @deprecated as of 0.6.2, use constructor with status code argument instead
-     */
-    @Deprecated
-    public InvalidResponseException withStatusCode(final Integer statusCode) {
-        return new InvalidResponseException(getMessage(), statusCode, getResponse(), getCause());
-    }
-
-    /**
-     * Specify the response string. Can be retrieved by {@link #getResponse()} later.
-     *
-     * @param response Response text
-     * @return self
-     * @deprecated use constructor with response argument instead
-     */
-    @Deprecated
-    public InvalidResponseException withResponse(final String response) {
-        return new InvalidResponseException(getMessage(), getStatusCode(), response, getCause());
-    }
-
    /**
     * Retrieve the HTTP status code.
     *
--- a/src/main/java/de/stklcode/jvault/connector/exception/PermissionDeniedException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/PermissionDeniedException.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -23,6 +23,8 @@ package de.stklcode.jvault.connector.exception;
 * @since 0.1
 */
 public class PermissionDeniedException extends VaultConnectorException {
+    private static final long serialVersionUID = -7149134015090750776L;
+
    /**
     * Constructs a new empty exception.
     */
--- a/src/main/java/de/stklcode/jvault/connector/exception/TlsException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/TlsException.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -23,6 +23,8 @@ package de.stklcode.jvault.connector.exception;
 * @since 0.4.0
 */
 public class TlsException extends VaultConnectorException {
+    private static final long serialVersionUID = -5139276834988258086L;
+
    /**
     * Constructs a new empty exception.
     */
--- a/src/main/java/de/stklcode/jvault/connector/exception/VaultConnectorException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/VaultConnectorException.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -23,6 +23,8 @@ package de.stklcode.jvault.connector.exception;
 * @since 0.1
 */
 public abstract class VaultConnectorException extends Exception {
+    private static final long serialVersionUID = -2612477894310906036L;
+
    /**
     * Constructs a new empty exception.
     */
--- a/src/main/java/de/stklcode/jvault/connector/exception/package-info.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/package-info.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/factory/HTTPVaultConnectorFactory.java
+++ b/src/main/java/de/stklcode/jvault/connector/factory/HTTPVaultConnectorFactory.java
@ -1,204 +0,0 @@
-/*
- * Copyright 2016-2021 Stefan Kalscheuer
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package de.stklcode.jvault.connector.factory;
-
-import de.stklcode.jvault.connector.HTTPVaultConnector;
-import de.stklcode.jvault.connector.builder.HTTPVaultConnectorBuilder;
-import de.stklcode.jvault.connector.exception.VaultConnectorException;
-
-import javax.net.ssl.SSLContext;
-import java.nio.file.Path;
-import java.security.cert.X509Certificate;
-
-/**
- * Vault Connector Factory implementation for HTTP Vault connectors.
- *
- * @author Stefan Kalscheuer
- * @since 0.1
- * @deprecated As of 0.8.0 please refer to {@link de.stklcode.jvault.connector.builder.HTTPVaultConnectorBuilder} with identical API.
- */
-@Deprecated
-public final class HTTPVaultConnectorFactory extends VaultConnectorFactory {
-
-    private final HTTPVaultConnectorBuilder delegate;
-
-    /**
-     * Default empty constructor.
-     * Initializes factory with default values.
-     */
-    public HTTPVaultConnectorFactory() {
-        delegate = new HTTPVaultConnectorBuilder();
-    }
-
-    /**
-     * Set hostname (default: 127.0.0.1).
-     *
-     * @param host Hostname or IP address
-     * @return self
-     */
-    public HTTPVaultConnectorFactory withHost(final String host) {
-        delegate.withHost(host);
-        return this;
-    }
-
-    /**
-     * Set port (default: 8200).
-     *
-     * @param port Vault TCP port
-     * @return self
-     */
-    public HTTPVaultConnectorFactory withPort(final Integer port) {
-        delegate.withPort(port);
-        return this;
-    }
-
-    /**
-     * Set TLS usage (default: TRUE).
-     *
-     * @param useTLS use TLS or not
-     * @return self
-     */
-    public HTTPVaultConnectorFactory withTLS(final boolean useTLS) {
-        delegate.withTLS(useTLS);
-        return this;
-    }
-
-    /**
-     * Convenience Method for TLS usage (enabled by default).
-     *
-     * @return self
-     */
-    public HTTPVaultConnectorFactory withTLS() {
-        return withTLS(true);
-    }
-
-    /**
-     * Convenience Method for NOT using TLS.
-     *
-     * @return self
-     */
-    public HTTPVaultConnectorFactory withoutTLS() {
-        return withTLS(false);
-    }
-
-    /**
-     * Set API prefix. Default is "/v1/" and changes should not be necessary for current state of development.
-     *
-     * @param prefix Vault API prefix (default: "/v1/"
-     * @return self
-     */
-    public HTTPVaultConnectorFactory withPrefix(final String prefix) {
-        delegate.withPrefix(prefix);
-        return this;
-    }
-
-    /**
-     * Add a trusted CA certificate for HTTPS connections.
-     *
-     * @param cert path to certificate file
-     * @return self
-     * @throws VaultConnectorException on error
-     * @since 0.4.0
-     */
-    public HTTPVaultConnectorFactory withTrustedCA(final Path cert) throws VaultConnectorException {
-        delegate.withTrustedCA(cert);
-        return this;
-    }
-
-    /**
-     * Add a trusted CA certificate for HTTPS connections.
-     *
-     * @param cert path to certificate file
-     * @return self
-     * @since 0.8.0
-     */
-    public HTTPVaultConnectorFactory withTrustedCA(final X509Certificate cert) {
-        delegate.withTrustedCA(cert);
-        return this;
-    }
-
-    /**
-     * Add a custom SSL context.
-     * Overwrites certificates set by {@link #withTrustedCA}.
-     *
-     * @param sslContext the SSL context
-     * @return self
-     * @since 0.4.0
-     * @deprecated As of 0.8.0 this is no longer supported, please use {@link #withTrustedCA(Path)} or {@link #withTrustedCA(X509Certificate)}.
-     */
-    public HTTPVaultConnectorFactory withSslContext(final SSLContext sslContext) {
-        throw new UnsupportedOperationException("Use of deprecated method, please switch to withTrustedCA()");
-    }
-
-    /**
-     * Set token for automatic authentication, using {@link #buildAndAuth()}.
-     *
-     * @param token Vault token
-     * @return self
-     * @since 0.6.0
-     */
-    public HTTPVaultConnectorFactory withToken(final String token) {
-        delegate.withToken(token);
-        return this;
-    }
-
-    /**
-     * Build connector based on the {@code }VAULT_ADDR} and {@code VAULT_CACERT} (optional) environment variables.
-     *
-     * @return self
-     * @throws VaultConnectorException if Vault address from environment variables is malformed
-     * @since 0.6.0
-     */
-    public HTTPVaultConnectorFactory fromEnv() throws VaultConnectorException {
-        delegate.fromEnv();
-        return this;
-    }
-
-    /**
-     * Define the number of retries to attempt on 5xx errors.
-     *
-     * @param numberOfRetries The number of retries to attempt on 5xx errors (default: 0)
-     * @return self
-     * @since 0.6.0
-     */
-    public HTTPVaultConnectorFactory withNumberOfRetries(final int numberOfRetries) {
-        delegate.withNumberOfRetries(numberOfRetries);
-        return this;
-    }
-
-    /**
-     * Define a custom timeout for the HTTP connection.
-     *
-     * @param milliseconds Timeout value in milliseconds.
-     * @return self
-     * @since 0.6.0
-     */
-    public HTTPVaultConnectorFactory withTimeout(final int milliseconds) {
-        delegate.withTimeout(milliseconds);
-        return this;
-    }
-
-    @Override
-    public HTTPVaultConnector build() {
-        return delegate.build();
-    }
-
-    @Override
-    public HTTPVaultConnector buildAndAuth() throws VaultConnectorException {
-        return delegate.buildAndAuth();
-    }
-}
--- a/src/main/java/de/stklcode/jvault/connector/factory/VaultConnectorFactory.java
+++ b/src/main/java/de/stklcode/jvault/connector/factory/VaultConnectorFactory.java
@ -1,42 +0,0 @@
-/*
- * Copyright 2016-2021 Stefan Kalscheuer
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package de.stklcode.jvault.connector.factory;
-
-import de.stklcode.jvault.connector.builder.VaultConnectorBuilder;
-
-/**
- * Abstract Vault Connector Factory interface.
- * Provides builder pattern style factory for Vault connectors.
- *
- * @author Stefan Kalscheuer
- * @since 0.1
- * @deprecated As of 0.8.0 please refer to {@link VaultConnectorBuilder} with identical API.
- */
-@Deprecated
-public abstract class VaultConnectorFactory implements VaultConnectorBuilder {
-    /**
-     * Get Factory implementation for HTTP Vault Connector.
-     *
-     * @return HTTP Connector Factory
-     * @deprecated As of 0.8.0 please refer to {@link VaultConnectorBuilder#http()}.
-     */
-    @Deprecated
-    public static HTTPVaultConnectorFactory httpFactory() {
-        return new HTTPVaultConnectorFactory();
-    }
-
-}
--- a/src/main/java/de/stklcode/jvault/connector/factory/package-info.java
+++ b/src/main/java/de/stklcode/jvault/connector/factory/package-info.java
@ -1,23 +0,0 @@
-/*
- * Copyright 2016-2021 Stefan Kalscheuer
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/**
- * This package contains the {@link de.stklcode.jvault.connector.factory.VaultConnectorFactory} to initialize a
- * connector instance.
- *
- * @deprecated As of v0.8.0 please refer to {@link de.stklcode.jvault.connector.builder}.
- */
-package de.stklcode.jvault.connector.factory;
--- a/src/main/java/de/stklcode/jvault/connector/internal/Error.java
+++ b/src/main/java/de/stklcode/jvault/connector/internal/Error.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -29,6 +29,7 @@ final class Error {
    static final String URI_FORMAT = "Invalid URI format";
    static final String RESPONSE_CODE = "Invalid response code";
    static final String INIT_SSL_CONTEXT = "Unable to initialize SSLContext";
+    static final String CONNECTION = "Unable to connect to Vault server";

    /**
     * Constructor hidden, this class should not be instantiated.
--- a/src/main/java/de/stklcode/jvault/connector/internal/RequestHelper.java
+++ b/src/main/java/de/stklcode/jvault/connector/internal/RequestHelper.java
@ -1,30 +1,35 @@
 package de.stklcode.jvault.connector.internal;

 import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.fasterxml.jackson.databind.SerializationFeature;
+import com.fasterxml.jackson.databind.json.JsonMapper;
+import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
 import de.stklcode.jvault.connector.exception.*;
 import de.stklcode.jvault.connector.model.response.ErrorResponse;
-import org.apache.http.HttpResponse;
-import org.apache.http.client.config.RequestConfig;
-import org.apache.http.client.methods.*;
-import org.apache.http.client.utils.URIBuilder;
-import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
-import org.apache.http.entity.StringEntity;
-import org.apache.http.impl.client.CloseableHttpClient;
-import org.apache.http.impl.client.HttpClientBuilder;
-import org.apache.http.util.EntityUtils;

 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManagerFactory;
 import java.io.*;
+import java.net.URI;
 import java.net.URISyntaxException;
-import java.nio.charset.StandardCharsets;
-import java.security.*;
+import java.net.URLEncoder;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
+import java.time.Duration;
 import java.util.Map;
+import java.util.concurrent.CompletionException;
 import java.util.stream.Collectors;

+import static java.nio.charset.StandardCharsets.UTF_8;
+
 /**
 * Helper class to bundle Vault HTTP requests.
 *
@ -39,7 +44,7 @@ public final class RequestHelper implements Serializable {
    private final int retries;                      // Number of retries on 5xx errors.
    private final String tlsVersion;                // TLS version (#22).
    private final X509Certificate trustedCaCert;    // Trusted CA certificate.
-    private final ObjectMapper jsonMapper;
+    private final JsonMapper jsonMapper;

    /**
     * Constructor of the request helper.
@ -55,12 +60,16 @@ public final class RequestHelper implements Serializable {
                         final Integer timeout,
                         final String tlsVersion,
                         final X509Certificate trustedCaCert) {
-        this.baseURL = baseURL;
+        this.baseURL = baseURL + (baseURL.endsWith("/") ? "" : "/");
        this.retries = retries;
        this.timeout = timeout;
        this.tlsVersion = tlsVersion;
        this.trustedCaCert = trustedCaCert;
-        this.jsonMapper = new ObjectMapper();
+        this.jsonMapper = JsonMapper.builder()
+            .addModule(new JavaTimeModule())
+            .enable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS)
+            .disable(DeserializationFeature.ADJUST_DATES_TO_CONTEXT_TIME_ZONE)
+            .build();
    }

    /**
@ -74,26 +83,24 @@ public final class RequestHelper implements Serializable {
     * @since 0.8 Added {@code token} parameter.
     */
    public String post(final String path, final Object payload, final String token) throws VaultConnectorException {
-        /* Initialize post */
-        HttpPost post = new HttpPost(baseURL + path);
+        // Initialize POST.
+        var req = HttpRequest.newBuilder(URI.create(baseURL + path));

-        /* generate JSON from payload */
-        StringEntity input;
+        // Generate JSON from payload.
        try {
-            input = new StringEntity(jsonMapper.writeValueAsString(payload), StandardCharsets.UTF_8);
+            req.POST(HttpRequest.BodyPublishers.ofString(jsonMapper.writeValueAsString(payload), UTF_8));
        } catch (JsonProcessingException e) {
            throw new InvalidRequestException(Error.PARSE_RESPONSE, e);
        }
-        input.setContentEncoding("UTF-8");
-        input.setContentType("application/json");
-        post.setEntity(input);

-        /* Set X-Vault-Token header */
+        req.setHeader("Content-Type", "application/json; charset=utf-8");
+
+        // Set X-Vault-Token header.
        if (token != null) {
-            post.addHeader(HEADER_VAULT_TOKEN, token);
+            req.setHeader(HEADER_VAULT_TOKEN, token);
        }

-        return request(post, retries);
+        return request(req, retries);
    }

    /**
@ -127,7 +134,8 @@ public final class RequestHelper implements Serializable {
     * @throws VaultConnectorException on connection error
     * @since 0.8
     */
-    public void postWithoutResponse(final String path, final Object payload, final String token) throws VaultConnectorException {
+    public void postWithoutResponse(final String path, final Object payload, final String token)
+        throws VaultConnectorException {
        if (!post(path, payload, token).isEmpty()) {
            throw new InvalidResponseException(Error.UNEXPECTED_RESPONSE);
        }
@ -143,27 +151,26 @@ public final class RequestHelper implements Serializable {
     * @throws VaultConnectorException on connection error
     * @since 0.8 Added {@code token} parameter.
     */
-    public String put(final String path, final Map<String, String> payload, final String token) throws VaultConnectorException {
-        /* Initialize put */
-        HttpPut put = new HttpPut(baseURL + path);
+    public String put(final String path, final Map<String, String> payload, final String token)
+        throws VaultConnectorException {
+        // Initialize PUT.
+        var req = HttpRequest.newBuilder(URI.create(baseURL + path));

-        /* generate JSON from payload */
-        StringEntity entity = null;
+        // Generate JSON from payload.
        try {
-            entity = new StringEntity(jsonMapper.writeValueAsString(payload));
-        } catch (UnsupportedEncodingException | JsonProcessingException e) {
+            req.PUT(HttpRequest.BodyPublishers.ofString(jsonMapper.writeValueAsString(payload), UTF_8));
+        } catch (JsonProcessingException e) {
            throw new InvalidRequestException("Payload serialization failed", e);
        }

-        /* Parse parameters */
-        put.setEntity(entity);
+        req.setHeader("Content-Type", "application/json; charset=utf-8");

-        /* Set X-Vault-Token header */
+        // Set X-Vault-Token header.
        if (token != null) {
-            put.addHeader(HEADER_VAULT_TOKEN, token);
+            req.setHeader(HEADER_VAULT_TOKEN, token);
        }

-        return request(put, retries);
+        return request(req, retries);
    }

    /**
@ -214,15 +221,15 @@ public final class RequestHelper implements Serializable {
     * @since 0.8 Added {@code token} parameter.
     */
    public String delete(final String path, final String token) throws VaultConnectorException {
-        /* Initialize delete */
-        HttpDelete delete = new HttpDelete(baseURL + path);
+        // Initialize DELETE.
+        HttpRequest.Builder req = HttpRequest.newBuilder(URI.create(baseURL + path)).DELETE();

-        /* Set X-Vault-Token header */
+        // Set X-Vault-Token header.
        if (token != null) {
-            delete.addHeader(HEADER_VAULT_TOKEN, token);
+            req.setHeader(HEADER_VAULT_TOKEN, token);
        }

-        return request(delete, retries);
+        return request(req, retries);
    }

    /**
@ -251,25 +258,31 @@ public final class RequestHelper implements Serializable {
     */
    public String get(final String path, final Map<String, String> payload, final String token)
        throws VaultConnectorException {
-        HttpGet get;
-        try {
-            /* Add parameters to URI */
-            URIBuilder uriBuilder = new URIBuilder(baseURL + path);
-            payload.forEach(uriBuilder::addParameter);
+        // Add parameters to URI.
+        var uriBuilder = new StringBuilder(baseURL + path);

-            /* Initialize request */
-            get = new HttpGet(uriBuilder.build());
+        if (!payload.isEmpty()) {
+            uriBuilder.append("?").append(
+                payload.entrySet().stream().map(par ->
+                    URLEncoder.encode(par.getKey(), UTF_8) + "=" + URLEncoder.encode(par.getValue(), UTF_8)
+                ).collect(Collectors.joining("&"))
+            );
+        }
+
+        // Initialize GET.
+        try {
+            var req = HttpRequest.newBuilder(new URI(uriBuilder.toString()));
+
+            // Set X-Vault-Token header.
+            if (token != null) {
+                req.setHeader(HEADER_VAULT_TOKEN, token);
+            }
+
+            return request(req, retries);
        } catch (URISyntaxException e) {
            /* this should never occur and may leak sensible information */
            throw new InvalidRequestException(Error.URI_FORMAT);
        }
-
-        /* Set X-Vault-Token header */
-        if (token != null) {
-            get.addHeader(HEADER_VAULT_TOKEN, token);
-        }
-
-        return request(get, retries);
    }

    /**
@ -297,34 +310,40 @@ public final class RequestHelper implements Serializable {
    /**
     * Execute prepared HTTP request and return result.
     *
-     * @param base    Prepares Request
-     * @param retries number of retries
+     * @param requestBuilder Prepared request.
+     * @param retries        Number of retries.
     * @return HTTP response
     * @throws VaultConnectorException on connection error
     */
-    private String request(final HttpRequestBase base, final int retries) throws VaultConnectorException {
-        /* Set JSON Header */
-        base.addHeader("accept", "application/json");
+    private String request(final HttpRequest.Builder requestBuilder, final int retries) throws VaultConnectorException {
+        // Set JSON Header.
+        requestBuilder.setHeader("accept", "application/json");

-        CloseableHttpResponse response = null;
+        var clientBuilder = HttpClient.newBuilder();

-        try (CloseableHttpClient httpClient = HttpClientBuilder.create()
-                .setSSLSocketFactory(createSSLSocketFactory())
-                .build()) {
-            /* Set custom timeout, if defined */
+        // Set custom timeout, if defined.
        if (this.timeout != null) {
-                base.setConfig(RequestConfig.copy(RequestConfig.DEFAULT).setConnectTimeout(timeout).build());
+            clientBuilder.connectTimeout(Duration.ofMillis(timeout));
        }

-            /* Execute request */
-            response = httpClient.execute(base);
+        // Set custom SSL context.
+        clientBuilder.sslContext(createSSLContext());
+
+        HttpClient client = clientBuilder.build();
+
+        // Execute request.
+        try {
+            HttpResponse<InputStream> response = client.sendAsync(
+                requestBuilder.build(),
+                HttpResponse.BodyHandlers.ofInputStream()
+            ).join();

            /* Check if response is valid */
            if (response == null) {
                throw new InvalidResponseException("Response unavailable");
            }

-            switch (response.getStatusLine().getStatusCode()) {
+            switch (response.statusCode()) {
                case 200:
                    return handleResult(response);
                case 204:
@ -332,65 +351,61 @@ public final class RequestHelper implements Serializable {
                case 403:
                    throw new PermissionDeniedException();
                default:
-                    if (response.getStatusLine().getStatusCode() >= 500
-                            && response.getStatusLine().getStatusCode() < 600 && retries > 0) {
-                        /* Retry on 5xx errors */
-                        return request(base, retries - 1);
+                    if (response.statusCode() >= 500 && response.statusCode() < 600 && retries > 0) {
+                        // Retry on 5xx errors.
+                        return request(requestBuilder, retries - 1);
                    } else {
-                        /* Fail on different error code and/or no retries left */
+                        // Fail on different error code and/or no retries left.
                        handleError(response);

-                        /* Throw exception without details, if response entity is empty. */
-                        throw new InvalidResponseException(Error.RESPONSE_CODE,
-                                response.getStatusLine().getStatusCode());
+                        // Throw exception without details, if response entity is empty.
+                        throw new InvalidResponseException(Error.RESPONSE_CODE, response.statusCode());
                    }
            }
-        } catch (IOException e) {
-            throw new InvalidResponseException(Error.READ_RESPONSE, e);
+        } catch (CompletionException e) {
+            throw new ConnectionException(Error.CONNECTION, e.getCause());
        } finally {
-            if (response != null && response.getEntity() != null) {
+            if (client instanceof AutoCloseable) {
+                // Close the client, which is supported since JDK21.
                try {
-                    EntityUtils.consume(response.getEntity());
-                } catch (IOException ignored) {
-                    // Exception ignored.
+                    ((AutoCloseable) client).close();
+                } catch (Exception ignored) {
+                    // Ignore
                }
            }
        }
    }

    /**
-     * Create a custom socket factory from trusted CA certificate.
+     * Create a custom SSL context from trusted CA certificate.
     *
-     * @return The factory.
+     * @return The context.
     * @throws TlsException An error occurred during initialization of the SSL context.
     * @since 0.8.0
+     * @since 0.10 Generate {@link SSLContext} instead of Apache {@code SSLConnectionSocketFactory}
     */
-    private SSLConnectionSocketFactory createSSLSocketFactory() throws TlsException {
+    private SSLContext createSSLContext() throws TlsException {
        try {
-            // Create context..
-            SSLContext context = SSLContext.getInstance(tlsVersion);
+            // Create context.
+            var sslContext = SSLContext.getInstance(tlsVersion);

            if (trustedCaCert != null) {
                // Create Keystore with trusted certificate.
-                KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+                var keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
                keyStore.load(null, null);
                keyStore.setCertificateEntry("trustedCert", trustedCaCert);

                // Initialize TrustManager.
-                TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+                var tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                tmf.init(keyStore);
-                context.init(null, tmf.getTrustManagers(), null);
+                sslContext.init(null, tmf.getTrustManagers(), null);
            } else {
-                context.init(null, null, null);
+                sslContext.init(null, null, null);
            }

-            return new SSLConnectionSocketFactory(
-                    context,
-                    null,
-                    null,
-                    SSLConnectionSocketFactory.getDefaultHostnameVerifier()
-            );
-        } catch (CertificateException | NoSuchAlgorithmException | KeyStoreException | IOException | KeyManagementException e) {
+            return sslContext;
+        } catch (CertificateException | NoSuchAlgorithmException | KeyStoreException | IOException |
+                 KeyManagementException e) {
            throw new TlsException(Error.INIT_SSL_CONTEXT, e);
        }
    }
@ -402,10 +417,9 @@ public final class RequestHelper implements Serializable {
     * @return Complete response body as String
     * @throws InvalidResponseException on reading errors
     */
-    private String handleResult(final HttpResponse response) throws InvalidResponseException {
-        try (BufferedReader br = new BufferedReader(
-                new InputStreamReader(response.getEntity().getContent()))) {
-            return br.lines().collect(Collectors.joining("\n"));
+    private String handleResult(final HttpResponse<InputStream> response) throws InvalidResponseException {
+        try (var reader = new BufferedReader(new InputStreamReader(response.body(), UTF_8))) {
+            return reader.lines().collect(Collectors.joining("\n"));
        } catch (IOException ignored) {
            throw new InvalidResponseException(Error.READ_RESPONSE, 200);
        }
@ -417,21 +431,20 @@ public final class RequestHelper implements Serializable {
     * @param response The raw HTTP response (assuming status code 5xx)
     * @throws VaultConnectorException Expected exception with details to throw
     */
-    private void handleError(final HttpResponse response) throws VaultConnectorException {
-        if (response.getEntity() != null) {
-            try (BufferedReader br = new BufferedReader(
-                    new InputStreamReader(response.getEntity().getContent()))) {
-                String responseString = br.lines().collect(Collectors.joining("\n"));
-                ErrorResponse er = jsonMapper.readValue(responseString, ErrorResponse.class);
+    private void handleError(final HttpResponse<InputStream> response) throws VaultConnectorException {
+        try (var body = response.body()) {
+            if (body != null) {
+                try (var reader = new BufferedReader(new InputStreamReader(body, UTF_8))) {
+                    ErrorResponse er = jsonMapper.readValue(reader, ErrorResponse.class);
                    /* Check for "permission denied" response */
                    if (!er.getErrors().isEmpty() && er.getErrors().get(0).equals("permission denied")) {
                        throw new PermissionDeniedException();
                    }
-                throw new InvalidResponseException(Error.RESPONSE_CODE,
-                        response.getStatusLine().getStatusCode(), er.toString());
+                    throw new InvalidResponseException(Error.RESPONSE_CODE, response.statusCode(), er.toString());
+                }
+            }
        } catch (IOException ignored) {
            // Exception ignored.
        }
    }
 }
-}
--- a/src/main/java/de/stklcode/jvault/connector/model/AppRole.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/AppRole.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -18,27 +18,21 @@ package de.stklcode.jvault.connector.model;

 import com.fasterxml.jackson.annotation.*;

+import java.io.Serializable;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Objects;

 /**
 * Vault AppRole role metamodel.
 *
 * @author Stefan Kalscheuer
 * @since 0.4.0
+ * @since 1.1 implements {@link Serializable}
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public final class AppRole {
-    /**
-     * Get {@link Builder} instance.
-     *
-     * @param name Role name.
-     * @return AppRole Builder.
-     * @since 0.8
-     */
-    public static Builder builder(final String name) {
-        return new Builder(name);
-    }
+public final class AppRole implements Serializable {
+    private static final long serialVersionUID = 693228837510483448L;

    @JsonProperty("role_name")
    private String name;
@ -61,9 +55,9 @@ public final class AppRole {
    @JsonInclude(JsonInclude.Include.NON_NULL)
    private Integer secretIdTtl;

-    @JsonProperty("enable_local_secret_ids")
+    @JsonProperty("local_secret_ids")
    @JsonInclude(JsonInclude.Include.NON_NULL)
-    private Boolean enableLocalSecretIds;
+    private Boolean localSecretIds;

    @JsonProperty("token_ttl")
    @JsonInclude(JsonInclude.Include.NON_NULL)
@ -105,53 +99,6 @@ public final class AppRole {
    public AppRole() {
    }

-    /**
-     * Construct complete {@link AppRole} object.
-     * <p>
-     * This constructor is used for transition from {@code bound_cidr_list} to {@code secret_id_bound_cidrs} only.
-     *
-     * @param name                 Role name (required)
-     * @param id                   Role ID (optional)
-     * @param bindSecretId         Bind secret ID (optional)
-     * @param secretIdBoundCidrs   Whitelist of subnets in CIDR notation (optional)
-     * @param secretIdNumUses      Maximum number of uses per secret (optional)
-     * @param secretIdTtl          Maximum TTL in seconds for secrets (optional)
-     * @param enableLocalSecretIds Enable local secret IDs (optional)
-     * @param tokenTtl             Token TTL in seconds (optional)
-     * @param tokenMaxTtl          Maximum token TTL in seconds, including renewals (optional)
-     * @param tokenPolicies        List of token policies (optional)
-     * @param tokenBoundCidrs      Whitelist of subnets in CIDR notation for associated tokens (optional)
-     * @param tokenExplicitMaxTtl  Explicit maximum TTL for associated tokens (optional)
-     * @param tokenNoDefaultPolicy Enable or disable default policy for associated tokens (optional)
-     * @param tokenNumUses         Number of uses for tokens (optional)
-     * @param tokenPeriod          Duration in seconds, if set the token is a periodic token (optional)
-     * @param tokenType            Token type (optional)
-     * @deprecated As of 0.9 in favor of {@link #builder(String)}. Will be removed with next major release.
-     */
-    @Deprecated
-    AppRole(final String name, final String id, final Boolean bindSecretId, final List<String> secretIdBoundCidrs,
-            final Integer secretIdNumUses, final Integer secretIdTtl, final Boolean enableLocalSecretIds,
-            final Integer tokenTtl, final Integer tokenMaxTtl, final List<String> tokenPolicies,
-            final List<String> tokenBoundCidrs, final Integer tokenExplicitMaxTtl, final Boolean tokenNoDefaultPolicy,
-            final Integer tokenNumUses, final Integer tokenPeriod, final String tokenType) {
-        this.name = name;
-        this.id = id;
-        this.bindSecretId = bindSecretId;
-        this.secretIdBoundCidrs = secretIdBoundCidrs;
-        this.tokenPolicies = tokenPolicies;
-        this.secretIdNumUses = secretIdNumUses;
-        this.secretIdTtl = secretIdTtl;
-        this.enableLocalSecretIds = enableLocalSecretIds;
-        this.tokenTtl = tokenTtl;
-        this.tokenMaxTtl = tokenMaxTtl;
-        this.tokenBoundCidrs = tokenBoundCidrs;
-        this.tokenExplicitMaxTtl = tokenExplicitMaxTtl;
-        this.tokenNoDefaultPolicy = tokenNoDefaultPolicy;
-        this.tokenNumUses = tokenNumUses;
-        this.tokenPeriod = tokenPeriod;
-        this.tokenType = tokenType;
-    }
-
    /**
     * Construct {@link AppRole} object from {@link AppRole.Builder}.
     *
@ -164,7 +111,7 @@ public final class AppRole {
        this.secretIdBoundCidrs = builder.secretIdBoundCidrs;
        this.secretIdNumUses = builder.secretIdNumUses;
        this.secretIdTtl = builder.secretIdTtl;
-        this.enableLocalSecretIds = builder.enableLocalSecretIds;
+        this.localSecretIds = builder.localSecretIds;
        this.tokenTtl = builder.tokenTtl;
        this.tokenMaxTtl = builder.tokenMaxTtl;
        this.tokenPolicies = builder.tokenPolicies;
@ -176,6 +123,17 @@ public final class AppRole {
        this.tokenType = builder.tokenType != null ? builder.tokenType.value() : null;
    }

+    /**
+     * Get {@link Builder} instance.
+     *
+     * @param name Role name.
+     * @return AppRole Builder.
+     * @since 0.8
+     */
+    public static Builder builder(final String name) {
+        return new Builder(name);
+    }
+
    /**
     * @return the role name
     */
@ -265,16 +223,6 @@ public final class AppRole {
        return tokenPolicies;
    }

-    /**
-     * @return list of token policies
-     * @deprecated Use {@link #getTokenPolicies()} instead.
-     */
-    @Deprecated
-    @JsonIgnore
-    public List<String> getPolicies() {
-        return getTokenPolicies();
-    }
-
    /**
     * @param tokenPolicies list of token policies
     * @since 0.9
@ -284,16 +232,6 @@ public final class AppRole {
        this.tokenPolicies = tokenPolicies;
    }

-    /**
-     * @param policies list of policies
-     * @deprecated Use {@link #setTokenPolicies(List)} instead.
-     */
-    @Deprecated
-    @JsonIgnore
-    public void setPolicies(final List<String> policies) {
-        setTokenPolicies(policies);
-    }
-
    /**
     * @return list of policies as comma-separated {@link String}
     * @since 0.9
@ -307,16 +245,6 @@ public final class AppRole {
        return String.join(",", tokenPolicies);
    }

-    /**
-     * @return list of policies as comma-separated {@link String}
-     * @deprecated Use {@link #getTokenPoliciesString()} instead.
-     */
-    @Deprecated
-    @JsonIgnore
-    public String getPoliciesString() {
-        return getTokenPoliciesString();
-    }
-
    /**
     * @return maximum number of uses per secret
     */
@ -334,9 +262,10 @@ public final class AppRole {
    /**
     * @return Enable local secret IDs?
     * @since 0.9
+     * @since 1.3 renamed to {@code getLocalSecretIds()}
     */
-    public Boolean getEnableLocalSecretIds() {
-        return enableLocalSecretIds;
+    public Boolean getLocalSecretIds() {
+        return localSecretIds;
    }

    /**
@ -385,16 +314,6 @@ public final class AppRole {
        return tokenPeriod;
    }

-    /**
-     * @return duration in seconds, if specified
-     * @deprecated Use {@link #getTokenPeriod()} instead.
-     */
-    @Deprecated
-    @JsonIgnore
-    public Integer getPeriod() {
-        return getTokenPeriod();
-    }
-
    /**
     * @return duration in seconds, if specified
     * @since 0.9
@ -403,6 +322,39 @@ public final class AppRole {
        return tokenType;
    }

+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        AppRole appRole = (AppRole) o;
+        return Objects.equals(name, appRole.name) &&
+            Objects.equals(id, appRole.id) &&
+            Objects.equals(bindSecretId, appRole.bindSecretId) &&
+            Objects.equals(secretIdBoundCidrs, appRole.secretIdBoundCidrs) &&
+            Objects.equals(secretIdNumUses, appRole.secretIdNumUses) &&
+            Objects.equals(secretIdTtl, appRole.secretIdTtl) &&
+            Objects.equals(localSecretIds, appRole.localSecretIds) &&
+            Objects.equals(tokenTtl, appRole.tokenTtl) &&
+            Objects.equals(tokenMaxTtl, appRole.tokenMaxTtl) &&
+            Objects.equals(tokenPolicies, appRole.tokenPolicies) &&
+            Objects.equals(tokenBoundCidrs, appRole.tokenBoundCidrs) &&
+            Objects.equals(tokenExplicitMaxTtl, appRole.tokenExplicitMaxTtl) &&
+            Objects.equals(tokenNoDefaultPolicy, appRole.tokenNoDefaultPolicy) &&
+            Objects.equals(tokenNumUses, appRole.tokenNumUses) &&
+            Objects.equals(tokenPeriod, appRole.tokenPeriod) &&
+            Objects.equals(tokenType, appRole.tokenType);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(name, id, bindSecretId, secretIdBoundCidrs, secretIdNumUses, secretIdTtl,
+            localSecretIds, tokenTtl, tokenMaxTtl, tokenPolicies, tokenBoundCidrs, tokenExplicitMaxTtl,
+            tokenNoDefaultPolicy, tokenNumUses, tokenPeriod, tokenType);
+    }
+

    /**
     * A builder for vault AppRole roles..
@ -419,7 +371,7 @@ public final class AppRole {
        private List<String> tokenPolicies;
        private Integer secretIdNumUses;
        private Integer secretIdTtl;
-        private Boolean enableLocalSecretIds;
+        private Boolean localSecretIds;
        private Integer tokenTtl;
        private Integer tokenMaxTtl;
        private List<String> tokenBoundCidrs;
@ -536,18 +488,6 @@ public final class AppRole {
            return this;
        }

-        /**
-         * Add given policies.
-         *
-         * @param policies the policies
-         * @return self
-         * @deprecated Use {@link #withTokenPolicies(List)} instead.
-         */
-        @Deprecated
-        public Builder withPolicies(final List<String> policies) {
-            return withTokenPolicies(policies);
-        }
-
        /**
         * Add a single policy.
         *
@ -563,18 +503,6 @@ public final class AppRole {
            return this;
        }

-        /**
-         * Add a single policy.
-         *
-         * @param policy the policy
-         * @return self
-         * @deprecated Use {@link #withTokenPolicy(String)} instead.
-         */
-        @Deprecated
-        public Builder withPolicy(final String policy) {
-            return withTokenPolicy(policy);
-        }
-
        /**
         * Set number of uses for sectet IDs.
         *
@ -600,12 +528,13 @@ public final class AppRole {
        /**
         * Enable or disable local secret IDs.
         *
-         * @param enableLocalSecretIds Enable local secret IDs?
+         * @param localSecretIds Enable local secret IDs?
         * @return self
         * @since 0.9
+         * @since 1.3 renamed to {@code withLocalSecretIds()}
         */
-        public Builder withEnableLocalSecretIds(final Boolean enableLocalSecretIds) {
-            this.enableLocalSecretIds = enableLocalSecretIds;
+        public Builder withLocalSecretIds(final Boolean localSecretIds) {
+            this.localSecretIds = localSecretIds;
            return this;
        }

@ -703,23 +632,11 @@ public final class AppRole {
         * @return self
         * @since 0.9
         */
-        public Builder wit0hTokenPeriod(final Integer tokenPeriod) {
+        public Builder withTokenPeriod(final Integer tokenPeriod) {
            this.tokenPeriod = tokenPeriod;
            return this;
        }

-        /**
-         * Set renewal period for generated token in seconds.
-         *
-         * @param period period in seconds
-         * @return self
-         * @deprecated Use {@link #wit0hTokenPeriod(Integer)} instead.
-         */
-        @Deprecated
-        public Builder withPeriod(final Integer period) {
-            return wit0hTokenPeriod(period);
-        }
-
        /**
         * Set type of generated token.
         *
--- a/src/main/java/de/stklcode/jvault/connector/model/AppRoleBuilder.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/AppRoleBuilder.java
@ -1,365 +0,0 @@
-/*
- * Copyright 2016-2021 Stefan Kalscheuer
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package de.stklcode.jvault.connector.model;
-
-import java.util.ArrayList;
-import java.util.List;
-
-/**
- * A builder for vault AppRole roles..
- *
- * @author Stefan Kalscheuer
- * @since 0.4.0
- * @deprecated As of 0.9 in favor of {@link AppRole.Builder}.
- */
-@Deprecated
-public final class AppRoleBuilder {
-    private String name;
-    private String id;
-    private Boolean bindSecretId;
-    private List<String> secretIdBoundCidrs;
-    private List<String> tokenPolicies;
-    private Integer secretIdNumUses;
-    private Integer secretIdTtl;
-    private Boolean enableLocalSecretIds;
-    private Integer tokenTtl;
-    private Integer tokenMaxTtl;
-    private List<String> tokenBoundCidrs;
-    private Integer tokenExplicitMaxTtl;
-    private Boolean tokenNoDefaultPolicy;
-    private Integer tokenNumUses;
-    private Integer tokenPeriod;
-    private Token.Type tokenType;
-
-    /**
-     * Construct {@link AppRoleBuilder} with only the role name set.
-     *
-     * @param name Role name
-     */
-    public AppRoleBuilder(final String name) {
-        this.name = name;
-    }
-
-    /**
-     * Add custom role ID. (optional)
-     *
-     * @param id the ID
-     * @return self
-     */
-    public AppRoleBuilder withId(final String id) {
-        this.id = id;
-        return this;
-    }
-
-    /**
-     * Set if role is bound to secret ID.
-     *
-     * @param bindSecretId the display name
-     * @return self
-     */
-    public AppRoleBuilder withBindSecretID(final Boolean bindSecretId) {
-        this.bindSecretId = bindSecretId;
-        return this;
-    }
-
-    /**
-     * Bind role to secret ID.
-     * Convenience method for {@link #withBindSecretID(Boolean)}
-     *
-     * @return self
-     */
-    public AppRoleBuilder withBindSecretID() {
-        return withBindSecretID(true);
-    }
-
-    /**
-     * Do not bind role to secret ID.
-     * Convenience method for {@link #withBindSecretID(Boolean)}
-     *
-     * @return self
-     */
-    public AppRoleBuilder withoutBindSecretID() {
-        return withBindSecretID(false);
-    }
-
-    /**
-     * Set bound CIDR blocks.
-     *
-     * @param secretIdBoundCidrs List of CIDR blocks which can perform login
-     * @return self
-     * @since 0.8 replaces {@code withBoundCidrList(List)}
-     */
-    public AppRoleBuilder withSecretIdBoundCidrs(final List<String> secretIdBoundCidrs) {
-        if (this.secretIdBoundCidrs == null) {
-            this.secretIdBoundCidrs = new ArrayList<>();
-        }
-        this.secretIdBoundCidrs.addAll(secretIdBoundCidrs);
-        return this;
-    }
-
-    /**
-     * Add a CIDR block to list of bound blocks for secret.
-     *
-     * @param secretBoundCidr the CIDR block
-     * @return self
-     * @since 0.9
-     */
-    public AppRoleBuilder withSecretBoundCidr(final String secretBoundCidr) {
-        if (secretIdBoundCidrs == null) {
-            secretIdBoundCidrs = new ArrayList<>();
-        }
-        secretIdBoundCidrs.add(secretBoundCidr);
-        return this;
-    }
-
-    /**
-     * Add given policies.
-     *
-     * @param tokenPolicies the token policies
-     * @return self
-     * @since 0.9
-     */
-    public AppRoleBuilder withTokenPolicies(final List<String> tokenPolicies) {
-        if (this.tokenPolicies == null) {
-            this.tokenPolicies = new ArrayList<>();
-        }
-        this.tokenPolicies.addAll(tokenPolicies);
-        return this;
-    }
-
-    /**
-     * Add given policies.
-     *
-     * @param policies the policies
-     * @return self
-     * @deprecated Use {@link #withTokenPolicies(List)} instead.
-     */
-    @Deprecated
-    public AppRoleBuilder withPolicies(final List<String> policies) {
-        return withTokenPolicies(policies);
-    }
-
-    /**
-     * Add a single policy.
-     *
-     * @param tokenPolicy the token policy
-     * @return self
-     * @since 0.9
-     */
-    public AppRoleBuilder withTokenPolicy(final String tokenPolicy) {
-        if (this.tokenPolicies == null) {
-            this.tokenPolicies = new ArrayList<>();
-        }
-        tokenPolicies.add(tokenPolicy);
-        return this;
-    }
-
-    /**
-     * Add a single policy.
-     *
-     * @param policy the policy
-     * @return self
-     * @deprecated Use {@link #withTokenPolicy(String)} instead.
-     */
-    @Deprecated
-    public AppRoleBuilder withPolicy(final String policy) {
-        return withTokenPolicy(policy);
-    }
-
-    /**
-     * Set number of uses for secret IDs.
-     *
-     * @param secretIdNumUses the number of uses
-     * @return self
-     */
-    public AppRoleBuilder withSecretIdNumUses(final Integer secretIdNumUses) {
-        this.secretIdNumUses = secretIdNumUses;
-        return this;
-    }
-
-    /**
-     * Set default secret ID TTL in seconds.
-     *
-     * @param secretIdTtl the TTL
-     * @return self
-     */
-    public AppRoleBuilder withSecretIdTtl(final Integer secretIdTtl) {
-        this.secretIdTtl = secretIdTtl;
-        return this;
-    }
-
-    /**
-     * Enable or disable local secret IDs.
-     *
-     * @param enableLocalSecretIds Enable local secret IDs?
-     * @return self
-     * @since 0.9
-     */
-    public AppRoleBuilder withEnableLocalSecretIds(final Boolean enableLocalSecretIds) {
-        this.enableLocalSecretIds = enableLocalSecretIds;
-        return this;
-    }
-
-    /**
-     * Set default token TTL in seconds.
-     *
-     * @param tokenTtl the TTL
-     * @return self
-     */
-    public AppRoleBuilder withTokenTtl(final Integer tokenTtl) {
-        this.tokenTtl = tokenTtl;
-        return this;
-    }
-
-    /**
-     * Set maximum token TTL in seconds.
-     *
-     * @param tokenMaxTtl the TTL
-     * @return self
-     */
-    public AppRoleBuilder withTokenMaxTtl(final Integer tokenMaxTtl) {
-        this.tokenMaxTtl = tokenMaxTtl;
-        return this;
-    }
-
-    /**
-     * Set bound CIDR blocks for associated tokens.
-     *
-     * @param tokenBoundCidrs List of CIDR blocks which can perform login
-     * @return self
-     * @since 0.9
-     */
-    public AppRoleBuilder withTokenBoundCidrs(final List<String> tokenBoundCidrs) {
-        if (this.tokenBoundCidrs == null) {
-            this.tokenBoundCidrs = new ArrayList<>();
-        }
-        this.tokenBoundCidrs.addAll(tokenBoundCidrs);
-        return this;
-    }
-
-    /**
-     * Add a CIDR block to list of bound blocks for token.
-     *
-     * @param tokenBoundCidr the CIDR block
-     * @return self
-     * @since 0.9
-     */
-    public AppRoleBuilder withTokenBoundCidr(final String tokenBoundCidr) {
-        if (tokenBoundCidrs == null) {
-            tokenBoundCidrs = new ArrayList<>();
-        }
-        tokenBoundCidrs.add(tokenBoundCidr);
-        return this;
-    }
-
-    /**
-     * Set explicit maximum token TTL in seconds.
-     *
-     * @param tokenExplicitMaxTtl the TTL
-     * @return self
-     */
-    public AppRoleBuilder withTokenExplicitMaxTtl(final Integer tokenExplicitMaxTtl) {
-        this.tokenExplicitMaxTtl = tokenExplicitMaxTtl;
-        return this;
-    }
-
-    /**
-     * Enable or disable default policy for generated token.
-     *
-     * @param tokenNoDefaultPolicy Enable default policy for token?
-     * @return self
-     * @since 0.9
-     */
-    public AppRoleBuilder withTokenNoDefaultPolicy(final Boolean tokenNoDefaultPolicy) {
-        this.tokenNoDefaultPolicy = tokenNoDefaultPolicy;
-        return this;
-    }
-
-    /**
-     * Set number of uses for generated tokens.
-     *
-     * @param tokenNumUses number of uses for tokens
-     * @return self
-     * @since 0.9
-     */
-    public AppRoleBuilder withTokenNumUses(final Integer tokenNumUses) {
-        this.tokenNumUses = tokenNumUses;
-        return this;
-    }
-
-    /**
-     * Set renewal period for generated token in seconds.
-     *
-     * @param tokenPeriod period in seconds
-     * @return self
-     * @since 0.9
-     */
-    public AppRoleBuilder wit0hTokenPeriod(final Integer tokenPeriod) {
-        this.tokenPeriod = tokenPeriod;
-        return this;
-    }
-
-    /**
-     * Set renewal period for generated token in seconds.
-     *
-     * @param period period in seconds
-     * @return self
-     * @deprecated Use {@link #wit0hTokenPeriod(Integer)} instead.
-     */
-    @Deprecated
-    public AppRoleBuilder withPeriod(final Integer period) {
-        return wit0hTokenPeriod(period);
-    }
-
-    /**
-     * Set type of generated token.
-     *
-     * @param tokenType token type
-     * @return self
-     * @since 0.9
-     */
-    public AppRoleBuilder withTokenType(final Token.Type tokenType) {
-        this.tokenType = tokenType;
-        return this;
-    }
-
-    /**
-     * Build the AppRole role based on given parameters.
-     *
-     * @return the role
-     */
-    public AppRole build() {
-        return new AppRole(
-                name,
-                id,
-                bindSecretId,
-                secretIdBoundCidrs,
-                secretIdNumUses,
-                secretIdTtl,
-                enableLocalSecretIds,
-                tokenTtl,
-                tokenMaxTtl,
-                tokenPolicies,
-                tokenBoundCidrs,
-                tokenExplicitMaxTtl,
-                tokenNoDefaultPolicy,
-                tokenNumUses,
-                tokenPeriod,
-                tokenType != null ? tokenType.value() : null
-        );
-    }
-}
--- a/src/main/java/de/stklcode/jvault/connector/model/AppRoleSecret.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/AppRoleSecret.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -18,17 +18,22 @@ package de.stklcode.jvault.connector.model;

 import com.fasterxml.jackson.annotation.*;

+import java.io.Serializable;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;

 /**
 * Vault AppRole role metamodel.
 *
 * @author Stefan Kalscheuer
 * @since 0.4.0
+ * @since 1.1 implements {@link Serializable}
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public final class AppRoleSecret {
+public final class AppRoleSecret implements Serializable {
+    private static final long serialVersionUID = -3401074170145792641L;
+
    @JsonProperty("secret_id")
    @JsonInclude(JsonInclude.Include.NON_NULL)
    private String id;
@ -166,4 +171,29 @@ public final class AppRoleSecret {
    public Integer getTtl() {
        return ttl;
    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        AppRoleSecret that = (AppRoleSecret) o;
+        return Objects.equals(id, that.id) &&
+            Objects.equals(accessor, that.accessor) &&
+            Objects.equals(metadata, that.metadata) &&
+            Objects.equals(cidrList, that.cidrList) &&
+            Objects.equals(creationTime, that.creationTime) &&
+            Objects.equals(expirationTime, that.expirationTime) &&
+            Objects.equals(lastUpdatedTime, that.lastUpdatedTime) &&
+            Objects.equals(numUses, that.numUses) &&
+            Objects.equals(ttl, that.ttl);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(id, accessor, metadata, cidrList, creationTime, expirationTime, lastUpdatedTime, numUses,
+            ttl);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/AuthBackend.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/AuthBackend.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -24,7 +24,6 @@ package de.stklcode.jvault.connector.model;
 */
 public enum AuthBackend {
    TOKEN("token"),
-    APPID("app-id"),
    APPROLE("approle"),
    USERPASS("userpass"),
    GITHUB("github"),   // Not supported yet.
--- a/src/main/java/de/stklcode/jvault/connector/model/Token.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/Token.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -20,6 +20,7 @@ import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;

+import java.io.Serializable;
 import java.util.*;

 /**
@ -27,18 +28,11 @@ import java.util.*;
 *
 * @author Stefan Kalscheuer
 * @since 0.4.0
+ * @since 1.1 implements {@link Serializable}
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public final class Token {
-    /**
-     * Get {@link Builder} instance.
-     *
-     * @return Token Builder.
-     * @since 0.8
-     */
-    public static Builder builder() {
-        return new Builder();
-    }
+public final class Token implements Serializable {
+    private static final long serialVersionUID = 5208508683665365287L;

    @JsonProperty("id")
    @JsonInclude(JsonInclude.Include.NON_NULL)
@ -98,71 +92,6 @@ public final class Token {
    public Token() {
    }

-    /**
-     * Construct complete {@link Token} object with default type.
-     *
-     * @param id              Token ID (optional)
-     * @param displayName     Token display name (optional)
-     * @param noParent        Token has no parent (optional)
-     * @param noDefaultPolicy Do not add default policy (optional)
-     * @param ttl             Token TTL in seconds (optional)
-     * @param numUses         Number of uses (optional)
-     * @param policies        List of policies (optional)
-     * @param meta            Metadata (optional)
-     * @param renewable       Is the token renewable (optional)
-     * @deprecated As of 0.9 in favor of {@link #builder()}. Will be removed with next major release.
-     */
-    @Deprecated
-    public Token(final String id,
-                 final String displayName,
-                 final Boolean noParent,
-                 final Boolean noDefaultPolicy,
-                 final Integer ttl,
-                 final Integer numUses,
-                 final List<String> policies,
-                 final Map<String, String> meta,
-                 final Boolean renewable) {
-        this(id, Type.DEFAULT.value(), displayName, noParent, noDefaultPolicy, ttl, numUses, policies, meta, renewable);
-    }
-
-    /**
-     * Construct complete {@link Token} object.
-     *
-     * @param id              Token ID (optional)
-     * @param type            Token type (optional)
-     * @param displayName     Token display name (optional)
-     * @param noParent        Token has no parent (optional)
-     * @param noDefaultPolicy Do not add default policy (optional)
-     * @param ttl             Token TTL in seconds (optional)
-     * @param numUses         Number of uses (optional)
-     * @param policies        List of policies (optional)
-     * @param meta            Metadata (optional)
-     * @param renewable       Is the token renewable (optional)
-     * @deprecated As of 0.9 in favor of {@link #builder()}. Will be removed with next major release.
-     */
-    @Deprecated
-    public Token(final String id,
-                 final String type,
-                 final String displayName,
-                 final Boolean noParent,
-                 final Boolean noDefaultPolicy,
-                 final Integer ttl,
-                 final Integer numUses,
-                 final List<String> policies,
-                 final Map<String, String> meta,
-                 final Boolean renewable) {
-        this.id = id;
-        this.type = type;
-        this.displayName = displayName;
-        this.ttl = ttl;
-        this.numUses = numUses;
-        this.noParent = noParent;
-        this.noDefaultPolicy = noDefaultPolicy;
-        this.policies = policies;
-        this.meta = meta;
-        this.renewable = renewable;
-    }
-
    /**
     * Construct {@link Token} object from {@link Builder}.
     *
@ -184,6 +113,16 @@ public final class Token {
        this.entityAlias = builder.entityAlias;
    }

+    /**
+     * Get {@link Builder} instance.
+     *
+     * @return Token Builder.
+     * @since 0.8
+     */
+    public static Builder builder() {
+        return new Builder();
+    }
+
    /**
     * @return Token ID
     */
@ -279,6 +218,35 @@ public final class Token {
        return entityAlias;
    }

+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        Token token = (Token) o;
+        return Objects.equals(id, token.id) &&
+            Objects.equals(type, token.type) &&
+            Objects.equals(displayName, token.displayName) &&
+            Objects.equals(noParent, token.noParent) &&
+            Objects.equals(noDefaultPolicy, token.noDefaultPolicy) &&
+            Objects.equals(ttl, token.ttl) &&
+            Objects.equals(explicitMaxTtl, token.explicitMaxTtl) &&
+            Objects.equals(numUses, token.numUses) &&
+            Objects.equals(policies, token.policies) &&
+            Objects.equals(meta, token.meta) &&
+            Objects.equals(renewable, token.renewable) &&
+            Objects.equals(period, token.period) &&
+            Objects.equals(entityAlias, token.entityAlias);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(id, type, displayName, noParent, noDefaultPolicy, ttl, explicitMaxTtl, numUses, policies,
+            meta, renewable, period, entityAlias);
+    }
+
    /**
     * Constants for token types.
     */
--- a/src/main/java/de/stklcode/jvault/connector/model/TokenBuilder.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/TokenBuilder.java
@ -1,275 +0,0 @@
-/*
- * Copyright 2016-2021 Stefan Kalscheuer
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package de.stklcode.jvault.connector.model;
-
-import java.util.*;
-
-/**
- * A builder for vault tokens.
- *
- * @author Stefan Kalscheuer
- * @since 0.4.0
- * @deprecated As of 0.9 in favor of {@link Token.Builder}.
- */
-@Deprecated
-public final class TokenBuilder {
-    private String id;
-    private Token.Type type;
-    private String displayName;
-    private Boolean noParent;
-    private Boolean noDefaultPolicy;
-    private Integer ttl;
-    private Integer numUses;
-    private List<String> policies;
-    private Map<String, String> meta;
-    private Boolean renewable;
-
-    /**
-     * Add token ID. (optional)
-     *
-     * @param id the ID
-     * @return self
-     */
-    public TokenBuilder withId(final String id) {
-        this.id = id;
-        return this;
-    }
-
-    /**
-     * Specify token type.
-     *
-     * @param type the type
-     * @return self
-     * @since 0.9
-     */
-    public TokenBuilder withType(final Token.Type type) {
-        this.type = type;
-        return this;
-    }
-
-    /**
-     * Add display name.
-     *
-     * @param displayName the display name
-     * @return self
-     */
-    public TokenBuilder withDisplayName(final String displayName) {
-        this.displayName = displayName;
-        return this;
-    }
-
-    /**
-     * Set desired time to live.
-     *
-     * @param ttl the ttl
-     * @return self
-     */
-    public TokenBuilder withTtl(final Integer ttl) {
-        this.ttl = ttl;
-        return this;
-    }
-
-    /**
-     * Set desired number of uses.
-     *
-     * @param numUses the number of uses
-     * @return self
-     */
-    public TokenBuilder withNumUses(final Integer numUses) {
-        this.numUses = numUses;
-        return this;
-    }
-
-    /**
-     * Set TRUE if the token should be created without parent.
-     *
-     * @param noParent if TRUE, token is created as orphan
-     * @return self
-     */
-    public TokenBuilder withNoParent(final boolean noParent) {
-        this.noParent = noParent;
-        return this;
-    }
-
-    /**
-     * Create token without parent.
-     * Convenience method for withNoParent()
-     *
-     * @return self
-     */
-    public TokenBuilder asOrphan() {
-        return withNoParent(true);
-    }
-
-    /**
-     * Create token with parent.
-     * Convenience method for withNoParent()
-     *
-     * @return self
-     */
-    public TokenBuilder withParent() {
-        return withNoParent(false);
-    }
-
-    /**
-     * Set TRUE if the default policy should not be part of this token.
-     *
-     * @param noDefaultPolicy if TRUE, default policy is not attached
-     * @return self
-     */
-    public TokenBuilder withNoDefaultPolicy(final boolean noDefaultPolicy) {
-        this.noDefaultPolicy = noDefaultPolicy;
-        return this;
-    }
-
-    /**
-     * Attach default policy to token.
-     * Convenience method for withNoDefaultPolicy()
-     *
-     * @return self
-     */
-    public TokenBuilder withDefaultPolicy() {
-        return withNoDefaultPolicy(false);
-    }
-
-    /**
-     * Do not attach default policy to token.
-     * Convenience method for withNoDefaultPolicy()
-     *
-     * @return self
-     */
-    public TokenBuilder withoutDefaultPolicy() {
-        return withNoDefaultPolicy(true);
-    }
-
-    /**
-     * Add given policies.
-     *
-     * @param policies the policies
-     * @return self
-     * @since 0.5.0
-     */
-    public TokenBuilder withPolicies(final String... policies) {
-        return withPolicies(Arrays.asList(policies));
-    }
-
-    /**
-     * Add given policies.
-     *
-     * @param policies the policies
-     * @return self
-     */
-    public TokenBuilder withPolicies(final List<String> policies) {
-        if (this.policies == null) {
-            this.policies = new ArrayList<>();
-        }
-        this.policies.addAll(policies);
-        return this;
-    }
-
-    /**
-     * Add a single policy.
-     *
-     * @param policy the policy
-     * @return self
-     */
-    public TokenBuilder withPolicy(final String policy) {
-        if (this.policies == null) {
-            this.policies = new ArrayList<>();
-        }
-        policies.add(policy);
-        return this;
-    }
-
-    /**
-     * Add meta data.
-     *
-     * @param meta the metadata
-     * @return self
-     */
-    public TokenBuilder withMeta(final Map<String, String> meta) {
-        if (this.meta == null) {
-            this.meta = new HashMap<>();
-        }
-        this.meta.putAll(meta);
-        return this;
-    }
-
-    /**
-     * Add meta data.
-     *
-     * @param key   the key
-     * @param value the value
-     * @return self
-     */
-    public TokenBuilder withMeta(final String key, final String value) {
-        if (this.meta == null) {
-            this.meta = new HashMap<>();
-        }
-        this.meta.put(key, value);
-        return this;
-    }
-
-    /**
-     * Set if token is renewable.
-     *
-     * @param renewable TRUE, if renewable
-     * @return self
-     */
-    public TokenBuilder withRenewable(final Boolean renewable) {
-        this.renewable = renewable;
-        return this;
-    }
-
-    /**
-     * Set token to be renewable.
-     * Convenience method for withRenewable()
-     *
-     * @return self
-     */
-    public TokenBuilder renewable() {
-        return withRenewable(true);
-    }
-
-    /**
-     * Set token to be not renewable.
-     * Convenience method for withRenewable()
-     *
-     * @return self
-     */
-    public TokenBuilder notRenewable() {
-        return withRenewable(false);
-    }
-
-    /**
-     * Build the token based on given parameters.
-     *
-     * @return the token
-     */
-    public Token build() {
-        return new Token(id,
-                type != null ? type.value() : null,
-                displayName,
-                noParent,
-                noDefaultPolicy,
-                ttl,
-                numUses,
-                policies,
-                meta,
-                renewable);
-    }
-}
--- a/src/main/java/de/stklcode/jvault/connector/model/TokenRole.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/TokenRole.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -20,25 +20,21 @@ import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;

+import java.io.Serializable;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Objects;

 /**
 * Vault Token Role metamodel.
 *
 * @author Stefan Kalscheuer
 * @since 0.9
+ * @since 1.1 implements {@link Serializable}
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public final class TokenRole {
-    /**
-     * Get {@link Builder} instance.
-     *
-     * @return Token Role Builder.
-     */
-    public static Builder builder() {
-        return new Builder();
-    }
+public final class TokenRole implements Serializable {
+    private static final long serialVersionUID = -3505215215838576321L;

    @JsonProperty("name")
    @JsonInclude(JsonInclude.Include.NON_NULL)
@ -48,10 +44,18 @@ public final class TokenRole {
    @JsonInclude(JsonInclude.Include.NON_NULL)
    private List<String> allowedPolicies;

+    @JsonProperty("allowed_policies_glob")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private List<String> allowedPoliciesGlob;
+
    @JsonProperty("disallowed_policies")
    @JsonInclude(JsonInclude.Include.NON_NULL)
    private List<String> disallowedPolicies;

+    @JsonProperty("disallowed_policies_glob")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private List<String> disallowedPoliciesGlob;
+
    @JsonProperty("orphan")
    @JsonInclude(JsonInclude.Include.NON_NULL)
    private Boolean orphan;
@ -101,7 +105,9 @@ public final class TokenRole {
    public TokenRole(final Builder builder) {
        this.name = builder.name;
        this.allowedPolicies = builder.allowedPolicies;
+        this.allowedPoliciesGlob = builder.allowedPoliciesGlob;
        this.disallowedPolicies = builder.disallowedPolicies;
+        this.disallowedPoliciesGlob = builder.disallowedPoliciesGlob;
        this.orphan = builder.orphan;
        this.renewable = builder.renewable;
        this.pathSuffix = builder.pathSuffix;
@ -114,6 +120,15 @@ public final class TokenRole {
        this.tokenType = builder.tokenType != null ? builder.tokenType.value() : null;
    }

+    /**
+     * Get {@link Builder} instance.
+     *
+     * @return Token Role Builder.
+     */
+    public static Builder builder() {
+        return new Builder();
+    }
+
    /**
     * @return Token Role name
     */
@ -128,6 +143,14 @@ public final class TokenRole {
        return allowedPolicies;
    }

+    /**
+     * @return List of allowed policy glob patterns
+     * @since 1.1
+     */
+    public List<String> getAllowedPoliciesGlob() {
+        return allowedPoliciesGlob;
+    }
+
    /**
     * @return List of disallowed policies
     */
@ -135,6 +158,14 @@ public final class TokenRole {
        return disallowedPolicies;
    }

+    /**
+     * @return List of disallowed policy glob patterns
+     * @since 1.1
+     */
+    public List<String> getDisallowedPoliciesGlob() {
+        return disallowedPoliciesGlob;
+    }
+
    /**
     * @return Is Token Role orphan?
     */
@ -205,6 +236,38 @@ public final class TokenRole {
        return tokenType;
    }

+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        TokenRole tokenRole = (TokenRole) o;
+        return Objects.equals(name, tokenRole.name) &&
+            Objects.equals(allowedPolicies, tokenRole.allowedPolicies) &&
+            Objects.equals(allowedPoliciesGlob, tokenRole.allowedPoliciesGlob) &&
+            Objects.equals(disallowedPolicies, tokenRole.disallowedPolicies) &&
+            Objects.equals(disallowedPoliciesGlob, tokenRole.disallowedPoliciesGlob) &&
+            Objects.equals(orphan, tokenRole.orphan) &&
+            Objects.equals(renewable, tokenRole.renewable) &&
+            Objects.equals(pathSuffix, tokenRole.pathSuffix) &&
+            Objects.equals(allowedEntityAliases, tokenRole.allowedEntityAliases) &&
+            Objects.equals(tokenBoundCidrs, tokenRole.tokenBoundCidrs) &&
+            Objects.equals(tokenExplicitMaxTtl, tokenRole.tokenExplicitMaxTtl) &&
+            Objects.equals(tokenNoDefaultPolicy, tokenRole.tokenNoDefaultPolicy) &&
+            Objects.equals(tokenNumUses, tokenRole.tokenNumUses) &&
+            Objects.equals(tokenPeriod, tokenRole.tokenPeriod) &&
+            Objects.equals(tokenType, tokenRole.tokenType);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(name, allowedPolicies, allowedPoliciesGlob, disallowedPolicies, disallowedPoliciesGlob,
+            orphan, renewable, pathSuffix, allowedEntityAliases, tokenBoundCidrs, tokenExplicitMaxTtl,
+            tokenNoDefaultPolicy, tokenNumUses, tokenPeriod, tokenType);
+    }
+
    /**
     * A builder for vault token roles.
     *
@ -214,7 +277,9 @@ public final class TokenRole {
    public static final class Builder {
        private String name;
        private List<String> allowedPolicies;
+        private List<String> allowedPoliciesGlob;
        private List<String> disallowedPolicies;
+        private List<String> disallowedPoliciesGlob;
        private Boolean orphan;
        private Boolean renewable;
        private String pathSuffix;
@ -269,6 +334,40 @@ public final class TokenRole {
            return this;
        }

+        /**
+         * Add an allowed policy glob pattern.
+         *
+         * @param allowedPolicyGlob allowed policy glob pattern to add
+         * @return self
+         * @since 1.1
+         */
+        public Builder withAllowedPolicyGlob(final String allowedPolicyGlob) {
+            if (allowedPolicyGlob != null) {
+                if (this.allowedPoliciesGlob == null) {
+                    this.allowedPoliciesGlob = new ArrayList<>();
+                }
+                this.allowedPoliciesGlob.add(allowedPolicyGlob);
+            }
+            return this;
+        }
+
+        /**
+         * Add allowed policy glob patterns.
+         *
+         * @param allowedPoliciesGlob list of allowed policy glob patterns
+         * @return self
+         * @since 1.1
+         */
+        public Builder withAllowedPoliciesGlob(final List<String> allowedPoliciesGlob) {
+            if (allowedPoliciesGlob != null) {
+                if (this.allowedPoliciesGlob == null) {
+                    this.allowedPoliciesGlob = new ArrayList<>();
+                }
+                this.allowedPoliciesGlob.addAll(allowedPoliciesGlob);
+            }
+            return this;
+        }
+
        /**
         * Add a disallowed policy.
         *
@ -301,6 +400,40 @@ public final class TokenRole {
            return this;
        }

+        /**
+         * Add an allowed policy glob pattern.
+         *
+         * @param disallowedPolicyGlob disallowed policy glob pattern to add
+         * @return self
+         * @since 1.1
+         */
+        public Builder withDisallowedPolicyGlob(final String disallowedPolicyGlob) {
+            if (disallowedPolicyGlob != null) {
+                if (this.disallowedPoliciesGlob == null) {
+                    this.disallowedPoliciesGlob = new ArrayList<>();
+                }
+                this.disallowedPoliciesGlob.add(disallowedPolicyGlob);
+            }
+            return this;
+        }
+
+        /**
+         * Add disallowed policy glob patterns.
+         *
+         * @param disallowedPoliciesGlob list of disallowed policy glob patterns
+         * @return self
+         * @since 1.1
+         */
+        public Builder withDisallowedPoliciesGlob(final List<String> disallowedPoliciesGlob) {
+            if (disallowedPoliciesGlob != null) {
+                if (this.disallowedPoliciesGlob == null) {
+                    this.disallowedPoliciesGlob = new ArrayList<>();
+                }
+                this.disallowedPoliciesGlob.addAll(disallowedPoliciesGlob);
+            }
+            return this;
+        }
+
        /**
         * Set TRUE if the token role should be created orphan.
         *
--- a/src/main/java/de/stklcode/jvault/connector/model/package-info.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/package-info.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/AppRoleResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/AppRoleResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,13 +17,10 @@
 package de.stklcode.jvault.connector.model.response;

 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import com.fasterxml.jackson.annotation.JsonProperty;
 import de.stklcode.jvault.connector.model.AppRole;

-import java.io.IOException;
-import java.util.HashMap;
-import java.util.Map;
+import java.util.Objects;

 /**
 * Vault response for AppRole lookup.
@ -33,24 +30,10 @@ import java.util.Map;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class AppRoleResponse extends VaultDataResponse {
-    private AppRole role;
+    private static final long serialVersionUID = -6536422219633829177L;

-    @Override
-    public void setData(final Map<String, Object> data) throws InvalidResponseException {
-        ObjectMapper mapper = new ObjectMapper();
-        try {
-            /* null empty strings on list objects */
-            Map<String, Object> filteredData = new HashMap<>(data.size(), 1);
-            data.forEach((k, v) -> {
-                if (!(v instanceof String && ((String) v).isEmpty())) {
-                    filteredData.put(k, v);
-                }
-            });
-            this.role = mapper.readValue(mapper.writeValueAsString(filteredData), AppRole.class);
-        } catch (IOException e) {
-            throw new InvalidResponseException("Failed deserializing response", e);
-        }
-    }
+    @JsonProperty("data")
+    private AppRole role;

    /**
     * @return The role
@ -58,4 +41,20 @@ public final class AppRoleResponse extends VaultDataResponse {
    public AppRole getRole() {
        return role;
    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
+            return false;
+        }
+        AppRoleResponse that = (AppRoleResponse) o;
+        return Objects.equals(role, that.role);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(super.hashCode(), role);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/AppRoleSecretResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/AppRoleSecretResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,13 +17,10 @@
 package de.stklcode.jvault.connector.model.response;

 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import com.fasterxml.jackson.annotation.JsonProperty;
 import de.stklcode.jvault.connector.model.AppRoleSecret;

-import java.io.IOException;
-import java.util.HashMap;
-import java.util.Map;
+import java.util.Objects;

 /**
 * Vault response for AppRole lookup.
@ -33,24 +30,10 @@ import java.util.Map;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class AppRoleSecretResponse extends VaultDataResponse {
-    private AppRoleSecret secret;
+    private static final long serialVersionUID = -2484103304072370585L;

-    @Override
-    public void setData(final Map<String, Object> data) throws InvalidResponseException {
-        ObjectMapper mapper = new ObjectMapper();
-        try {
-            /* null empty strings on list objects */
-            Map<String, Object> filteredData = new HashMap<>(data.size(), 1);
-            data.forEach((k, v) -> {
-                if (!(v instanceof String && ((String) v).isEmpty())) {
-                    filteredData.put(k, v);
-                }
-            });
-            this.secret = mapper.readValue(mapper.writeValueAsString(filteredData), AppRoleSecret.class);
-        } catch (IOException e) {
-            throw new InvalidResponseException("Failed deserializing response", e);
-        }
-    }
+    @JsonProperty("data")
+    private AppRoleSecret secret;

    /**
     * @return The secret
@ -58,4 +41,20 @@ public final class AppRoleSecretResponse extends VaultDataResponse {
    public AppRoleSecret getSecret() {
        return secret;
    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
+            return false;
+        }
+        AppRoleSecretResponse that = (AppRoleSecretResponse) o;
+        return Objects.equals(secret, that.secret);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(super.hashCode(), secret);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/AuthMethodsResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/AuthMethodsResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,13 +17,12 @@
 package de.stklcode.jvault.connector.model.response;

 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import com.fasterxml.jackson.annotation.JsonProperty;
 import de.stklcode.jvault.connector.model.response.embedded.AuthMethod;

-import java.io.IOException;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Objects;

 /**
 * Authentication method response.
@ -33,6 +32,9 @@ import java.util.Map;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class AuthMethodsResponse extends VaultDataResponse {
+    private static final long serialVersionUID = -1802724129533405375L;
+
+    @JsonProperty("data")
    private Map<String, AuthMethod> supportedMethods;

    /**
@ -42,23 +44,26 @@ public final class AuthMethodsResponse extends VaultDataResponse {
        this.supportedMethods = new HashMap<>();
    }

-    @Override
-    public void setData(final Map<String, Object> data) throws InvalidResponseException {
-        ObjectMapper mapper = new ObjectMapper();
-        for (Map.Entry<String, Object> entry : data.entrySet()) {
-            try {
-                this.supportedMethods.put(entry.getKey(),
-                        mapper.readValue(mapper.writeValueAsString(entry.getValue()), AuthMethod.class));
-            } catch (IOException e) {
-                throw new InvalidResponseException();
-            }
-        }
-    }
-
    /**
     * @return Supported authentication methods
     */
    public Map<String, AuthMethod> getSupportedMethods() {
        return supportedMethods;
    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
+            return false;
+        }
+        AuthMethodsResponse that = (AuthMethodsResponse) o;
+        return Objects.equals(supportedMethods, that.supportedMethods);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(super.hashCode(), supportedMethods);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/AuthResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/AuthResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,14 +17,8 @@
 package de.stklcode.jvault.connector.model.response;

 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import com.fasterxml.jackson.annotation.JsonProperty;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
 import de.stklcode.jvault.connector.model.response.embedded.AuthData;

-import java.io.IOException;
-import java.util.Map;
-
 /**
 * Vault response for authentication providing auth info in {@link AuthData} field.
 *
@ -33,42 +27,5 @@ import java.util.Map;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class AuthResponse extends VaultDataResponse {
-    private Map<String, Object> data;
-
-    private AuthData auth;
-
-    /**
-     * Set authentication data. The input will be mapped to the {@link AuthData} model.
-     *
-     * @param auth Raw authentication data
-     * @throws InvalidResponseException on mapping errors
-     */
-    @JsonProperty("auth")
-    public void setAuth(final Map<String, Object> auth) throws InvalidResponseException {
-        ObjectMapper mapper = new ObjectMapper();
-        try {
-            this.auth = mapper.readValue(mapper.writeValueAsString(auth), AuthData.class);
-        } catch (IOException e) {
-            throw new InvalidResponseException("Failed deserializing response", e);
-        }
-    }
-
-    @Override
-    public void setData(final Map<String, Object> data) {
-        this.data = data;
-    }
-
-    /**
-     * @return Raw data
-     */
-    public Map<String, Object> getData() {
-        return data;
-    }
-
-    /**
-     * @return Authentication data
-     */
-    public AuthData getAuth() {
-        return auth;
-    }
+    private static final long serialVersionUID = 1628851361067456715L;
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/CredentialsResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/CredentialsResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -25,7 +25,8 @@ import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 * @since 0.5.0
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public final class CredentialsResponse extends SecretResponse {
+public final class CredentialsResponse extends PlainSecretResponse {
+    private static final long serialVersionUID = -1439692963299045425L;

    /**
     * @return Username
--- a/src/main/java/de/stklcode/jvault/connector/model/response/ErrorResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/ErrorResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -20,6 +20,7 @@ import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;

 import java.util.List;
+import java.util.Objects;

 /**
 * Vault response in case of errors.
@ -29,6 +30,8 @@ import java.util.List;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class ErrorResponse implements VaultResponse {
+    private static final long serialVersionUID = -6227368087842549149L;
+
    @JsonProperty("errors")
    private List<String> errors;

@ -47,4 +50,20 @@ public final class ErrorResponse implements VaultResponse {
            return errors.get(0);
        }
    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        ErrorResponse that = (ErrorResponse) o;
+        return Objects.equals(errors, that.errors);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(errors);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/HealthResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/HealthResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,6 +19,8 @@ package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;

+import java.util.Objects;
+
 /**
 * Vault response for health query.
 *
@ -27,6 +29,8 @@ import com.fasterxml.jackson.annotation.JsonProperty;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class HealthResponse implements VaultResponse {
+    private static final long serialVersionUID = 8675155916902904516L;
+
    @JsonProperty("cluster_id")
    private String clusterID;

@ -48,7 +52,7 @@ public final class HealthResponse implements VaultResponse {
    @JsonProperty("initialized")
    private Boolean initialized;

-    @JsonProperty("replication_perf_mode")
+    @JsonProperty("replication_performance_mode")
    private String replicationPerfMode;

    @JsonProperty("replication_dr_mode")
@ -57,6 +61,18 @@ public final class HealthResponse implements VaultResponse {
    @JsonProperty("performance_standby")
    private Boolean performanceStandby;

+    @JsonProperty("echo_duration_ms")
+    private Long echoDurationMs;
+
+    @JsonProperty("clock_skew_ms")
+    private Long clockSkewMs;
+
+    @JsonProperty("replication_primary_canary_age_ms")
+    private Long replicationPrimaryCanaryAgeMs;
+
+    @JsonProperty("enterprise")
+    private Boolean enterprise;
+
    /**
     * @return The Cluster ID.
     */
@ -129,4 +145,67 @@ public final class HealthResponse implements VaultResponse {
    public Boolean isPerformanceStandby() {
        return performanceStandby;
    }
+
+    /**
+     * @return Heartbeat echo duration in milliseconds (since Vault 1.16)
+     * @since 1.3
+     */
+    public Long getEchoDurationMs() {
+        return echoDurationMs;
+    }
+
+    /**
+     * @return Clock skew in milliseconds (since Vault 1.16)
+     * @since 1.3
+     */
+    public Long getClockSkewMs() {
+        return clockSkewMs;
+    }
+
+    /**
+     * @return Replication primary canary age in milliseconds (since Vault 1.17)
+     * @since 1.3
+     */
+    public Long getReplicationPrimaryCanaryAgeMs() {
+        return replicationPrimaryCanaryAgeMs;
+    }
+
+    /**
+     * @return Enterprise instance? (since Vault 1.17)
+     * @since 1.3
+     */
+    public Boolean isEnterprise() {
+        return enterprise;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        HealthResponse that = (HealthResponse) o;
+        return Objects.equals(clusterID, that.clusterID) &&
+            Objects.equals(clusterName, that.clusterName) &&
+            Objects.equals(version, that.version) &&
+            Objects.equals(serverTimeUTC, that.serverTimeUTC) &&
+            Objects.equals(standby, that.standby) &&
+            Objects.equals(sealed, that.sealed) &&
+            Objects.equals(initialized, that.initialized) &&
+            Objects.equals(replicationPerfMode, that.replicationPerfMode) &&
+            Objects.equals(replicationDrMode, that.replicationDrMode) &&
+            Objects.equals(performanceStandby, that.performanceStandby) &&
+            Objects.equals(echoDurationMs, that.echoDurationMs) &&
+            Objects.equals(clockSkewMs, that.clockSkewMs) &&
+            Objects.equals(replicationPrimaryCanaryAgeMs, that.replicationPrimaryCanaryAgeMs) &&
+            Objects.equals(enterprise, that.enterprise);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(clusterID, clusterName, version, serverTimeUTC, standby, sealed, initialized,
+            replicationPerfMode, replicationDrMode, performanceStandby, echoDurationMs, clockSkewMs,
+            replicationPrimaryCanaryAgeMs, enterprise);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/HelpResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/HelpResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,6 +19,8 @@ package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;

+import java.util.Objects;
+
 /**
 * Vault response for help request.
 *
@ -27,6 +29,8 @@ import com.fasterxml.jackson.annotation.JsonProperty;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class HelpResponse implements VaultResponse {
+    private static final long serialVersionUID = -1152070966642848490L;
+
    @JsonProperty("help")
    private String help;

@ -36,4 +40,20 @@ public final class HelpResponse implements VaultResponse {
    public String getHelp() {
        return help;
    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        HelpResponse that = (HelpResponse) o;
+        return Objects.equals(help, that.help);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(help);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/MetaSecretResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/MetaSecretResponse.java
@ -0,0 +1,75 @@
+/*
+ * Copyright 2016-2025 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import de.stklcode.jvault.connector.model.response.embedded.SecretWrapper;
+import de.stklcode.jvault.connector.model.response.embedded.VersionMetadata;
+
+import java.io.Serializable;
+import java.util.Collections;
+import java.util.Map;
+import java.util.Objects;
+
+/**
+ * Vault response for secret responses with metadata.
+ *
+ * @author Stefan Kalscheuer
+ * @since 1.1 abstract
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class MetaSecretResponse extends SecretResponse {
+    private static final long serialVersionUID = -1076542846391240162L;
+
+    @JsonProperty("data")
+    private SecretWrapper secret;
+
+    @Override
+    public final Map<String, Serializable> getData() {
+        if (secret != null) {
+            return secret.getData();
+        } else {
+            return Collections.emptyMap();
+        }
+    }
+
+    @Override
+    public final VersionMetadata getMetadata() {
+        if (secret != null) {
+            return secret.getMetadata();
+        } else {
+            return null;
+        }
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
+            return false;
+        }
+        MetaSecretResponse that = (MetaSecretResponse) o;
+        return Objects.equals(secret, that.secret);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(super.hashCode(), secret);
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/response/MetadataResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/MetadataResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,12 +17,11 @@
 package de.stklcode.jvault.connector.model.response;

 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import com.fasterxml.jackson.annotation.JsonProperty;
 import de.stklcode.jvault.connector.model.response.embedded.SecretMetadata;

-import java.io.IOException;
-import java.util.Map;
+import java.util.Objects;
+

 /**
 * Vault response for secret metadata (KV v2).
@ -32,19 +31,11 @@ import java.util.Map;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public class MetadataResponse extends VaultDataResponse {
+    private static final long serialVersionUID = -3679762333630984679L;

+    @JsonProperty("data")
    private SecretMetadata metadata;

-    @Override
-    public final void setData(final Map<String, Object> data) throws InvalidResponseException {
-        ObjectMapper mapper = new ObjectMapper();
-        try {
-            this.metadata = mapper.readValue(mapper.writeValueAsString(data), SecretMetadata.class);
-        } catch (IOException e) {
-            throw new InvalidResponseException("Failed deserializing response", e);
-        }
-    }
-
    /**
     * Get the actual metadata.
     *
@ -53,4 +44,20 @@ public class MetadataResponse extends VaultDataResponse {
    public SecretMetadata getMetadata() {
        return metadata;
    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
+            return false;
+        }
+        MetadataResponse that = (MetadataResponse) o;
+        return Objects.equals(metadata, that.metadata);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(super.hashCode(), metadata);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/PlainSecretResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/PlainSecretResponse.java
@ -0,0 +1,66 @@
+/*
+ * Copyright 2016-2025 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import de.stklcode.jvault.connector.model.response.embedded.VersionMetadata;
+
+import java.io.Serializable;
+import java.util.Collections;
+import java.util.Map;
+import java.util.Objects;
+
+/**
+ * Vault response for plain secret responses.
+ *
+ * @author Stefan Kalscheuer
+ * @since 1.1 abstract
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class PlainSecretResponse extends SecretResponse {
+    private static final long serialVersionUID = 3010138542437913023L;
+
+    @JsonProperty("data")
+    private Map<String, Serializable> data;
+
+    @Override
+    public final Map<String, Serializable> getData() {
+        return Objects.requireNonNullElseGet(data, Collections::emptyMap);
+    }
+
+    @Override
+    public final VersionMetadata getMetadata() {
+        return null;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
+            return false;
+        }
+        PlainSecretResponse that = (PlainSecretResponse) o;
+        return Objects.equals(data, that.data);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(super.hashCode(), data);
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/response/RawDataResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/RawDataResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,8 +17,11 @@
 package de.stklcode.jvault.connector.model.response;

 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;

+import java.io.Serializable;
 import java.util.Map;
+import java.util.Objects;

 /**
 * Simple Vault data response.
@ -28,17 +31,31 @@ import java.util.Map;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class RawDataResponse extends VaultDataResponse {
-    private Map<String, Object> data;
+    private static final long serialVersionUID = -319727427792124071L;

-    @Override
-    public void setData(final Map<String, Object> data) {
-        this.data = data;
-    }
+    @JsonProperty("data")
+    private Map<String, Serializable> data;

    /**
     * @return Raw data {@link Map}
     */
-    public Map<String, Object> getData() {
+    public Map<String, Serializable> getData() {
        return data;
    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
+            return false;
+        }
+        RawDataResponse that = (RawDataResponse) o;
+        return Objects.equals(data, that.data);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(super.hashCode(), data);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/SealResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/SealResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,6 +19,9 @@ package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;

+import java.time.ZonedDateTime;
+import java.util.Objects;
+
 /**
 * Vault response for seal status or unseal request.
 *
@ -27,6 +30,8 @@ import com.fasterxml.jackson.annotation.JsonProperty;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class SealResponse implements VaultResponse {
+    private static final long serialVersionUID = -6000309255473305787L;
+
    @JsonProperty("type")
    private String type;

@ -48,6 +53,9 @@ public final class SealResponse implements VaultResponse {
    @JsonProperty("version")
    private String version;

+    @JsonProperty("build_date")
+    private ZonedDateTime buildDate;
+
    @JsonProperty("nonce")
    private String nonce;

@ -57,6 +65,15 @@ public final class SealResponse implements VaultResponse {
    @JsonProperty("cluster_id")
    private String clusterId;

+    @JsonProperty("migration")
+    private Boolean migration;
+
+    @JsonProperty("recovery_seal")
+    private Boolean recoverySeal;
+
+    @JsonProperty("storage_type")
+    private String storageType;
+
    /**
     * @return Seal type.
     * @since 0.8
@ -109,6 +126,14 @@ public final class SealResponse implements VaultResponse {
        return version;
    }

+    /**
+     * @return Vault build date.
+     * @since 1.2
+     */
+    public ZonedDateTime getBuildDate() {
+        return buildDate;
+    }
+
    /**
     * @return A random nonce.
     * @since 0.8
@ -132,4 +157,58 @@ public final class SealResponse implements VaultResponse {
    public String getClusterId() {
        return clusterId;
    }
+
+    /**
+     * @return Migration status (since Vault 1.4)
+     * @since 1.1
+     */
+    public Boolean getMigration() {
+        return migration;
+    }
+
+    /**
+     * @return Recovery seal status.
+     * @since 1.1
+     */
+    public Boolean getRecoverySeal() {
+        return recoverySeal;
+    }
+
+    /**
+     * @return Storage type (since Vault 1.3).
+     * @since 1.1
+     */
+    public String getStorageType() {
+        return storageType;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        SealResponse that = (SealResponse) o;
+        return sealed == that.sealed &&
+            initialized == that.initialized &&
+            Objects.equals(type, that.type) &&
+            Objects.equals(threshold, that.threshold) &&
+            Objects.equals(numberOfShares, that.numberOfShares) &&
+            Objects.equals(progress, that.progress) &&
+            Objects.equals(version, that.version) &&
+            Objects.equals(buildDate, that.buildDate) &&
+            Objects.equals(nonce, that.nonce) &&
+            Objects.equals(clusterName, that.clusterName) &&
+            Objects.equals(clusterId, that.clusterId) &&
+            Objects.equals(migration, that.migration) &&
+            Objects.equals(recoverySeal, that.recoverySeal) &&
+            Objects.equals(storageType, that.storageType);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(type, sealed, initialized, threshold, numberOfShares, progress, version, buildDate, nonce,
+            clusterName, clusterId, migration, recoverySeal, storageType);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/SecretListResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/SecretListResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -18,10 +18,11 @@ package de.stklcode.jvault.connector.model.response;

 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import de.stklcode.jvault.connector.model.response.embedded.SecretListWrapper;

+import java.util.Collections;
 import java.util.List;
-import java.util.Map;
+import java.util.Objects;

 /**
 * Vault response for secret list request.
@ -31,27 +32,34 @@ import java.util.Map;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class SecretListResponse extends VaultDataResponse {
-    private List<String> keys;

-    /**
-     * Set data. Extracts list of keys from raw response data.
-     *
-     * @param data Raw data
-     * @throws InvalidResponseException on parsing errors
-     */
+    private static final long serialVersionUID = 8597121175002967213L;
    @JsonProperty("data")
-    public void setData(final Map<String, Object> data) throws InvalidResponseException {
-        try {
-            this.keys = (List<String>) data.get("keys");
-        } catch (ClassCastException e) {
-            throw new InvalidResponseException("Keys could not be parsed from data.", e);
-        }
-    }
+    private SecretListWrapper data;

    /**
     * @return List of secret keys
     */
    public List<String> getKeys() {
-        return keys;
+        if (data == null) {
+            return Collections.emptyList();
+        }
+        return Objects.requireNonNullElseGet(data.getKeys(), Collections::emptyList);
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
+            return false;
+        }
+        SecretListResponse that = (SecretListResponse) o;
+        return Objects.equals(data, that.data);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(super.hashCode(), data);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/SecretResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/SecretResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,12 +17,15 @@
 package de.stklcode.jvault.connector.model.response;

 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.fasterxml.jackson.databind.SerializationFeature;
+import com.fasterxml.jackson.databind.json.JsonMapper;
+import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
 import de.stklcode.jvault.connector.exception.InvalidResponseException;
 import de.stklcode.jvault.connector.model.response.embedded.VersionMetadata;

 import java.io.IOException;
-import java.util.Collections;
+import java.io.Serializable;
 import java.util.Map;

 /**
@ -30,46 +33,20 @@ import java.util.Map;
 *
 * @author Stefan Kalscheuer
 * @since 0.1
+ * @since 1.1 abstract
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public class SecretResponse extends VaultDataResponse {
-    private static final String KEY_DATA = "data";
-    private static final String KEY_METADATA = "metadata";
-
-    private Map<String, Object> data;
-    private VersionMetadata metadata;
-
-    @Override
-    public final void setData(final Map<String, Object> data) throws InvalidResponseException {
-        if (data.size() == 2
-                && data.containsKey(KEY_DATA) && data.get(KEY_DATA) instanceof Map
-                && data.containsKey(KEY_METADATA) && data.get(KEY_METADATA) instanceof Map) {
-            ObjectMapper mapper = new ObjectMapper();
-            try {
-                // This is apparently a KV v2 value.
-                this.data = (Map<String, Object>) data.get(KEY_DATA);
-                this.metadata = mapper.readValue(mapper.writeValueAsString(data.get(KEY_METADATA)), VersionMetadata.class);
-            } catch (ClassCastException | IOException e) {
-                throw new InvalidResponseException("Failed deserializing response", e);
-            }
-        } else {
-            // For KV v1 without metadata just store the data map.
-            this.data = data;
-        }
-    }
+public abstract class SecretResponse extends VaultDataResponse {
+    private static final long serialVersionUID = 5198088815871692951L;

    /**
     * Get complete data object.
     *
     * @return data map
     * @since 0.4.0
+     * @since 1.1 Serializable map value.
     */
-    public final Map<String, Object> getData() {
-        if (data == null) {
-            return Collections.emptyMap();
-        }
-        return data;
-    }
+    public abstract Map<String, Serializable> getData();

    /**
     * Get secret metadata. This is only available for KV v2 secrets.
@ -77,9 +54,7 @@ public class SecretResponse extends VaultDataResponse {
     * @return Metadata of the secret.
     * @since 0.8
     */
-    public final VersionMetadata getMetadata() {
-        return metadata;
-    }
+    public abstract VersionMetadata getMetadata();

    /**
     * Get a single value for given key.
@ -89,60 +64,39 @@ public class SecretResponse extends VaultDataResponse {
     * @since 0.4.0
     */
    public final Object get(final String key) {
-        if (data == null) {
-            return null;
-        }
        return getData().get(key);
    }

-    /**
-     * Get data element for key "value".
-     * Method for backwards compatibility in case of simple secrets.
-     *
-     * @return the value
-     * @deprecated Deprecated artifact, will be removed at latest at v1.0.0
-     */
-    @Deprecated
-    public final String getValue() {
-        Object value = get("value");
-        if (value == null) {
-            return null;
-        }
-        return value.toString();
-    }
-
-    /**
-     * Get response parsed as JSON.
-     *
-     * @param type Class to parse response
-     * @param <T>  Class to parse response
-     * @return Parsed object
-     * @throws InvalidResponseException on parsing error
-     * @since 0.3
-     * @deprecated Deprecated artifact, will be removed at latest at v1.0.0
-     */
-    @Deprecated
-    public final <T> T getValue(final Class<T> type) throws InvalidResponseException {
-        return get("value", type);
-    }
-
    /**
     * Get response parsed as JSON.
     *
     * @param key  the key
     * @param type Class to parse response
-     * @param <T>  Class to parse response
+     * @param <C>  Class to parse response
     * @return Parsed object or {@code null} if absent
     * @throws InvalidResponseException on parsing error
     * @since 0.4.0
     */
-    public final <T> T get(final String key, final Class<T> type) throws InvalidResponseException {
+    public final <C> C get(final String key, final Class<C> type) throws InvalidResponseException {
        try {
            Object rawValue = get(key);
            if (rawValue == null) {
                return null;
+            } else if (type.isInstance(rawValue)) {
+                return type.cast(rawValue);
+            } else {
+                var om = JsonMapper.builder()
+                    .addModule(new JavaTimeModule())
+                    .enable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS)
+                    .disable(DeserializationFeature.ADJUST_DATES_TO_CONTEXT_TIME_ZONE)
+                    .build();
+
+                if (rawValue instanceof String) {
+                    return om.readValue((String) rawValue, type);
+                } else {
+                    return om.readValue(om.writeValueAsString(rawValue), type);
+                }
            }
-            return new ObjectMapper().readValue(rawValue.toString(), type);
        } catch (IOException e) {
            throw new InvalidResponseException("Unable to parse response payload: " + e.getMessage());
        }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/SecretVersionResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/SecretVersionResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,12 +17,10 @@
 package de.stklcode.jvault.connector.model.response;

 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import com.fasterxml.jackson.annotation.JsonProperty;
 import de.stklcode.jvault.connector.model.response.embedded.VersionMetadata;

-import java.io.IOException;
-import java.util.Map;
+import java.util.Objects;

 /**
 * Vault response for a single secret version metadata, i.e. after update (KV v2).
@ -32,19 +30,11 @@ import java.util.Map;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public class SecretVersionResponse extends VaultDataResponse {
+    private static final long serialVersionUID = 2748635005258576174L;

+    @JsonProperty("data")
    private VersionMetadata metadata;

-    @Override
-    public final void setData(final Map<String, Object> data) throws InvalidResponseException {
-        ObjectMapper mapper = new ObjectMapper();
-        try {
-            this.metadata = mapper.readValue(mapper.writeValueAsString(data), VersionMetadata.class);
-        } catch (IOException e) {
-            throw new InvalidResponseException("Failed deserializing response", e);
-        }
-    }
-
    /**
     * Get the actual metadata.
     *
@ -53,4 +43,20 @@ public class SecretVersionResponse extends VaultDataResponse {
    public VersionMetadata getMetadata() {
        return metadata;
    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
+            return false;
+        }
+        SecretVersionResponse that = (SecretVersionResponse) o;
+        return Objects.equals(metadata, that.metadata);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(super.hashCode(), metadata);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/TokenResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/TokenResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -18,12 +18,9 @@ package de.stklcode.jvault.connector.model.response;

 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
 import de.stklcode.jvault.connector.model.response.embedded.TokenData;

-import java.io.IOException;
-import java.util.Map;
+import java.util.Objects;

 /**
 * Vault response from token lookup providing Token information in {@link TokenData} field.
@ -33,31 +30,32 @@ import java.util.Map;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class TokenResponse extends VaultDataResponse {
+    private static final long serialVersionUID = -4341114947980033457L;
+
+    @JsonProperty("data")
    private TokenData data;

-    @JsonProperty("auth")
-    private Boolean auth;
-
-    /**
-     * Set data. Parses response data map to {@link TokenData}.
-     *
-     * @param data Raw response data
-     * @throws InvalidResponseException on parsing errors
-     */
-    @Override
-    public void setData(final Map<String, Object> data) throws InvalidResponseException {
-        ObjectMapper mapper = new ObjectMapper();
-        try {
-            this.data = mapper.readValue(mapper.writeValueAsString(data), TokenData.class);
-        } catch (IOException e) {
-            throw new InvalidResponseException("Failed deserializing response", e);
-        }
-    }
-
    /**
     * @return Token data
     */
    public TokenData getData() {
        return data;
    }
+
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
+            return false;
+        }
+        TokenResponse that = (TokenResponse) o;
+        return Objects.equals(data, that.data);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(super.hashCode(), data);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/TokenRoleResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/TokenRoleResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,13 +17,11 @@
 package de.stklcode.jvault.connector.model.response;

 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import com.fasterxml.jackson.annotation.JsonProperty;
 import de.stklcode.jvault.connector.model.TokenRole;
 import de.stklcode.jvault.connector.model.response.embedded.TokenData;

-import java.io.IOException;
-import java.util.Map;
+import java.util.Objects;

 /**
 * Vault response from token role lookup providing Token information in {@link TokenData} field.
@ -33,23 +31,10 @@ import java.util.Map;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class TokenRoleResponse extends VaultDataResponse {
-    private TokenRole data;
+    private static final long serialVersionUID = 5265363857731948626L;

-    /**
-     * Set data. Parses response data map to {@link TokenRole}.
-     *
-     * @param data Raw response data
-     * @throws InvalidResponseException on parsing errors
-     */
-    @Override
-    public void setData(final Map<String, Object> data) throws InvalidResponseException {
-        ObjectMapper mapper = new ObjectMapper();
-        try {
-            this.data = mapper.readValue(mapper.writeValueAsString(data), TokenRole.class);
-        } catch (IOException e) {
-            throw new InvalidResponseException("Failed deserializing response", e);
-        }
-    }
+    @JsonProperty("data")
+    private TokenRole data;

    /**
     * @return TokenRole data
@ -57,4 +42,20 @@ public final class TokenRoleResponse extends VaultDataResponse {
    public TokenRole getData() {
        return data;
    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
+            return false;
+        }
+        TokenRoleResponse that = (TokenRoleResponse) o;
+        return Objects.equals(data, that.data);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(super.hashCode(), data);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/TransitResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/TransitResponse.java
@ -0,0 +1,92 @@
+/*
+ * Copyright 2016-2025 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.annotation.JsonSetter;
+
+import java.util.Map;
+import java.util.Objects;
+
+/**
+ * Response entity for transit operations.
+ *
+ * @author Stefan Kalscheuer
+ * @since 1.5.0
+ */
+public class TransitResponse extends VaultDataResponse {
+
+    private static final long serialVersionUID = 6873804240772242771L;
+
+    private String ciphertext;
+    private String plaintext;
+    private String sum;
+
+    @JsonSetter("data")
+    private void setData(Map<String, String> data) {
+        ciphertext = data.get("ciphertext");
+        plaintext = data.get("plaintext");
+        sum = data.get("sum");
+    }
+
+    /**
+     * Get ciphertext.
+     * Populated after encryption.
+     *
+     * @return Ciphertext
+     */
+    public String getCiphertext() {
+        return ciphertext;
+    }
+
+    /**
+     * Get plaintext.
+     * Base64 encoded, populated after decryption.
+     *
+     * @return Plaintext
+     */
+    public String getPlaintext() {
+        return plaintext;
+    }
+
+    /**
+     * Get hash sum.
+     * Hex or Base64 string. Populated after hashing.
+     *
+     * @return Hash sum
+     */
+    public String getSum() {
+        return sum;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
+            return false;
+        }
+        TransitResponse that = (TransitResponse) o;
+        return Objects.equals(ciphertext, that.ciphertext) &&
+            Objects.equals(plaintext, that.plaintext) &&
+            Objects.equals(sum, that.sum);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(super.hashCode(), ciphertext, plaintext, sum);
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/response/VaultDataResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/VaultDataResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,10 +17,11 @@
 package de.stklcode.jvault.connector.model.response;

 import com.fasterxml.jackson.annotation.JsonProperty;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import de.stklcode.jvault.connector.model.response.embedded.AuthData;
+import de.stklcode.jvault.connector.model.response.embedded.WrapInfo;

 import java.util.List;
-import java.util.Map;
+import java.util.Objects;

 /**
 * Abstract Vault response with default payload fields.
@ -29,6 +30,11 @@ import java.util.Map;
 * @since 0.1
 */
 public abstract class VaultDataResponse implements VaultResponse {
+    private static final long serialVersionUID = 4787715235558510045L;
+
+    @JsonProperty("request_id")
+    private String requestId;
+
    @JsonProperty("lease_id")
    private String leaseId;

@ -41,14 +47,22 @@ public abstract class VaultDataResponse implements VaultResponse {
    @JsonProperty("warnings")
    private List<String> warnings;

+    @JsonProperty("wrap_info")
+    private WrapInfo wrapInfo;
+
+    @JsonProperty("auth")
+    private AuthData auth;
+
+    @JsonProperty("mount_type")
+    private String mountType;
+
    /**
-     * Set data. To be implemented in the specific subclasses, as data can be of arbitrary structure.
-     *
-     * @param data Raw response data
-     * @throws InvalidResponseException on parsing errors
+     * @return Request ID
+     * @since 1.1
     */
-    @JsonProperty("data")
-    public abstract void setData(final Map<String, Object> data) throws InvalidResponseException;
+    public final String getRequestId() {
+        return requestId;
+    }

    /**
     * @return Lease ID
@ -77,4 +91,51 @@ public abstract class VaultDataResponse implements VaultResponse {
    public final List<String> getWarnings() {
        return warnings;
    }
+
+    /**
+     * @return Wrapping information
+     * @since 1.1
+     */
+    public final WrapInfo getWrapInfo() {
+        return wrapInfo;
+    }
+
+    /**
+     * @return Authentication information for this response
+     * @since 1.3
+     */
+    public final AuthData getAuth() {
+        return auth;
+    }
+
+    /**
+     * @return Information about the type of mount this secret is from (since Vault 1.17)
+     * @since 1.3
+     */
+    public final String getMountType() {
+        return mountType;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        VaultDataResponse that = (VaultDataResponse) o;
+        return renewable == that.renewable &&
+            Objects.equals(requestId, that.requestId) &&
+            Objects.equals(leaseId, that.leaseId) &&
+            Objects.equals(leaseDuration, that.leaseDuration) &&
+            Objects.equals(warnings, that.warnings) &&
+            Objects.equals(wrapInfo, that.wrapInfo) &&
+            Objects.equals(auth, that.auth) &&
+            Objects.equals(mountType, that.mountType);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(requestId, leaseId, renewable, leaseDuration, warnings, wrapInfo, auth, mountType);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/VaultResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/VaultResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,11 +16,14 @@

 package de.stklcode.jvault.connector.model.response;

+import java.io.Serializable;
+
 /**
 * Marker interface for responses from Vault backend.
 *
 * @author Stefan Kalscheuer
 * @since 0.1
+ * @since 1.1 extends {@link Serializable}
 */
-public interface VaultResponse {
+public interface VaultResponse extends Serializable {
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/AuthData.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/AuthData.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,17 +19,22 @@ package de.stklcode.jvault.connector.model.response.embedded;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;

+import java.io.Serializable;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;

 /**
 * Embedded authorization information inside Vault response.
 *
 * @author Stefan Kalscheuer
 * @since 0.1
+ * @since 1.1 implements {@link Serializable}
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public final class AuthData {
+public final class AuthData implements Serializable {
+    private static final long serialVersionUID = 5969334512309655317L;
+
    @JsonProperty("client_token")
    private String clientToken;

@ -60,6 +65,12 @@ public final class AuthData {
    @JsonProperty("orphan")
    private boolean orphan;

+    @JsonProperty("num_uses")
+    private Integer numUses;
+
+    @JsonProperty("mfa_requirement")
+    private MfaRequirement mfaRequirement;
+
    /**
     * @return Client token
     */
@ -126,6 +137,14 @@ public final class AuthData {
        return accessor;
    }

+    /**
+     * @return allowed number of uses for the issued token
+     * @since 1.3
+     */
+    public Integer getNumUses() {
+        return numUses;
+    }
+
    /**
     * @return Token is orphan
     * @since 0.9
@ -133,4 +152,41 @@ public final class AuthData {
    public boolean isOrphan() {
        return orphan;
    }
+
+    /**
+     * @return multi-factor requirement
+     * @since 1.2
+     */
+    public MfaRequirement getMfaRequirement() {
+        return mfaRequirement;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        AuthData authData = (AuthData) o;
+        return renewable == authData.renewable &&
+            orphan == authData.orphan &&
+            Objects.equals(clientToken, authData.clientToken) &&
+            Objects.equals(accessor, authData.accessor) &&
+            Objects.equals(policies, authData.policies) &&
+            Objects.equals(tokenPolicies, authData.tokenPolicies) &&
+            Objects.equals(metadata, authData.metadata) &&
+            Objects.equals(leaseDuration, authData.leaseDuration) &&
+            Objects.equals(entityId, authData.entityId) &&
+            Objects.equals(tokenType, authData.tokenType) &&
+            Objects.equals(numUses, authData.numUses) &&
+            Objects.equals(mfaRequirement, authData.mfaRequirement);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(clientToken, accessor, policies, tokenPolicies, metadata, leaseDuration, renewable,
+            entityId, tokenType, orphan, numUses, mfaRequirement);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/AuthMethod.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/AuthMethod.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -21,28 +21,60 @@ import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.annotation.JsonSetter;
 import de.stklcode.jvault.connector.model.AuthBackend;

+import java.io.Serializable;
 import java.util.Map;
+import java.util.Objects;

 /**
 * Embedded authentication method response.
 *
 * @author Stefan Kalscheuer
 * @since 0.1
+ * @since 1.1 implements {@link Serializable}
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public final class AuthMethod {
+public final class AuthMethod implements Serializable {
+    private static final long serialVersionUID = -439987082190917691L;
+
    private AuthBackend type;
    private String rawType;

+    @JsonProperty("accessor")
+    private String accessor;
+
+    @JsonProperty("deprecation_status")
+    private String deprecationStatus;
+
    @JsonProperty("description")
    private String description;

    @JsonProperty("config")
-    private Map<String, String> config;
+    private MountConfig config;
+
+    @JsonProperty("external_entropy_access")
+    private boolean externalEntropyAccess;

    @JsonProperty("local")
    private boolean local;

+    @JsonProperty("options")
+    private Map<String, String> options;
+
+    @JsonProperty("plugin_version")
+    private String pluginVersion;
+
+    @JsonProperty("running_plugin_version")
+    private String runningPluginVersion;
+
+    @JsonProperty("running_sha256")
+    private String runningSha256;
+
+    @JsonProperty("seal_wrap")
+    private boolean sealWrap;
+
+    @JsonProperty("uuid")
+    private String uuid;
+
    /**
     * @param type Backend type, passed to {@link AuthBackend#forType(String)}
     */
@ -66,6 +98,22 @@ public final class AuthMethod {
        return rawType;
    }

+    /**
+     * @return Accessor
+     * @since 1.1
+     */
+    public String getAccessor() {
+        return accessor;
+    }
+
+    /**
+     * @return Deprecation status
+     * @since 1.2
+     */
+    public String getDeprecationStatus() {
+        return deprecationStatus;
+    }
+
    /**
     * @return Description
     */
@ -75,15 +123,103 @@ public final class AuthMethod {

    /**
     * @return Configuration data
+     * @since 0.2
+     * @since 1.2 Returns {@link MountConfig} instead of {@link Map}
     */
-    public Map<String, String> getConfig() {
+    public MountConfig getConfig() {
        return config;
    }

+    /**
+     * @return Backend has access to external entropy source
+     * @since 1.1
+     */
+    public boolean isExternalEntropyAccess() {
+        return externalEntropyAccess;
+    }
+
    /**
     * @return Is local backend
     */
    public boolean isLocal() {
        return local;
    }
+
+    /**
+     * @return Options
+     * @since 1.2
+     */
+    public Map<String, String> getOptions() {
+        return options;
+    }
+
+    /**
+     * @return Plugin version
+     * @since 1.2
+     */
+    public String getPluginVersion() {
+        return pluginVersion;
+    }
+
+    /**
+     * @return Running plugin version
+     * @since 1.2
+     */
+    public String getRunningPluginVersion() {
+        return runningPluginVersion;
+    }
+
+    /**
+     * @return Running SHA256
+     * @since 1.2
+     */
+    public String getRunningSha256() {
+        return runningSha256;
+    }
+
+    /**
+     * @return Seal wrapping enabled
+     * @since 1.1
+     */
+    public boolean isSealWrap() {
+        return sealWrap;
+    }
+
+    /**
+     * @return Backend UUID
+     * @since 1.1
+     */
+    public String getUuid() {
+        return uuid;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        AuthMethod that = (AuthMethod) o;
+        return local == that.local &&
+            type == that.type &&
+            externalEntropyAccess == that.externalEntropyAccess &&
+            sealWrap == that.sealWrap &&
+            Objects.equals(rawType, that.rawType) &&
+            Objects.equals(accessor, that.accessor) &&
+            Objects.equals(deprecationStatus, that.deprecationStatus) &&
+            Objects.equals(description, that.description) &&
+            Objects.equals(config, that.config) &&
+            Objects.equals(options, that.options) &&
+            Objects.equals(pluginVersion, that.pluginVersion) &&
+            Objects.equals(runningPluginVersion, that.runningPluginVersion) &&
+            Objects.equals(runningSha256, that.runningSha256) &&
+            Objects.equals(uuid, that.uuid);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(type, rawType, accessor, deprecationStatus, description, config, externalEntropyAccess,
+            local, options, pluginVersion, runningPluginVersion, runningSha256, sealWrap, uuid);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MfaConstraintAny.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MfaConstraintAny.java
@ -0,0 +1,62 @@
+/*
+ * Copyright 2016-2025 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response.embedded;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.io.Serializable;
+import java.util.List;
+import java.util.Objects;
+
+/**
+ * Embedded multi-factor-authentication (MFA) constraint "any".
+ *
+ * @author Stefan Kalscheuer
+ * @since 1.2
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public final class MfaConstraintAny implements Serializable {
+    private static final long serialVersionUID = 1226126781813149627L;
+
+    @JsonProperty("any")
+    private List<MfaMethodId> any;
+
+    /**
+     * @return List of "any" MFA methods
+     */
+    public List<MfaMethodId> getAny() {
+        return any;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        MfaConstraintAny mfaRequirement = (MfaConstraintAny) o;
+        return Objects.equals(any, mfaRequirement.any);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(any);
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MfaMethodId.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MfaMethodId.java
@ -0,0 +1,94 @@
+/*
+ * Copyright 2016-2025 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response.embedded;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.io.Serializable;
+import java.util.Objects;
+
+/**
+ * Embedded multi-factor-authentication (MFA) requirement.
+ *
+ * @author Stefan Kalscheuer
+ * @since 1.2
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public final class MfaMethodId implements Serializable {
+    private static final long serialVersionUID = 691298070242998814L;
+
+    @JsonProperty("type")
+    private String type;
+
+    @JsonProperty("id")
+    private String id;
+
+    @JsonProperty("uses_passcode")
+    private Boolean usesPasscode;
+
+    @JsonProperty("name")
+    private String name;
+
+    /**
+     * @return MFA method type
+     */
+    public String getType() {
+        return type;
+    }
+
+    /**
+     * @return MFA method id
+     */
+    public String getId() {
+        return id;
+    }
+
+    /**
+     * @return MFA uses passcode id
+     */
+    public Boolean getUsesPasscode() {
+        return usesPasscode;
+    }
+
+    /**
+     * @return MFA method name
+     */
+    public String getName() {
+        return name;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        MfaMethodId mfaMethodId = (MfaMethodId) o;
+        return Objects.equals(type, mfaMethodId.type) &&
+            Objects.equals(id, mfaMethodId.id) &&
+            Objects.equals(usesPasscode, mfaMethodId.usesPasscode) &&
+            Objects.equals(name, mfaMethodId.name);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(type, id, usesPasscode, name);
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MfaRequirement.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MfaRequirement.java
@ -0,0 +1,73 @@
+/*
+ * Copyright 2016-2025 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response.embedded;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.io.Serializable;
+import java.util.Map;
+import java.util.Objects;
+
+/**
+ * Embedded multi-factor-authentication (MFA) requirement.
+ *
+ * @author Stefan Kalscheuer
+ * @since 1.2
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public final class MfaRequirement implements Serializable {
+    private static final long serialVersionUID = -2516941512455319638L;
+
+    @JsonProperty("mfa_request_id")
+    private String mfaRequestId;
+
+    @JsonProperty("mfa_constraints")
+    private Map<String, MfaConstraintAny> mfaConstraints;
+
+    /**
+     * @return MFA request ID
+     */
+    public String getMfaRequestId() {
+        return mfaRequestId;
+    }
+
+    /**
+     * @return MFA constraints
+     */
+    public Map<String, MfaConstraintAny> getMfaConstraints() {
+        return mfaConstraints;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        MfaRequirement mfaRequirement = (MfaRequirement) o;
+        return Objects.equals(mfaRequestId, mfaRequirement.mfaRequestId) &&
+            Objects.equals(mfaConstraints, mfaRequirement.mfaConstraints);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(mfaRequestId, mfaConstraints);
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MountConfig.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MountConfig.java
@ -0,0 +1,168 @@
+package de.stklcode.jvault.connector.model.response.embedded;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.io.Serializable;
+import java.util.List;
+import java.util.Objects;
+
+/**
+ * Embedded mount config output.
+ *
+ * @author Stefan Kalscheuer
+ * @since 1.2
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class MountConfig implements Serializable {
+    private static final long serialVersionUID = -8653909672663717792L;
+
+    @JsonProperty("default_lease_ttl")
+    private Integer defaultLeaseTtl;
+
+    @JsonProperty("max_lease_ttl")
+    private Integer maxLeaseTtl;
+
+    @JsonProperty("force_no_cache")
+    private Boolean forceNoCache;
+
+    @JsonProperty("token_type")
+    private String tokenType;
+
+    @JsonProperty("audit_non_hmac_request_keys")
+    private List<String> auditNonHmacRequestKeys;
+
+    @JsonProperty("audit_non_hmac_response_keys")
+    private List<String> auditNonHmacResponseKeys;
+
+    @JsonProperty("listing_visibility")
+    private String listingVisibility;
+
+    @JsonProperty("passthrough_request_headers")
+    private List<String> passthroughRequestHeaders;
+
+    @JsonProperty("allowed_response_headers")
+    private List<String> allowedResponseHeaders;
+
+    @JsonProperty("allowed_managed_keys")
+    private List<String> allowedManagedKeys;
+
+    @JsonProperty("delegated_auth_accessors")
+    private List<String> delegatedAuthAccessors;
+
+    @JsonProperty("user_lockout_config")
+    private UserLockoutConfig userLockoutConfig;
+
+    /**
+     * @return Default lease TTL
+     */
+    public Integer getDefaultLeaseTtl() {
+        return defaultLeaseTtl;
+    }
+
+    /**
+     * @return Maximum lease TTL
+     */
+    public Integer getMaxLeaseTtl() {
+        return maxLeaseTtl;
+    }
+
+    /**
+     * @return Force no cache?
+     */
+    public Boolean getForceNoCache() {
+        return forceNoCache;
+    }
+
+    /**
+     * @return Token type
+     */
+    public String getTokenType() {
+        return tokenType;
+    }
+
+    /**
+     * @return Audit non HMAC request keys
+     */
+    public List<String> getAuditNonHmacRequestKeys() {
+        return auditNonHmacRequestKeys;
+    }
+
+    /**
+     * @return Audit non HMAC response keys
+     */
+    public List<String> getAuditNonHmacResponseKeys() {
+        return auditNonHmacResponseKeys;
+    }
+
+    /**
+     * @return Listing visibility
+     */
+    public String getListingVisibility() {
+        return listingVisibility;
+    }
+
+    /**
+     * @return Passthrough request headers
+     */
+    public List<String> getPassthroughRequestHeaders() {
+        return passthroughRequestHeaders;
+    }
+
+    /**
+     * @return Allowed response headers
+     */
+    public List<String> getAllowedResponseHeaders() {
+        return allowedResponseHeaders;
+    }
+
+    /**
+     * @return Allowed managed keys
+     */
+    public List<String> getAllowedManagedKeys() {
+        return allowedManagedKeys;
+    }
+
+    /**
+     * @return Delegated auth accessors
+     */
+    public List<String> getDelegatedAuthAccessors() {
+        return delegatedAuthAccessors;
+    }
+
+    /**
+     * @return User lockout config
+     */
+    public UserLockoutConfig getUserLockoutConfig() {
+        return userLockoutConfig;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        MountConfig that = (MountConfig) o;
+        return Objects.equals(defaultLeaseTtl, that.defaultLeaseTtl) &&
+            Objects.equals(maxLeaseTtl, that.maxLeaseTtl) &&
+            Objects.equals(forceNoCache, that.forceNoCache) &&
+            Objects.equals(tokenType, that.tokenType) &&
+            Objects.equals(auditNonHmacRequestKeys, that.auditNonHmacRequestKeys) &&
+            Objects.equals(auditNonHmacResponseKeys, that.auditNonHmacResponseKeys) &&
+            Objects.equals(listingVisibility, that.listingVisibility) &&
+            Objects.equals(passthroughRequestHeaders, that.passthroughRequestHeaders) &&
+            Objects.equals(allowedResponseHeaders, that.allowedResponseHeaders) &&
+            Objects.equals(allowedManagedKeys, that.allowedManagedKeys) &&
+            Objects.equals(delegatedAuthAccessors, that.delegatedAuthAccessors) &&
+            Objects.equals(userLockoutConfig, that.userLockoutConfig);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(defaultLeaseTtl, maxLeaseTtl, forceNoCache, tokenType, auditNonHmacRequestKeys,
+            auditNonHmacResponseKeys, listingVisibility, passthroughRequestHeaders, allowedResponseHeaders,
+            allowedManagedKeys, delegatedAuthAccessors, userLockoutConfig);
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/SecretListWrapper.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/SecretListWrapper.java
@ -0,0 +1,42 @@
+package de.stklcode.jvault.connector.model.response.embedded;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.io.Serializable;
+import java.util.List;
+import java.util.Objects;
+
+/**
+ * Wrapper object for secret key lists.
+ *
+ * @author Stefan Kalscheuer
+ * @since 1.1
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class SecretListWrapper implements Serializable {
+
+    private static final long serialVersionUID = -8777605197063766125L;
+    @JsonProperty("keys")
+    private List<String> keys;
+
+    public List<String> getKeys() {
+        return keys;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        SecretListWrapper that = (SecretListWrapper) o;
+        return Objects.equals(keys, that.keys);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(keys);
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/SecretMetadata.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/SecretMetadata.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,23 +19,25 @@ package de.stklcode.jvault.connector.model.response.embedded;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;

+import java.io.Serializable;
 import java.time.ZonedDateTime;
-import java.time.format.DateTimeFormatter;
-import java.time.format.DateTimeParseException;
+import java.util.HashMap;
 import java.util.Map;
+import java.util.Objects;

 /**
 * Embedded metadata for Key-Value v2 secrets.
 *
 * @author Stefan Kalscheuer
 * @since 0.8
+ * @since 1.1 implements {@link Serializable}
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public final class SecretMetadata {
-    private static final DateTimeFormatter TIME_FORMAT = DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss.SSSSSSSSSX");
+public final class SecretMetadata implements Serializable {
+    private static final long serialVersionUID = -905059942871916214L;

    @JsonProperty("created_time")
-    private String createdTimeString;
+    private ZonedDateTime createdTime;

    @JsonProperty("current_version")
    private Integer currentVersion;
@ -47,31 +49,25 @@ public final class SecretMetadata {
    private Integer oldestVersion;

    @JsonProperty("updated_time")
-    private String updatedTime;
+    private ZonedDateTime updatedTime;

    @JsonProperty("versions")
    private Map<Integer, VersionMetadata> versions;

-    /**
-     * @return Time of secret creation as raw string representation.
-     */
-    public String getCreatedTimeString() {
-        return createdTimeString;
-    }
+    @JsonProperty("cas_required")
+    private Boolean casRequired;
+
+    @JsonProperty("custom_metadata")
+    private HashMap<String, String> customMetadata;
+
+    @JsonProperty("delete_version_after")
+    private String deleteVersionAfter;

    /**
     * @return Time of secret creation.
     */
    public ZonedDateTime getCreatedTime() {
-        if (createdTimeString != null && !createdTimeString.isEmpty()) {
-            try {
-                return ZonedDateTime.parse(createdTimeString, TIME_FORMAT);
-            } catch (DateTimeParseException e) {
-                // Ignore.
-            }
-        }
-
-        return null;
+        return createdTime;
    }

    /**
@ -96,25 +92,10 @@ public final class SecretMetadata {
    }

    /**
-     * @return Time of secret update as raw string representation.
-     */
-    public String getUpdatedTimeString() {
-        return updatedTime;
-    }
-
-    /**
-     * @return Time of secret update..
+     * @return Time of secret update.
     */
    public ZonedDateTime getUpdatedTime() {
-        if (updatedTime != null && !updatedTime.isEmpty()) {
-            try {
-                return ZonedDateTime.parse(updatedTime, TIME_FORMAT);
-            } catch (DateTimeParseException e) {
-                // Ignore.
-            }
-        }
-
-        return null;
+        return updatedTime;
    }

    /**
@ -124,4 +105,52 @@ public final class SecretMetadata {
        return versions;
    }

+    /**
+     * @return CAS required?
+     * @since 1.3
+     */
+    public Boolean isCasRequired() {
+        return casRequired;
+    }
+
+    /**
+     * @return Custom metadata.
+     * @since 1.3
+     */
+    public Map<String, String> getCustomMetadata() {
+        return customMetadata;
+    }
+
+    /**
+     * @return time duration to delete version
+     * @since 1.3
+     */
+    public String getDeleteVersionAfter() {
+        return deleteVersionAfter;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        SecretMetadata that = (SecretMetadata) o;
+        return Objects.equals(createdTime, that.createdTime) &&
+            Objects.equals(currentVersion, that.currentVersion) &&
+            Objects.equals(maxVersions, that.maxVersions) &&
+            Objects.equals(oldestVersion, that.oldestVersion) &&
+            Objects.equals(updatedTime, that.updatedTime) &&
+            Objects.equals(versions, that.versions) &&
+            Objects.equals(casRequired, that.casRequired) &&
+            Objects.equals(customMetadata, that.customMetadata) &&
+            Objects.equals(deleteVersionAfter, that.deleteVersionAfter);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(createdTime, currentVersion, maxVersions, oldestVersion, updatedTime, versions, casRequired,
+            customMetadata, deleteVersionAfter);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/SecretWrapper.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/SecretWrapper.java
@ -0,0 +1,49 @@
+package de.stklcode.jvault.connector.model.response.embedded;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.io.Serializable;
+import java.util.Map;
+import java.util.Objects;
+
+/**
+ * Wrapper object for secret data and metadata.
+ *
+ * @author Stefan Kalscheuer
+ * @since 1.1
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class SecretWrapper implements Serializable {
+    private static final long serialVersionUID = 8600413181758893378L;
+
+    @JsonProperty("data")
+    private Map<String, Serializable> data;
+
+    @JsonProperty("metadata")
+    private VersionMetadata metadata;
+
+    public Map<String, Serializable> getData() {
+        return data;
+    }
+
+    public VersionMetadata getMetadata() {
+        return metadata;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        SecretWrapper that = (SecretWrapper) o;
+        return Objects.equals(data, that.data) && Objects.equals(metadata, that.metadata);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(data, metadata);
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/TokenData.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/TokenData.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,18 +19,23 @@ package de.stklcode.jvault.connector.model.response.embedded;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;

+import java.io.Serializable;
 import java.time.ZonedDateTime;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;

 /**
 * Embedded token information inside Vault response.
 *
 * @author Stefan Kalscheuer
 * @since 0.1
+ * @since 1.1 implements {@link Serializable}
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public final class TokenData {
+public final class TokenData implements Serializable {
+    private static final long serialVersionUID = -5749716740973138916L;
+
    @JsonProperty("accessor")
    private String accessor;

@ -47,7 +52,7 @@ public final class TokenData {
    private String entityId;

    @JsonProperty("expire_time")
-    private String expireTime;
+    private ZonedDateTime expireTime;

    @JsonProperty("explicit_max_ttl")
    private Integer explicitMaxTtl;
@ -56,7 +61,7 @@ public final class TokenData {
    private String id;

    @JsonProperty("issue_time")
-    private String issueTime;
+    private ZonedDateTime issueTime;

    @JsonProperty("meta")
    private Map<String, Object> meta;
@ -118,24 +123,12 @@ public final class TokenData {
        return entityId;
    }

-    /**
-     * @return Expire time as raw string value
-     * @since 0.9
-     */
-    public String getExpireTimeString() {
-        return expireTime;
-    }
-
    /**
     * @return Expire time (parsed)
     * @since 0.9
     */
    public ZonedDateTime getExpireTime() {
-        if (expireTime == null) {
-            return null;
-        } else {
-            return ZonedDateTime.parse(expireTime);
-        }
+        return expireTime;
    }

    /**
@ -153,24 +146,12 @@ public final class TokenData {
        return id;
    }

-    /**
-     * @return Issue time as raw string value
-     * @since 0.9
-     */
-    public String getIssueTimeString() {
-        return issueTime;
-    }
-
    /**
     * @return Expire time (parsed)
     * @since 0.9
     */
    public ZonedDateTime getIssueTime() {
-        if (issueTime == null) {
-            return null;
-        } else {
-            return ZonedDateTime.parse(issueTime);
-        }
+        return issueTime;
    }

    /**
@ -231,4 +212,37 @@ public final class TokenData {
    public Map<String, Object> getMeta() {
        return meta;
    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        TokenData tokenData = (TokenData) o;
+        return orphan == tokenData.orphan &&
+            renewable == tokenData.renewable &&
+            Objects.equals(accessor, tokenData.accessor) &&
+            Objects.equals(creationTime, tokenData.creationTime) &&
+            Objects.equals(creationTtl, tokenData.creationTtl) &&
+            Objects.equals(name, tokenData.name) &&
+            Objects.equals(entityId, tokenData.entityId) &&
+            Objects.equals(expireTime, tokenData.expireTime) &&
+            Objects.equals(explicitMaxTtl, tokenData.explicitMaxTtl) &&
+            Objects.equals(id, tokenData.id) &&
+            Objects.equals(issueTime, tokenData.issueTime) &&
+            Objects.equals(meta, tokenData.meta) &&
+            Objects.equals(numUses, tokenData.numUses) &&
+            Objects.equals(path, tokenData.path) &&
+            Objects.equals(policies, tokenData.policies) &&
+            Objects.equals(ttl, tokenData.ttl) &&
+            Objects.equals(type, tokenData.type);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(accessor, creationTime, creationTtl, name, entityId, expireTime, explicitMaxTtl, id,
+            issueTime, meta, numUses, orphan, path, policies, renewable, ttl, type);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/UserLockoutConfig.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/UserLockoutConfig.java
@ -0,0 +1,77 @@
+package de.stklcode.jvault.connector.model.response.embedded;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.io.Serializable;
+import java.util.Objects;
+
+/**
+ * Embedded user lockout config output.
+ *
+ * @author Stefan Kalscheuer
+ * @since 1.2
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class UserLockoutConfig implements Serializable {
+    private static final long serialVersionUID = -8051060041593140550L;
+
+    @JsonProperty("lockout_threshold")
+    private Integer lockoutThreshold;
+
+    @JsonProperty("lockout_duration")
+    private Integer lockoutDuration;
+
+    @JsonProperty("lockout_counter_reset_duration")
+    private Integer lockoutCounterResetDuration;
+
+    @JsonProperty("lockout_disable")
+    private Boolean lockoutDisable;
+
+    /**
+     * @return Lockout threshold
+     */
+    public Integer getLockoutThreshold() {
+        return lockoutThreshold;
+    }
+
+    /**
+     * @return Lockout duration
+     */
+    public Integer getLockoutDuration() {
+        return lockoutDuration;
+    }
+
+    /**
+     * @return Lockout counter reset duration
+     */
+    public Integer getLockoutCounterResetDuration() {
+        return lockoutCounterResetDuration;
+    }
+
+    /**
+     * @return Lockout disabled?
+     */
+    public Boolean getLockoutDisable() {
+        return lockoutDisable;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        UserLockoutConfig that = (UserLockoutConfig) o;
+        return Objects.equals(lockoutThreshold, that.lockoutThreshold) &&
+            Objects.equals(lockoutDuration, that.lockoutDuration) &&
+            Objects.equals(lockoutCounterResetDuration, that.lockoutCounterResetDuration) &&
+            Objects.equals(lockoutDisable, that.lockoutDisable);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(lockoutThreshold, lockoutDuration, lockoutCounterResetDuration, lockoutDisable);
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/VersionMetadata.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/VersionMetadata.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,25 +19,28 @@ package de.stklcode.jvault.connector.model.response.embedded;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;

+import java.io.Serializable;
 import java.time.ZonedDateTime;
-import java.time.format.DateTimeFormatter;
-import java.time.format.DateTimeParseException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Objects;

 /**
 * Embedded metadata for a single Key-Value v2 version.
 *
 * @author Stefan Kalscheuer
 * @since 0.8
+ * @since 1.1 implements {@link Serializable}
 */
@JsonIgnoreProperties(ignoreUnknown = true)
-public final class VersionMetadata {
-    private static final DateTimeFormatter TIME_FORMAT = DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss.SSSSSSSSSX");
+public final class VersionMetadata implements Serializable {
+    private static final long serialVersionUID = 8495687554714216478L;

    @JsonProperty("created_time")
-    private String createdTimeString;
+    private ZonedDateTime createdTime;

    @JsonProperty("deletion_time")
-    private String deletionTimeString;
+    private ZonedDateTime deletionTime;

    @JsonProperty("destroyed")
    private boolean destroyed;
@ -45,48 +48,21 @@ public final class VersionMetadata {
    @JsonProperty("version")
    private Integer version;

-    /**
-     * @return Time of secret creation as raw string representation.
-     */
-    public String getCreatedTimeString() {
-        return createdTimeString;
-    }
+    @JsonProperty("custom_metadata")
+    private HashMap<String, String> customMetadata;

    /**
     * @return Time of secret creation.
     */
    public ZonedDateTime getCreatedTime() {
-        if (createdTimeString != null && !createdTimeString.isEmpty()) {
-            try {
-                return ZonedDateTime.parse(createdTimeString, TIME_FORMAT);
-            } catch (DateTimeParseException e) {
-                // Ignore.
-            }
-        }
-
-        return null;
-    }
-
-    /**
-     * @return Time for secret deletion as raw string representation.
-     */
-    public String getDeletionTimeString() {
-        return deletionTimeString;
+        return createdTime;
    }

    /**
     * @return Time for secret deletion.
     */
    public ZonedDateTime getDeletionTime() {
-        if (deletionTimeString != null && !deletionTimeString.isEmpty()) {
-            try {
-                return ZonedDateTime.parse(deletionTimeString, TIME_FORMAT);
-            } catch (DateTimeParseException e) {
-                // Ignore.
-            }
-        }
-
-        return null;
+        return deletionTime;
    }

    /**
@ -103,4 +79,31 @@ public final class VersionMetadata {
        return version;
    }

+    /**
+     * @return Custom metadata.
+     * @since 1.3
+     */
+    public Map<String, String> getCustomMetadata() {
+        return customMetadata;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        VersionMetadata that = (VersionMetadata) o;
+        return destroyed == that.destroyed &&
+            Objects.equals(createdTime, that.createdTime) &&
+            Objects.equals(deletionTime, that.deletionTime) &&
+            Objects.equals(version, that.version) &&
+            Objects.equals(customMetadata, that.customMetadata);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(createdTime, deletionTime, destroyed, version, customMetadata);
+    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/WrapInfo.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/WrapInfo.java
@ -0,0 +1,92 @@
+/*
+ * Copyright 2016-2025 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response.embedded;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.io.Serializable;
+import java.time.ZonedDateTime;
+import java.util.Objects;
+
+/**
+ * Wrapping information object.
+ *
+ * @author Stefan Kalscheuer
+ * @since 1.1
+ */
+public class WrapInfo implements Serializable {
+    private static final long serialVersionUID = 4864973237090355607L;
+
+    @JsonProperty("token")
+    private String token;
+
+    @JsonProperty("ttl")
+    private Integer ttl;
+
+    @JsonProperty("creation_time")
+    private ZonedDateTime creationTime;
+
+    @JsonProperty("creation_path")
+    private String creationPath;
+
+    /**
+     * @return Token
+     */
+    public String getToken() {
+        return token;
+    }
+
+    /**
+     * @return TTL (in seconds)
+     */
+    public Integer getTtl() {
+        return ttl;
+    }
+
+    /**
+     * @return Creation time
+     */
+    public ZonedDateTime getCreationTime() {
+        return creationTime;
+    }
+
+    /**
+     * @return Creation path
+     */
+    public String getCreationPath() {
+        return creationPath;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        } else if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        WrapInfo that = (WrapInfo) o;
+        return Objects.equals(token, that.token) &&
+            Objects.equals(ttl, that.ttl) &&
+            Objects.equals(creationTime, that.creationTime) &&
+            Objects.equals(creationPath, that.creationPath);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(token, ttl, creationTime, creationPath);
+    }
+}
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/package-info.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/package-info.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/package-info.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/package-info.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/package-info.java
+++ b/src/main/java/de/stklcode/jvault/connector/package-info.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/module-info.java
+++ b/src/main/java/module-info.java
@ -0,0 +1,37 @@
+/*
+ * Copyright 2016-2025 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * JVaultConnector module.
+ *
+ * @author Stefan Kalscheuer
+ */
+module de.stklcode.jvault.connector {
+    exports de.stklcode.jvault.connector;
+    exports de.stklcode.jvault.connector.exception;
+    exports de.stklcode.jvault.connector.model;
+    exports de.stklcode.jvault.connector.model.response;
+    exports de.stklcode.jvault.connector.model.response.embedded;
+
+    opens de.stklcode.jvault.connector.model to com.fasterxml.jackson.databind;
+    opens de.stklcode.jvault.connector.model.response to com.fasterxml.jackson.databind;
+    opens de.stklcode.jvault.connector.model.response.embedded to com.fasterxml.jackson.databind;
+
+    requires java.net.http;
+    requires com.fasterxml.jackson.annotation;
+    requires com.fasterxml.jackson.databind;
+    requires com.fasterxml.jackson.datatype.jsr310;
+}
--- a/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorBuilderTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorBuilderTest.java
@ -0,0 +1,249 @@
+/*
+ * Copyright 2016-2025 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector;
+
+import com.github.stefanbirkner.systemlambda.SystemLambda;
+import de.stklcode.jvault.connector.exception.ConnectionException;
+import de.stklcode.jvault.connector.exception.TlsException;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.io.TempDir;
+
+import java.io.File;
+import java.lang.reflect.Field;
+import java.net.URISyntaxException;
+import java.nio.file.Files;
+import java.nio.file.NoSuchFileException;
+import java.nio.file.Paths;
+import java.util.concurrent.atomic.AtomicReference;
+
+import static com.github.stefanbirkner.systemlambda.SystemLambda.withEnvironmentVariable;
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * JUnit test for HTTP Vault connector factory
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.8.0
+ */
+class HTTPVaultConnectorBuilderTest {
+    private static final String VAULT_ADDR = "https://localhost:8201";
+    private static final String VAULT_ADDR_2 = "http://localhost";
+    private static final String VAULT_ADDR_3 = "https://localhost/vault/";
+    private static final Integer VAULT_MAX_RETRIES = 13;
+    private static final String VAULT_TOKEN = "00001111-2222-3333-4444-555566667777";
+
+    @TempDir
+    File tempDir;
+
+    /**
+     * Test the builder.
+     */
+    @Test
+    void builderTest() throws Exception {
+        // Minimal configuration.
+        HTTPVaultConnector connector = HTTPVaultConnector.builder().withHost("vault.example.com").build();
+
+        assertEquals("https://vault.example.com:8200/v1/", getRequestHelperPrivate(connector, "baseURL"), "URL not set correctly");
+        assertNull(getRequestHelperPrivate(connector, "trustedCaCert"), "Trusted CA cert set when no cert provided");
+        assertEquals(0, getRequestHelperPrivate(connector, "retries"), "Number of retries unexpectedly set");
+
+        // Specify all options.
+        HTTPVaultConnectorBuilder builder = HTTPVaultConnector.builder()
+                .withHost("vault2.example.com")
+                .withoutTLS()
+                .withPort(1234)
+                .withPrefix("/foo/")
+                .withTimeout(5678)
+                .withNumberOfRetries(9);
+        connector = builder.build();
+
+        assertEquals("http://vault2.example.com:1234/foo/", getRequestHelperPrivate(connector, "baseURL"), "URL not set correctly");
+        assertNull(getRequestHelperPrivate(connector, "trustedCaCert"), "Trusted CA cert set when no cert provided");
+        assertEquals(9, getRequestHelperPrivate(connector, "retries"), "Unexpected number of retries");
+        assertEquals(5678, getRequestHelperPrivate(connector, "timeout"), "Number timeout value");
+        assertThrows(ConnectionException.class, builder::buildAndAuth, "Immediate authentication should throw exception without token");
+
+        // Initialization from URL.
+        assertThrows(
+                URISyntaxException.class,
+                () -> HTTPVaultConnector.builder().withBaseURL("foo:/\\1nv4l1d_UrL"),
+                "Initialization from invalid URL should fail"
+        );
+        connector = assertDoesNotThrow(
+                () -> HTTPVaultConnector.builder().withBaseURL("https://vault3.example.com:5678/bar/").build(),
+                "Initialization from valid URL should not fail"
+        );
+        assertEquals("https://vault3.example.com:5678/bar/", getRequestHelperPrivate(connector, "baseURL"), "URL not set correctly");
+
+        // Port numbers.
+        assertThrows(IllegalArgumentException.class, () -> HTTPVaultConnector.builder().withPort(65536), "Too large port number should throw an exception");
+        assertThrows(IllegalArgumentException.class, () -> HTTPVaultConnector.builder().withPort(0), "Port number 0 should throw an exception");
+        builder = assertDoesNotThrow(() -> HTTPVaultConnector.builder().withPort(-1), "Port number -1 should not throw an exception");
+        assertNull(builder.getPort(), "Port number -1 should be omitted");
+        builder = assertDoesNotThrow(() -> HTTPVaultConnector.builder().withPort(null), "Port number NULL should not throw an exception");
+        assertNull(builder.getPort(), "Port number NULL should be passed through");
+    }
+
+    /**
+     * Test building from environment variables
+     */
+    @Test
+    void testFromEnv() throws Exception {
+        // Provide address only should be enough.
+        withVaultEnv(VAULT_ADDR, null, null, null).execute(() -> {
+            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
+                    () -> HTTPVaultConnector.builder().fromEnv(),
+                    "Factory creation from minimal environment failed"
+            );
+            HTTPVaultConnector connector = builder.build();
+
+            assertEquals(VAULT_ADDR + "/v1/", getRequestHelperPrivate(connector, "baseURL"), "URL not set correctly");
+            assertNull(getRequestHelperPrivate(connector, "trustedCaCert"), "Trusted CA cert set when no cert provided");
+            assertEquals(0, getRequestHelperPrivate(connector, "retries"), "Non-default number of retries, when none set");
+
+            return null;
+        });
+        withVaultEnv(VAULT_ADDR_2, null, null, null).execute(() -> {
+            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
+                    () -> HTTPVaultConnector.builder().fromEnv(),
+                    "Factory creation from minimal environment failed"
+            );
+            assertEquals(VAULT_ADDR_2 + "/v1/", getRequestHelperPrivate(builder.build(), "baseURL"), "URL without port not set correctly");
+            return null;
+        });
+        withVaultEnv(VAULT_ADDR_3, null, null, null).execute(() -> {
+            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
+                    () -> HTTPVaultConnector.builder().fromEnv(),
+                    "Factory creation from minimal environment failed"
+            );
+            assertEquals(VAULT_ADDR_3, getRequestHelperPrivate(builder.build(), "baseURL"), "URL with custom path not set correctly");
+            return null;
+        });
+
+        // Provide address and number of retries.
+        withVaultEnv(VAULT_ADDR, null, VAULT_MAX_RETRIES.toString(), null).execute(() -> {
+            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
+                    () -> HTTPVaultConnector.builder().fromEnv(),
+                    "Factory creation from environment failed"
+            );
+            HTTPVaultConnector connector = builder.build();
+
+            assertEquals(VAULT_ADDR + "/v1/", getRequestHelperPrivate(connector, "baseURL"), "URL not set correctly");
+            assertNull(getRequestHelperPrivate(connector, "trustedCaCert"), "Trusted CA cert set when no cert provided");
+            assertEquals(VAULT_MAX_RETRIES, getRequestHelperPrivate(connector, "retries"), "Number of retries not set correctly");
+
+            return null;
+        });
+
+        // Automatic authentication.
+        withVaultEnv(VAULT_ADDR, null, VAULT_MAX_RETRIES.toString(), VAULT_TOKEN).execute(() -> {
+            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
+                    () -> HTTPVaultConnector.builder().fromEnv(),
+                    "Factory creation from minimal environment failed"
+            );
+            assertEquals(VAULT_TOKEN, getPrivate(builder, "token"), "Token not set correctly");
+
+            return null;
+        });
+
+        // Invalid URL.
+        withVaultEnv("This is not a valid URL!", null, VAULT_MAX_RETRIES.toString(), VAULT_TOKEN).execute(() -> {
+            assertThrows(
+                    ConnectionException.class,
+                    () -> HTTPVaultConnector.builder().fromEnv(),
+                    "Invalid URL from environment should raise an exception"
+            );
+
+            return null;
+        });
+    }
+
+    /**
+     * Test CA certificate handling from environment variables
+     */
+    @Test
+    void testCertificateFromEnv() throws Exception {
+        // From direct PEM content
+        String pem = Files.readString(Paths.get(getClass().getResource("/tls/ca.pem").toURI()));
+        AtomicReference<Object> certFromPem = new AtomicReference<>();
+        withVaultEnv(VAULT_ADDR, pem, null, null).execute(() -> {
+            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
+                    () -> HTTPVaultConnector.builder().fromEnv(),
+                    "Builder with PEM certificate from environment failed"
+            );
+            HTTPVaultConnector connector = builder.build();
+
+            certFromPem.set(getRequestHelperPrivate(connector, "trustedCaCert"));
+            assertNotNull(certFromPem.get(), "Trusted CA cert from PEM not set");
+
+            return null;
+        });
+
+        // From file path
+        String file = Paths.get(getClass().getResource("/tls/ca.pem").toURI()).toString();
+        AtomicReference<Object> certFromFile = new AtomicReference<>();
+        withVaultEnv(VAULT_ADDR, file, null, null).execute(() -> {
+            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
+                    () -> HTTPVaultConnector.builder().fromEnv(),
+                    "Builder with certificate path from environment failed"
+            );
+            HTTPVaultConnector connector = builder.build();
+
+            certFromFile.set(getRequestHelperPrivate(connector, "trustedCaCert"));
+            assertNotNull(certFromFile.get(), "Trusted CA cert from file not set");
+
+            return null;
+        });
+
+        assertEquals(certFromPem.get(), certFromFile.get(), "Certificates from PEM and file should be equal");
+
+        // Non-existing path CA certificate path
+        String doesNotExist = tempDir.toString() + "/doesnotexist";
+        withVaultEnv(VAULT_ADDR, doesNotExist, VAULT_MAX_RETRIES.toString(), null).execute(() -> {
+            TlsException e = assertThrows(
+                    TlsException.class,
+                    () -> HTTPVaultConnector.builder().fromEnv(),
+                    "Creation with unknown cert path failed"
+            );
+            assertEquals(doesNotExist, assertInstanceOf(NoSuchFileException.class, e.getCause()).getFile());
+
+            return null;
+        });
+    }
+
+    private SystemLambda.WithEnvironmentVariables withVaultEnv(String vaultAddr, String vaultCacert, String vaultMaxRetries, String vaultToken) {
+        return withEnvironmentVariable("VAULT_ADDR", vaultAddr)
+                .and("VAULT_CACERT", vaultCacert)
+                .and("VAULT_MAX_RETRIES", vaultMaxRetries)
+                .and("VAULT_TOKEN", vaultToken);
+    }
+
+    private Object getRequestHelperPrivate(HTTPVaultConnector connector, String fieldName) throws NoSuchFieldException, IllegalAccessException {
+        return getPrivate(getPrivate(connector, "request"), fieldName);
+    }
+
+    private Object getPrivate(Object target, String fieldName) throws NoSuchFieldException, IllegalAccessException {
+        Field field = target.getClass().getDeclaredField(fieldName);
+        if (field.canAccess(target)) {
+            return field.get(target);
+        }
+        field.setAccessible(true);
+        Object value = field.get(target);
+        field.setAccessible(false);
+        return value;
+    }
+}
--- a/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorIT.java
+++ b/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorIT.java
--- a/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorOfflineTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorOfflineTest.java
@ -1,380 +0,0 @@
-/*
- * Copyright 2016-2021 Stefan Kalscheuer
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package de.stklcode.jvault.connector;
-
-import de.stklcode.jvault.connector.exception.InvalidRequestException;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
-import de.stklcode.jvault.connector.exception.PermissionDeniedException;
-import de.stklcode.jvault.connector.exception.VaultConnectorException;
-import org.apache.http.ProtocolVersion;
-import org.apache.http.client.methods.CloseableHttpResponse;
-import org.apache.http.entity.ContentType;
-import org.apache.http.entity.StringEntity;
-import org.apache.http.impl.client.CloseableHttpClient;
-import org.apache.http.impl.client.HttpClientBuilder;
-import org.apache.http.message.BasicStatusLine;
-import org.junit.jupiter.api.*;
-import org.junit.jupiter.api.function.Executable;
-import org.mockito.MockedStatic;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.lang.reflect.Field;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
-import java.security.cert.X509Certificate;
-import java.util.Collections;
-
-import static org.hamcrest.CoreMatchers.instanceOf;
-import static org.hamcrest.CoreMatchers.nullValue;
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.core.Is.is;
-import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.*;
-
-/**
- * JUnit test for HTTP Vault connector.
- * This test suite contains tests that do not require connection to an actual Vault instance.
- *
- * @author Stefan Kalscheuer
- * @since 0.7.0
- */
-class HTTPVaultConnectorOfflineTest {
-    private static final String INVALID_URL = "foo:/\\1nv4l1d_UrL";
-
-    private static MockedStatic<HttpClientBuilder> hcbMock;
-    private static CloseableHttpClient httpMock;
-    private final CloseableHttpResponse responseMock = mock(CloseableHttpResponse.class);
-
-    @BeforeAll
-    static void prepare() {
-        // Mock the static HTTPClient creation.
-        hcbMock = mockStatic(HttpClientBuilder.class);
-        hcbMock.when(HttpClientBuilder::create).thenReturn(new MockedHttpClientBuilder());
-    }
-
-     @AfterAll
-     static void tearDown() {
-         hcbMock.close();
-     }
-
-    @BeforeEach
-    void init() {
-        // Re-initialize HTTP mock to ensure fresh (empty) results.
-        httpMock = mock(CloseableHttpClient.class);
-    }
-
-
-    /**
-     * Test exceptions thrown during request.
-     */
-    @Test
-    void requestExceptionTest() throws IOException {
-        HTTPVaultConnector connector = new HTTPVaultConnector("http://127.0.0.1", null, 0, 250);
-
-        // Test invalid response code.
-        final int responseCode = 400;
-        mockResponse(responseCode, "", ContentType.APPLICATION_JSON);
-        InvalidResponseException e = assertThrows(
-                InvalidResponseException.class,
-                connector::getHealth,
-                "Querying health status succeeded on invalid instance"
-        );
-        assertThat("Unexpected exception message", e.getMessage(), is("Invalid response code"));
-        assertThat("Unexpected status code in exception", ((InvalidResponseException) e).getStatusCode(), is(responseCode));
-        assertThat("Response message where none was expected", ((InvalidResponseException) e).getResponse(), is(nullValue()));
-
-        // Simulate permission denied response.
-        mockResponse(responseCode, "{\"errors\":[\"permission denied\"]}", ContentType.APPLICATION_JSON);
-        assertThrows(
-                PermissionDeniedException.class,
-                connector::getHealth,
-                "Querying health status succeeded on invalid instance"
-        );
-
-        // Test exception thrown during request.
-        when(httpMock.execute(any())).thenThrow(new IOException("Test Exception"));
-        e = assertThrows(
-                InvalidResponseException.class,
-                connector::getHealth,
-                "Querying health status succeeded on invalid instance"
-        );
-        assertThat("Unexpected exception message", e.getMessage(), is("Unable to read response"));
-        assertThat("Unexpected cause", e.getCause(), instanceOf(IOException.class));
-
-        // Now simulate a failing request that succeeds on second try.
-        connector = new HTTPVaultConnector("https://127.0.0.1", null, 1, 250);
-        doReturn(responseMock).doReturn(responseMock).when(httpMock).execute(any());
-        doReturn(new BasicStatusLine(new ProtocolVersion("HTTP", 1, 1), 500, ""))
-                .doReturn(new BasicStatusLine(new ProtocolVersion("HTTP", 1, 1), 500, ""))
-                .doReturn(new BasicStatusLine(new ProtocolVersion("HTTP", 1, 1), 500, ""))
-                .doReturn(new BasicStatusLine(new ProtocolVersion("HTTP", 1, 1), 200, ""))
-                .when(responseMock).getStatusLine();
-        when(responseMock.getEntity()).thenReturn(new StringEntity("{}", ContentType.APPLICATION_JSON));
-
-        assertDoesNotThrow(connector::getHealth, "Request failed unexpectedly");
-    }
-
-    /**
-     * Test constructors of the {@link HTTPVaultConnector} class.
-     */
-    @Test
-    void constructorTest() throws IOException, CertificateException {
-        final String url = "https://vault.example.net/test/";
-        final String hostname = "vault.example.com";
-        final Integer port = 1337;
-        final String prefix = "/custom/prefix/";
-        final int retries = 42;
-        final String expectedNoTls = "http://" + hostname + "/v1/";
-        final String expectedCustomPort = "https://" + hostname + ":" + port + "/v1/";
-        final String expectedCustomPrefix = "https://" + hostname + ":" + port + prefix;
-        X509Certificate trustedCaCert;
-
-        try (InputStream is = getClass().getResourceAsStream("/tls/ca.pem")) {
-            trustedCaCert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(is);
-        }
-
-        // Most basic constructor expects complete URL.
-        HTTPVaultConnector connector = new HTTPVaultConnector(url);
-        assertThat("Unexpected base URL", getRequestHelperPrivate(connector, "baseURL"), is(url));
-
-        // Now override TLS usage.
-        connector = new HTTPVaultConnector(hostname, false);
-        assertThat("Unexpected base URL with TLS disabled", getRequestHelperPrivate(connector, "baseURL"), is(expectedNoTls));
-
-        // Specify custom port.
-        connector = new HTTPVaultConnector(hostname, true, port);
-        assertThat("Unexpected base URL with custom port", getRequestHelperPrivate(connector, "baseURL"), is(expectedCustomPort));
-
-        // Specify custom prefix.
-        connector = new HTTPVaultConnector(hostname, true, port, prefix);
-        assertThat("Unexpected base URL with custom prefix", getRequestHelperPrivate(connector, "baseURL"), is(expectedCustomPrefix));
-        assertThat("Trusted CA cert set, but not specified", getRequestHelperPrivate(connector, "trustedCaCert"), is(nullValue()));
-
-        // Provide custom SSL context.
-        connector = new HTTPVaultConnector(hostname, true, port, prefix, trustedCaCert);
-        assertThat("Unexpected base URL with custom prefix", getRequestHelperPrivate(connector, "baseURL"), is(expectedCustomPrefix));
-        assertThat("Trusted CA cert not filled correctly", getRequestHelperPrivate(connector, "trustedCaCert"), is(trustedCaCert));
-
-        // Specify number of retries.
-        connector = new HTTPVaultConnector(url, trustedCaCert, retries);
-        assertThat("Number of retries not set correctly", getRequestHelperPrivate(connector, "retries"), is(retries));
-
-        // Test TLS version (#22).
-        assertThat("TLS version should be 1.2 if not specified", getRequestHelperPrivate(connector, "tlsVersion"), is("TLSv1.2"));
-        // Now override.
-        connector = new HTTPVaultConnector(url, trustedCaCert, retries, null, "TLSv1.1");
-        assertThat("Overridden TLS version 1.1 not correct", getRequestHelperPrivate(connector, "tlsVersion"), is("TLSv1.1"));
-    }
-
-    /**
-     * This test is designed to test exceptions caught and thrown by seal-methods if Vault is not reachable.
-     */
-    @Test
-    void sealExceptionTest() {
-        HTTPVaultConnector connector = new HTTPVaultConnector(INVALID_URL);
-        VaultConnectorException e = assertThrows(
-                InvalidRequestException.class,
-                connector::sealStatus,
-                "Querying seal status succeeded on invalid URL"
-        );
-        assertThat("Unexpected exception message", e.getMessage(), is("Invalid URI format"));
-
-        // Simulate NULL response (mock not supplied with data).
-        connector = new HTTPVaultConnector("https://127.0.0.1", null, 0, 250);
-        e = assertThrows(
-                InvalidResponseException.class,
-                connector::sealStatus,
-                "Querying seal status succeeded on invalid instance"
-        );
-        assertThat("Unexpected exception message", e.getMessage(), is("Response unavailable"));
-    }
-
-    /**
-     * This test is designed to test exceptions caught and thrown by seal-methods if Vault is not reachable.
-     */
-    @Test
-    void healthExceptionTest() {
-        HTTPVaultConnector connector = new HTTPVaultConnector(INVALID_URL);
-        VaultConnectorException e = assertThrows(
-                InvalidRequestException.class,
-                connector::getHealth,
-                "Querying health status succeeded on invalid URL"
-        );
-        assertThat("Unexpected exception message", e.getMessage(), is("Invalid URI format"));
-
-        // Simulate NULL response (mock not supplied with data).
-        connector = new HTTPVaultConnector("https://127.0.0.1", null, 0, 250);
-        e = assertThrows(
-                InvalidResponseException.class,
-                connector::getHealth,
-                "Querying health status succeeded on invalid instance"
-        );
-        assertThat("Unexpected exception message", e.getMessage(), is("Response unavailable"));
-    }
-
-    /**
-     * Test behavior on unparsable responses.
-     */
-    @Test
-    void parseExceptionTest() throws IOException {
-        HTTPVaultConnector connector = new HTTPVaultConnector("https://127.0.0.1", null, 0, 250);
-        // Mock authorization.
-        setPrivate(connector, "authorized", true);
-        // Mock response.
-        mockResponse(200, "invalid", ContentType.APPLICATION_JSON);
-
-        // Now test the methods.
-        assertParseError(connector::sealStatus, "sealStatus() succeeded on invalid instance");
-        assertParseError(() -> connector.unseal("key"), "unseal() succeeded on invalid instance");
-        assertParseError(connector::getHealth, "getHealth() succeeded on invalid instance");
-        assertParseError(connector::getAuthBackends, "getAuthBackends() succeeded on invalid instance");
-        assertParseError(() -> connector.authToken("token"), "authToken() succeeded on invalid instance");
-        assertParseError(() -> connector.lookupAppRole("roleName"), "lookupAppRole() succeeded on invalid instance");
-        assertParseError(() -> connector.getAppRoleID("roleName"), "getAppRoleID() succeeded on invalid instance");
-        assertParseError(() -> connector.createAppRoleSecret("roleName"), "createAppRoleSecret() succeeded on invalid instance");
-        assertParseError(() -> connector.lookupAppRoleSecret("roleName", "secretID"), "lookupAppRoleSecret() succeeded on invalid instance");
-        assertParseError(connector::listAppRoles, "listAppRoles() succeeded on invalid instance");
-        assertParseError(() -> connector.listAppRoleSecrets("roleName"), "listAppRoleSecrets() succeeded on invalid instance");
-        assertParseError(() -> connector.read("key"), "read() succeeded on invalid instance");
-        assertParseError(() -> connector.list("path"), "list() succeeded on invalid instance");
-        assertParseError(() -> connector.renew("leaseID"), "renew() succeeded on invalid instance");
-        assertParseError(() -> connector.lookupToken("token"), "lookupToken() succeeded on invalid instance");
-    }
-
-    private void assertParseError(Executable executable, String message) {
-        InvalidResponseException e = assertThrows(InvalidResponseException.class, executable, message);
-        assertThat("Unexpected exception message", e.getMessage(), is("Unable to parse response"));
-    }
-
-    /**
-     * Test requests that expect an empty response with code 204, but receive a 200 body.
-     */
-    @Test
-    void nonEmpty204ResponseTest() throws IOException {
-        HTTPVaultConnector connector = new HTTPVaultConnector("https://127.0.0.1", null, 0, 250);
-        // Mock authorization.
-        setPrivate(connector, "authorized", true);
-        // Mock response.
-        mockResponse(200, "{}", ContentType.APPLICATION_JSON);
-
-        // Now test the methods expecting a 204.
-        assertThrows(
-                InvalidResponseException.class,
-                () -> connector.registerAppId("appID", "policy", "displayName"),
-                "registerAppId() with 200 response succeeded"
-        );
-
-        assertThrows(
-                InvalidResponseException.class,
-                () -> connector.registerUserId("appID", "userID"),
-                "registerUserId() with 200 response succeeded"
-        );
-
-        assertThrows(
-                InvalidResponseException.class,
-                () -> connector.createAppRole("appID", Collections.singletonList("policy")),
-                "createAppRole() with 200 response succeeded"
-        );
-
-        assertThrows(
-                InvalidResponseException.class,
-                () -> connector.deleteAppRole("roleName"),
-                "deleteAppRole() with 200 response succeeded"
-        );
-
-        assertThrows(
-                InvalidResponseException.class,
-                () -> connector.setAppRoleID("roleName", "roleID"),
-                "setAppRoleID() with 200 response succeeded"
-        );
-
-        assertThrows(
-                InvalidResponseException.class,
-                () -> connector.destroyAppRoleSecret("roleName", "secretID"),
-                "destroyAppRoleSecret() with 200 response succeeded"
-        );
-
-        assertThrows(
-                InvalidResponseException.class,
-                () -> connector.destroyAppRoleSecret("roleName", "secretUD"),
-                "destroyAppRoleSecret() with 200 response succeeded"
-        );
-
-        assertThrows(
-                InvalidResponseException.class,
-                () -> connector.delete("key"),
-                "delete() with 200 response succeeded"
-        );
-
-        assertThrows(
-                InvalidResponseException.class,
-                () -> connector.revoke("leaseID"),
-                "destroyAppRoleSecret() with 200 response succeeded"
-        );
-    }
-
-    private Object getRequestHelperPrivate(HTTPVaultConnector connector, String fieldName) {
-        try {
-            return getPrivate(getPrivate(connector, "request"), fieldName);
-        } catch (NoSuchFieldException | IllegalAccessException e) {
-            return null;
-        }
-    }
-
-    private Object getPrivate(Object target, String fieldName) throws NoSuchFieldException, IllegalAccessException {
-        Field field = target.getClass().getDeclaredField(fieldName);
-        if (field.isAccessible()) {
-            return field.get(target);
-        }
-        field.setAccessible(true);
-        Object value = field.get(target);
-        field.setAccessible(false);
-        return value;
-    }
-
-    private void setPrivate(Object target, String fieldName, Object value) {
-        try {
-            Field field = target.getClass().getDeclaredField(fieldName);
-            boolean accessible = field.isAccessible();
-            field.setAccessible(true);
-            field.set(target, value);
-            field.setAccessible(accessible);
-        } catch (NoSuchFieldException | IllegalAccessException e) {
-            // Should not occur, to be taken care of in test code.
-        }
-    }
-
-    private void mockResponse(int status, String body, ContentType type) throws IOException {
-        when(httpMock.execute(any())).thenReturn(responseMock);
-        when(responseMock.getStatusLine()).thenReturn(new BasicStatusLine(new ProtocolVersion("HTTP", 1, 1), status, ""));
-        when(responseMock.getEntity()).thenReturn(new StringEntity(body, type));
-    }
-
-    /**
-     * Mocked {@link HttpClientBuilder} that always returns the mocked client.
-     */
-    private static class MockedHttpClientBuilder extends HttpClientBuilder {
-        @Override
-        public CloseableHttpClient build() {
-            return httpMock;
-        }
-    }
-
-}
--- a/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java
--- a/src/test/java/de/stklcode/jvault/connector/builder/HTTPVaultConnectorBuilderTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/builder/HTTPVaultConnectorBuilderTest.java
@ -1,132 +0,0 @@
-/*
- * Copyright 2016-2021 Stefan Kalscheuer
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package de.stklcode.jvault.connector.builder;
-
-import com.github.stefanbirkner.systemlambda.SystemLambda;
-import de.stklcode.jvault.connector.HTTPVaultConnector;
-import de.stklcode.jvault.connector.exception.TlsException;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.io.TempDir;
-
-import java.io.File;
-import java.lang.reflect.Field;
-import java.nio.file.NoSuchFileException;
-import java.util.concurrent.Callable;
-
-import static com.github.stefanbirkner.systemlambda.SystemLambda.withEnvironmentVariable;
-import static org.hamcrest.CoreMatchers.*;
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-
-/**
- * JUnit test for HTTP Vault connector factory
- *
- * @author Stefan Kalscheuer
- * @since 0.8.0
- */
-class HTTPVaultConnectorBuilderTest {
-    private static final String VAULT_ADDR = "https://localhost:8201";
-    private static final Integer VAULT_MAX_RETRIES = 13;
-    private static final String VAULT_TOKEN = "00001111-2222-3333-4444-555566667777";
-
-    @TempDir
-    File tempDir;
-
-    /**
-     * Test building from environment variables
-     */
-    @Test
-    void testFromEnv() throws Exception {
-        /* Provide address only should be enough */
-        withVaultEnv(VAULT_ADDR, null, null, null).execute(() -> {
-            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
-                    () -> VaultConnectorBuilder.http().fromEnv(),
-                    "Factory creation from minimal environment failed"
-            );
-            HTTPVaultConnector connector = builder.build();
-
-            assertThat("URL nor set correctly", getRequestHelperPrivate(connector, "baseURL"), is(equalTo(VAULT_ADDR + "/v1/")));
-            assertThat("Trusted CA cert set when no cert provided", getRequestHelperPrivate(connector, "trustedCaCert"), is(nullValue()));
-            assertThat("Non-default number of retries, when none set", getRequestHelperPrivate(connector, "retries"), is(0));
-
-            return null;
-        });
-
-        /* Provide address and number of retries */
-        withVaultEnv(VAULT_ADDR, null, VAULT_MAX_RETRIES.toString(), null).execute(() -> {
-            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
-                    () -> VaultConnectorBuilder.http().fromEnv(),
-                    "Factory creation from environment failed"
-            );
-            HTTPVaultConnector connector = builder.build();
-
-            assertThat("URL nor set correctly", getRequestHelperPrivate(connector, "baseURL"), is(equalTo(VAULT_ADDR + "/v1/")));
-            assertThat("Trusted CA cert set when no cert provided", getRequestHelperPrivate(connector, "trustedCaCert"), is(nullValue()));
-            assertThat("Number of retries not set correctly", getRequestHelperPrivate(connector, "retries"), is(VAULT_MAX_RETRIES));
-
-            return null;
-        });
-
-        /* Provide CA certificate */
-        String VAULT_CACERT = tempDir.toString() + "/doesnotexist";
-        withVaultEnv(VAULT_ADDR, VAULT_CACERT, VAULT_MAX_RETRIES.toString(), null).execute(() -> {
-            TlsException e = assertThrows(
-                    TlsException.class,
-                    () -> VaultConnectorBuilder.http().fromEnv(),
-                    "Creation with unknown cert path failed."
-            );
-            assertThat(e.getCause(), is(instanceOf(NoSuchFileException.class)));
-            assertThat(((NoSuchFileException) e.getCause()).getFile(), is(VAULT_CACERT));
-
-            return null;
-        });
-
-        /* Automatic authentication */
-        withVaultEnv(VAULT_ADDR, null, VAULT_MAX_RETRIES.toString(), VAULT_TOKEN).execute(() -> {
-            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
-                    () -> VaultConnectorBuilder.http().fromEnv(),
-                    "Factory creation from minimal environment failed"
-            );
-            assertThat("Token nor set correctly", getPrivate(builder, "token"), is(equalTo(VAULT_TOKEN)));
-
-            return null;
-        });
-    }
-
-    private SystemLambda.WithEnvironmentVariables withVaultEnv(String vault_addr, String vault_cacert, String vault_max_retries, String vault_token) {
-        return withEnvironmentVariable("VAULT_ADDR", vault_addr)
-                .and("VAULT_CACERT", vault_cacert)
-                .and("VAULT_MAX_RETRIES", vault_max_retries)
-                .and("VAULT_TOKEN", vault_token);
-    }
-
-    private Object getRequestHelperPrivate(HTTPVaultConnector connector, String fieldName) throws NoSuchFieldException, IllegalAccessException {
-        return getPrivate(getPrivate(connector, "request"), fieldName);
-    }
-
-    private Object getPrivate(Object target, String fieldName) throws NoSuchFieldException, IllegalAccessException {
-        Field field = target.getClass().getDeclaredField(fieldName);
-        if (field.isAccessible()) {
-            return field.get(target);
-        }
-        field.setAccessible(true);
-        Object value = field.get(target);
-        field.setAccessible(false);
-        return value;
-    }
-}
--- a/src/test/java/de/stklcode/jvault/connector/exception/VaultConnectorExceptionTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/exception/VaultConnectorExceptionTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -18,10 +18,8 @@ package de.stklcode.jvault.connector.exception;

 import org.junit.jupiter.api.Test;

-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.instanceOf;
-import static org.hamcrest.Matchers.nullValue;
-import static org.hamcrest.core.Is.is;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;

 /**
 * Common JUnit test for Exceptions extending {@link VaultConnectorException}.
@ -65,42 +63,39 @@ class VaultConnectorExceptionTest {

        // Constructor with message and status code.
        InvalidResponseException e = new InvalidResponseException(MSG, STATUS_CODE);
-        assertThat(e.getMessage(), is(MSG));
-        assertThat(e.getCause(), is(nullValue()));
-        assertThat(e.getStatusCode(), is(STATUS_CODE));
-        assertThat(e.getResponse(), is(nullValue()));
+        assertEquals(MSG, e.getMessage());
+        assertNull(e.getCause());
+        assertEquals(STATUS_CODE, e.getStatusCode());
+        assertNull(e.getResponse());

        // Constructor with message, status code and cause.
        e = new InvalidResponseException(MSG, STATUS_CODE, CAUSE);
-        assertThat(e.getMessage(), is(MSG));
-        assertThat(e.getCause(), is(CAUSE));
-        assertThat(e.getStatusCode(), is(STATUS_CODE));
-        assertThat(e.getResponse(), is(nullValue()));
+        assertEquals(MSG, e.getMessage());
+        assertEquals(CAUSE, e.getCause());
+        assertEquals(STATUS_CODE, e.getStatusCode());
+        assertNull(e.getResponse());

        // Constructor with message, status code and response.
        e = new InvalidResponseException(MSG, STATUS_CODE, RESPONSE);
-        assertThat(e.getMessage(), is(MSG));
-        assertThat(e.getCause(), is(nullValue()));
-        assertThat(e.getStatusCode(), is(STATUS_CODE));
-        assertThat(e.getResponse(), is(RESPONSE));
+        assertEquals(MSG, e.getMessage());
+        assertNull(e.getCause());
+        assertEquals(STATUS_CODE, e.getStatusCode());
+        assertEquals(RESPONSE, e.getResponse());

        // Constructor with message, status code, response and cause.
        e = new InvalidResponseException(MSG, STATUS_CODE, RESPONSE, CAUSE);
-        assertThat(e.getMessage(), is(MSG));
-        assertThat(e.getCause(), is(CAUSE));
-        assertThat(e.getStatusCode(), is(STATUS_CODE));
-        assertThat(e.getResponse(), is(RESPONSE));
+        assertEquals(MSG, e.getMessage());
+        assertEquals(CAUSE, e.getCause());
+        assertEquals(STATUS_CODE, e.getStatusCode());
+        assertEquals(RESPONSE, e.getResponse());
    }

    @Test
    void permissionDeniedExceptionTest() {
        // Default message overwritten.
        PermissionDeniedException e = new PermissionDeniedException();
-        assertThat(e, is(instanceOf(VaultConnectorException.class)));
-        assertThat(e, is(instanceOf(Exception.class)));
-        assertThat(e, is(instanceOf(Throwable.class)));
-        assertThat(e.getMessage(), is("Permission denied"));
-        assertThat(e.getCause(), is(nullValue()));
+        assertEquals("Permission denied", e.getMessage());
+        assertNull(e.getCause());

        assertMsgConstructor(new PermissionDeniedException(MSG));
        assertCauseConstructor(new PermissionDeniedException(CAUSE));
@ -121,11 +116,8 @@ class VaultConnectorExceptionTest {
     * @param e the exception
     */
    private void assertEmptyConstructor(VaultConnectorException e) {
-        assertThat(e, is(instanceOf(VaultConnectorException.class)));
-        assertThat(e, is(instanceOf(Exception.class)));
-        assertThat(e, is(instanceOf(Throwable.class)));
-        assertThat(e.getMessage(), is(nullValue()));
-        assertThat(e.getCause(), is(nullValue()));
+        assertNull(e.getMessage());
+        assertNull(e.getCause());
    }

    /**
@ -134,8 +126,8 @@ class VaultConnectorExceptionTest {
     * @param e the exception
     */
    private void assertMsgConstructor(VaultConnectorException e) {
-        assertThat(e.getMessage(), is(MSG));
-        assertThat(e.getCause(), is(nullValue()));
+        assertEquals(MSG, e.getMessage());
+        assertNull(e.getCause());
    }

    /**
@ -144,8 +136,8 @@ class VaultConnectorExceptionTest {
     * @param e the exception
     */
    private void assertCauseConstructor(VaultConnectorException e) {
-        assertThat(e.getMessage(), is(CAUSE.toString()));
-        assertThat(e.getCause(), is(CAUSE));
+        assertEquals(CAUSE.toString(), e.getMessage());
+        assertEquals(CAUSE, e.getCause());
    }

    /**
@ -154,7 +146,7 @@ class VaultConnectorExceptionTest {
     * @param e the exception
     */
    private void assertMsgCauseConstructor(VaultConnectorException e) {
-        assertThat(e.getMessage(), is(MSG));
-        assertThat(e.getCause(), is(CAUSE));
+        assertEquals(MSG, e.getMessage());
+        assertEquals(CAUSE, e.getCause());
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/factory/HTTPVaultConnectorFactoryTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/factory/HTTPVaultConnectorFactoryTest.java
@ -1,131 +0,0 @@
-/*
- * Copyright 2016-2021 Stefan Kalscheuer
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package de.stklcode.jvault.connector.factory;
-
-import com.github.stefanbirkner.systemlambda.SystemLambda;
-import de.stklcode.jvault.connector.HTTPVaultConnector;
-import de.stklcode.jvault.connector.exception.TlsException;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.io.TempDir;
-
-import java.io.File;
-import java.lang.reflect.Field;
-import java.nio.file.NoSuchFileException;
-
-import static com.github.stefanbirkner.systemlambda.SystemLambda.withEnvironmentVariable;
-import static org.hamcrest.CoreMatchers.*;
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-
-/**
- * JUnit test for HTTP Vault connector factory
- *
- * @author Stefan Kalscheuer
- * @since 0.6.0
- */
-class HTTPVaultConnectorFactoryTest {
-    private static String VAULT_ADDR = "https://localhost:8201";
-    private static Integer VAULT_MAX_RETRIES = 13;
-    private static String VAULT_TOKEN = "00001111-2222-3333-4444-555566667777";
-
-    @TempDir
-    File tempDir;
-
-    /**
-     * Test building from environment variables
-     */
-    @Test
-    void testFromEnv() throws Exception {
-        /* Provide address only should be enough */
-        withVaultEnv(VAULT_ADDR, null, null, null).execute(() -> {
-            HTTPVaultConnectorFactory factory = assertDoesNotThrow(
-                    () -> VaultConnectorFactory.httpFactory().fromEnv(),
-                    "Factory creation from minimal environment failed"
-            );
-            HTTPVaultConnector connector = factory.build();
-
-            assertThat("URL nor set correctly", getRequestHelperPrivate(connector, "baseURL"), is(equalTo(VAULT_ADDR + "/v1/")));
-            assertThat("Trusted CA cert set when no cert provided", getRequestHelperPrivate(connector, "trustedCaCert"), is(nullValue()));
-            assertThat("Non-default number of retries, when none set", getRequestHelperPrivate(connector, "retries"), is(0));
-
-            return null;
-        });
-
-        /* Provide address and number of retries */
-        withVaultEnv(VAULT_ADDR, null, VAULT_MAX_RETRIES.toString(), null).execute(() -> {
-            HTTPVaultConnectorFactory factory = assertDoesNotThrow(
-                    () -> VaultConnectorFactory.httpFactory().fromEnv(),
-                    "Factory creation from environment failed"
-            );
-            HTTPVaultConnector connector = factory.build();
-
-            assertThat("URL nor set correctly", getRequestHelperPrivate(connector, "baseURL"), is(equalTo(VAULT_ADDR + "/v1/")));
-            assertThat("Trusted CA cert set when no cert provided", getRequestHelperPrivate(connector, "trustedCaCert"), is(nullValue()));
-            assertThat("Number of retries not set correctly", getRequestHelperPrivate(connector, "retries"), is(VAULT_MAX_RETRIES));
-
-            return null;
-        });
-
-        /* Provide CA certificate */
-        String VAULT_CACERT = tempDir.toString() + "/doesnotexist";
-        withVaultEnv(VAULT_ADDR, VAULT_CACERT, VAULT_MAX_RETRIES.toString(), null).execute(() -> {
-            TlsException e = assertThrows(
-                    TlsException.class,
-                    () -> VaultConnectorFactory.httpFactory().fromEnv(),
-                    "Creation with unknown cert path failed."
-            );
-            assertThat(e.getCause(), is(instanceOf(NoSuchFileException.class)));
-            assertThat(((NoSuchFileException) e.getCause()).getFile(), is(VAULT_CACERT));
-
-            return null;
-        });
-
-        /* Automatic authentication */
-        withVaultEnv(VAULT_ADDR, null, VAULT_MAX_RETRIES.toString(), VAULT_TOKEN).execute(() -> {
-            HTTPVaultConnectorFactory factory = assertDoesNotThrow(
-                    () -> VaultConnectorFactory.httpFactory().fromEnv(),
-                    "Factory creation from minimal environment failed"
-            );
-            assertThat("Token nor set correctly", getPrivate(getPrivate(factory, "delegate"), "token"), is(equalTo(VAULT_TOKEN)));
-
-            return null;
-        });
-    }
-
-    private SystemLambda.WithEnvironmentVariables withVaultEnv(String vault_addr, String vault_cacert, String vault_max_retries, String vault_token) {
-        return withEnvironmentVariable("VAULT_ADDR", vault_addr)
-                .and("VAULT_CACERT", vault_cacert)
-                .and("VAULT_MAX_RETRIES", vault_max_retries)
-                .and("VAULT_TOKEN", vault_token);
-    }
-
-    private Object getRequestHelperPrivate(HTTPVaultConnector connector, String fieldName) throws NoSuchFieldException, IllegalAccessException {
-        return getPrivate(getPrivate(connector, "request"), fieldName);
-    }
-
-    private Object getPrivate(Object target, String fieldName) throws NoSuchFieldException, IllegalAccessException {
-        Field field = target.getClass().getDeclaredField(fieldName);
-        if (field.isAccessible()) {
-            return field.get(target);
-        }
-        field.setAccessible(true);
-        Object value = field.get(target);
-        field.setAccessible(false);
-        return value;
-    }
-}
--- a/src/test/java/de/stklcode/jvault/connector/model/AbstractModelTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/AbstractModelTest.java
@ -0,0 +1,81 @@
+package de.stklcode.jvault.connector.model;
+
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.SerializationFeature;
+import com.fasterxml.jackson.databind.json.JsonMapper;
+import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
+import nl.jqno.equalsverifier.EqualsVerifier;
+import org.junit.jupiter.api.Test;
+
+import java.io.*;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.fail;
+
+/**
+ * Abstract testcase for model classes.
+ *
+ * @author Stefan Kalscheuer
+ * @since 1.1
+ */
+public abstract class AbstractModelTest<T> {
+    protected final Class<?> modelClass;
+    protected final ObjectMapper objectMapper;
+
+    /**
+     * Test case constructor.
+     *
+     * @param modelClass Target class to test.
+     */
+    protected AbstractModelTest(Class<T> modelClass) {
+        this.modelClass = modelClass;
+        this.objectMapper = JsonMapper.builder()
+            .addModule(new JavaTimeModule())
+            .enable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS)
+            .disable(DeserializationFeature.ADJUST_DATES_TO_CONTEXT_TIME_ZONE)
+            .build();
+    }
+
+    /**
+     * Create a "full" model instance.
+     *
+     * @return Model instance.
+     */
+    protected abstract T createFull();
+
+    /**
+     * Test if {@link Object#equals(Object)} and {@link Object#hashCode()} are implemented, s.t. all fields are covered.
+     */
+    @Test
+    void testEqualsHashcode() {
+        EqualsVerifier.simple().forClass(modelClass).verify();
+    }
+
+    /**
+     * Test Java serialization of a full model instance.
+     * Serialization and deserialization must not fail and the resulting object should equal the original object.
+     */
+    @Test
+    void serializationTest() {
+        T original = createFull();
+        byte[] bytes;
+        try (var bos = new ByteArrayOutputStream();
+             var oos = new ObjectOutputStream(bos)) {
+            oos.writeObject(original);
+            bytes = bos.toByteArray();
+        } catch (IOException e) {
+            fail("Serialization failed", e);
+            return;
+        }
+
+        try (var bis = new ByteArrayInputStream(bytes);
+             var ois = new ObjectInputStream(bis)) {
+            Object copy = ois.readObject();
+            assertEquals(modelClass, copy.getClass(), "Invalid class after deserialization");
+            assertEquals(original, copy, "Deserialized object should be equal to the original");
+        } catch (IOException | ClassNotFoundException e) {
+            fail("Deserialization failed", e);
+        }
+    }
+}
--- a/src/test/java/de/stklcode/jvault/connector/model/AppRoleBuilderTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/AppRoleBuilderTest.java
@ -1,299 +0,0 @@
-/*
- * Copyright 2016-2021 Stefan Kalscheuer
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package de.stklcode.jvault.connector.model;
-
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import org.junit.jupiter.api.BeforeAll;
-import org.junit.jupiter.api.Test;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.*;
-
-/**
- * JUnit Test for AppRole Builder.
- *
- * @author Stefan Kalscheuer
- * @since 0.4.0
- */
-class AppRoleBuilderTest {
-    private static final String NAME = "TestRole";
-    private static final String ID = "test-id";
-    private static final Boolean BIND_SECRET_ID = true;
-    private static final List<String> BOUND_CIDR_LIST = new ArrayList<>();
-    private static final String CIDR_1 = "192.168.1.0/24";
-    private static final String CIDR_2 = "172.16.0.0/16";
-    private static final List<String> POLICIES = new ArrayList<>();
-    private static final String POLICY = "policy";
-    private static final String POLICY_2 = "policy2";
-    private static final Integer SECRET_ID_NUM_USES = 10;
-    private static final Integer SECRET_ID_TTL = 7200;
-    private static final Boolean ENABLE_LOCAL_SECRET_IDS = false;
-    private static final Integer TOKEN_TTL = 4800;
-    private static final Integer TOKEN_MAX_TTL = 9600;
-    private static final Integer TOKEN_EXPLICIT_MAX_TTL = 14400;
-    private static final Boolean TOKEN_NO_DEFAULT_POLICY = false;
-    private static final Integer TOKEN_NUM_USES = 42;
-    private static final Integer TOKEN_PERIOD = 1234;
-    private static final Token.Type TOKEN_TYPE = Token.Type.DEFAULT_SERVICE;
-    private static final String JSON_MIN = "{\"role_name\":\"" + NAME + "\"}";
-    private static final String JSON_FULL = String.format("{\"role_name\":\"%s\",\"role_id\":\"%s\",\"bind_secret_id\":%s,\"secret_id_bound_cidrs\":\"%s\",\"secret_id_num_uses\":%d,\"secret_id_ttl\":%d,\"enable_local_secret_ids\":%s,\"token_ttl\":%d,\"token_max_ttl\":%d,\"token_policies\":\"%s\",\"token_bound_cidrs\":\"%s\",\"token_explicit_max_ttl\":%d,\"token_no_default_policy\":%s,\"token_num_uses\":%d,\"token_period\":%d,\"token_type\":\"%s\"}",
-            NAME, ID, BIND_SECRET_ID, CIDR_1, SECRET_ID_NUM_USES, SECRET_ID_TTL, ENABLE_LOCAL_SECRET_IDS, TOKEN_TTL, TOKEN_MAX_TTL, POLICY, CIDR_1, TOKEN_EXPLICIT_MAX_TTL, TOKEN_NO_DEFAULT_POLICY, TOKEN_NUM_USES, TOKEN_PERIOD, TOKEN_TYPE.value());
-
-    @BeforeAll
-    static void init() {
-        BOUND_CIDR_LIST.add(CIDR_1);
-        POLICIES.add(POLICY);
-    }
-
-    /**
-     * Build role with only a name.
-     */
-    @Test
-    void buildDefaultTest() throws JsonProcessingException {
-        AppRole role = AppRole.builder(NAME).build();
-        assertThat(role.getId(), is(nullValue()));
-        assertThat(role.getBindSecretId(), is(nullValue()));
-        assertThat(role.getSecretIdBoundCidrs(), is(nullValue()));
-        assertThat(role.getTokenPolicies(), is(nullValue()));
-        assertThat(role.getPolicies(), is(nullValue()));
-        assertThat(role.getSecretIdNumUses(), is(nullValue()));
-        assertThat(role.getSecretIdTtl(), is(nullValue()));
-        assertThat(role.getEnableLocalSecretIds(), is(nullValue()));
-        assertThat(role.getTokenTtl(), is(nullValue()));
-        assertThat(role.getTokenMaxTtl(), is(nullValue()));
-        assertThat(role.getTokenBoundCidrs(), is(nullValue()));
-        assertThat(role.getTokenExplicitMaxTtl(), is(nullValue()));
-        assertThat(role.getTokenNoDefaultPolicy(), is(nullValue()));
-        assertThat(role.getTokenNumUses(), is(nullValue()));
-        assertThat(role.getTokenPeriod(), is(nullValue()));
-        assertThat(role.getPeriod(), is(nullValue()));
-        assertThat(role.getTokenType(), is(nullValue()));
-
-        /* optional fields should be ignored, so JSON string should only contain role_name */
-        assertThat(new ObjectMapper().writeValueAsString(role), is(JSON_MIN));
-    }
-
-    /**
-     * Build role with only a name.
-     */
-    @Test
-    void legacyBuildDefaultTest() throws JsonProcessingException {
-        AppRole role = new AppRoleBuilder(NAME).build();
-        assertThat(role.getId(), is(nullValue()));
-        assertThat(role.getBindSecretId(), is(nullValue()));
-        assertThat(role.getSecretIdBoundCidrs(), is(nullValue()));
-        assertThat(role.getTokenPolicies(), is(nullValue()));
-        assertThat(role.getPolicies(), is(nullValue()));
-        assertThat(role.getSecretIdNumUses(), is(nullValue()));
-        assertThat(role.getSecretIdTtl(), is(nullValue()));
-        assertThat(role.getEnableLocalSecretIds(), is(nullValue()));
-        assertThat(role.getTokenTtl(), is(nullValue()));
-        assertThat(role.getTokenMaxTtl(), is(nullValue()));
-        assertThat(role.getTokenBoundCidrs(), is(nullValue()));
-        assertThat(role.getTokenExplicitMaxTtl(), is(nullValue()));
-        assertThat(role.getTokenNoDefaultPolicy(), is(nullValue()));
-        assertThat(role.getTokenNumUses(), is(nullValue()));
-        assertThat(role.getTokenPeriod(), is(nullValue()));
-        assertThat(role.getPeriod(), is(nullValue()));
-        assertThat(role.getTokenType(), is(nullValue()));
-
-        /* optional fields should be ignored, so JSON string should only contain role_name */
-        assertThat(new ObjectMapper().writeValueAsString(role), is(JSON_MIN));
-    }
-
-    /**
-     * Build token without all parameters set.
-     */
-    @Test
-    void buildFullTest() throws JsonProcessingException {
-        AppRole role = AppRole.builder(NAME)
-                .withId(ID)
-                .withBindSecretID(BIND_SECRET_ID)
-                .withSecretIdBoundCidrs(BOUND_CIDR_LIST)
-                .withTokenPolicies(POLICIES)
-                .withSecretIdNumUses(SECRET_ID_NUM_USES)
-                .withSecretIdTtl(SECRET_ID_TTL)
-                .withEnableLocalSecretIds(ENABLE_LOCAL_SECRET_IDS)
-                .withTokenTtl(TOKEN_TTL)
-                .withTokenMaxTtl(TOKEN_MAX_TTL)
-                .withTokenBoundCidrs(BOUND_CIDR_LIST)
-                .withTokenExplicitMaxTtl(TOKEN_EXPLICIT_MAX_TTL)
-                .withTokenNoDefaultPolicy(TOKEN_NO_DEFAULT_POLICY)
-                .withTokenNumUses(TOKEN_NUM_USES)
-                .wit0hTokenPeriod(TOKEN_PERIOD)
-                .withTokenType(TOKEN_TYPE)
-                .build();
-        assertThat(role.getName(), is(NAME));
-        assertThat(role.getId(), is(ID));
-        assertThat(role.getBindSecretId(), is(BIND_SECRET_ID));
-        assertThat(role.getSecretIdBoundCidrs(), is(BOUND_CIDR_LIST));
-        assertThat(role.getTokenPolicies(), is(POLICIES));
-        assertThat(role.getPolicies(), is(role.getTokenPolicies()));
-        assertThat(role.getSecretIdNumUses(), is(SECRET_ID_NUM_USES));
-        assertThat(role.getSecretIdTtl(), is(SECRET_ID_TTL));
-        assertThat(role.getEnableLocalSecretIds(), is(ENABLE_LOCAL_SECRET_IDS));
-        assertThat(role.getTokenTtl(), is(TOKEN_TTL));
-        assertThat(role.getTokenMaxTtl(), is(TOKEN_MAX_TTL));
-        assertThat(role.getTokenBoundCidrs(), is(BOUND_CIDR_LIST));
-        assertThat(role.getTokenExplicitMaxTtl(), is(TOKEN_EXPLICIT_MAX_TTL));
-        assertThat(role.getTokenNoDefaultPolicy(), is(TOKEN_NO_DEFAULT_POLICY));
-        assertThat(role.getTokenNumUses(), is(TOKEN_NUM_USES));
-        assertThat(role.getTokenPeriod(), is(TOKEN_PERIOD));
-        assertThat(role.getPeriod(), is(TOKEN_PERIOD));
-        assertThat(role.getTokenType(), is(TOKEN_TYPE.value()));
-
-        /* Verify that all parameters are included in JSON string */
-        assertThat(new ObjectMapper().writeValueAsString(role), is(JSON_FULL));
-    }
-
-    /**
-     * Build token without all parameters set.
-     */
-    @Test
-    void legacyBuildFullTest() throws JsonProcessingException {
-        AppRole role = new AppRoleBuilder(NAME)
-                .withId(ID)
-                .withBindSecretID(BIND_SECRET_ID)
-                .withSecretIdBoundCidrs(BOUND_CIDR_LIST)
-                .withTokenPolicies(POLICIES)
-                .withSecretIdNumUses(SECRET_ID_NUM_USES)
-                .withSecretIdTtl(SECRET_ID_TTL)
-                .withEnableLocalSecretIds(ENABLE_LOCAL_SECRET_IDS)
-                .withTokenTtl(TOKEN_TTL)
-                .withTokenMaxTtl(TOKEN_MAX_TTL)
-                .withTokenBoundCidrs(BOUND_CIDR_LIST)
-                .withTokenExplicitMaxTtl(TOKEN_EXPLICIT_MAX_TTL)
-                .withTokenNoDefaultPolicy(TOKEN_NO_DEFAULT_POLICY)
-                .withTokenNumUses(TOKEN_NUM_USES)
-                .wit0hTokenPeriod(TOKEN_PERIOD)
-                .withTokenType(TOKEN_TYPE)
-                .build();
-        assertThat(role.getName(), is(NAME));
-        assertThat(role.getId(), is(ID));
-        assertThat(role.getBindSecretId(), is(BIND_SECRET_ID));
-        assertThat(role.getSecretIdBoundCidrs(), is(BOUND_CIDR_LIST));
-        assertThat(role.getTokenPolicies(), is(POLICIES));
-        assertThat(role.getPolicies(), is(role.getTokenPolicies()));
-        assertThat(role.getSecretIdNumUses(), is(SECRET_ID_NUM_USES));
-        assertThat(role.getSecretIdTtl(), is(SECRET_ID_TTL));
-        assertThat(role.getEnableLocalSecretIds(), is(ENABLE_LOCAL_SECRET_IDS));
-        assertThat(role.getTokenTtl(), is(TOKEN_TTL));
-        assertThat(role.getTokenMaxTtl(), is(TOKEN_MAX_TTL));
-        assertThat(role.getTokenBoundCidrs(), is(BOUND_CIDR_LIST));
-        assertThat(role.getTokenExplicitMaxTtl(), is(TOKEN_EXPLICIT_MAX_TTL));
-        assertThat(role.getTokenNoDefaultPolicy(), is(TOKEN_NO_DEFAULT_POLICY));
-        assertThat(role.getTokenNumUses(), is(TOKEN_NUM_USES));
-        assertThat(role.getTokenPeriod(), is(TOKEN_PERIOD));
-        assertThat(role.getPeriod(), is(TOKEN_PERIOD));
-        assertThat(role.getTokenType(), is(TOKEN_TYPE.value()));
-
-        /* Verify that all parameters are included in JSON string */
-        assertThat(new ObjectMapper().writeValueAsString(role), is(JSON_FULL));
-    }
-
-    /**
-     * Test convenience methods
-     */
-    @Test
-    void convenienceMethodsTest() {
-        /* bind_secret_id */
-        AppRole role = AppRole.builder(NAME).build();
-        assertThat(role.getBindSecretId(), is(nullValue()));
-        role = AppRole.builder(NAME).withBindSecretID().build();
-        assertThat(role.getBindSecretId(), is(true));
-        role = AppRole.builder(NAME).withoutBindSecretID().build();
-        assertThat(role.getBindSecretId(), is(false));
-
-        /* Add single CIDR subnet */
-        role = AppRole.builder(NAME).withSecretBoundCidr(CIDR_2).withTokenBoundCidr(CIDR_2).build();
-        assertThat(role.getSecretIdBoundCidrs(), hasSize(1));
-        assertThat(role.getSecretIdBoundCidrs(), contains(CIDR_2));
-        assertThat(role.getTokenBoundCidrs(), hasSize(1));
-        assertThat(role.getTokenBoundCidrs(), contains(CIDR_2));
-        role = AppRole.builder(NAME)
-                .withSecretIdBoundCidrs(BOUND_CIDR_LIST)
-                .withSecretBoundCidr(CIDR_2)
-                .withTokenBoundCidrs(BOUND_CIDR_LIST)
-                .withTokenBoundCidr(CIDR_2)
-                .build();
-        assertThat(role.getSecretIdBoundCidrs(), hasSize(2));
-        assertThat(role.getSecretIdBoundCidrs(), contains(CIDR_1, CIDR_2));
-        assertThat(role.getTokenBoundCidrs(), hasSize(2));
-        assertThat(role.getSecretIdBoundCidrs(), contains(CIDR_1, CIDR_2));
-
-        /* Add single policy */
-        role = AppRole.builder(NAME).withTokenPolicy(POLICY_2).build();
-        assertThat(role.getTokenPolicies(), hasSize(1));
-        assertThat(role.getTokenPolicies(), contains(POLICY_2));
-        assertThat(role.getPolicies(), is(role.getTokenPolicies()));
-        role = AppRole.builder(NAME)
-                .withTokenPolicies(POLICIES)
-                .withTokenPolicy(POLICY_2)
-                .build();
-        assertThat(role.getTokenPolicies(), hasSize(2));
-        assertThat(role.getTokenPolicies(), contains(POLICY, POLICY_2));
-        assertThat(role.getPolicies(), is(role.getTokenPolicies()));
-    }
-
-    /**
-     * Test convenience methods
-     */
-    @Test
-    void legacyConvenienceMethodsTest() {
-        /* bind_secret_id */
-        AppRole role = new AppRoleBuilder(NAME).build();
-        assertThat(role.getBindSecretId(), is(nullValue()));
-        role = new AppRoleBuilder(NAME).withBindSecretID().build();
-        assertThat(role.getBindSecretId(), is(true));
-        role = new AppRoleBuilder(NAME).withoutBindSecretID().build();
-        assertThat(role.getBindSecretId(), is(false));
-
-        /* Add single CIDR subnet */
-        role = new AppRoleBuilder(NAME).withSecretBoundCidr(CIDR_2).withTokenBoundCidr(CIDR_2).build();
-        assertThat(role.getSecretIdBoundCidrs(), hasSize(1));
-        assertThat(role.getSecretIdBoundCidrs(), contains(CIDR_2));
-        assertThat(role.getTokenBoundCidrs(), hasSize(1));
-        assertThat(role.getTokenBoundCidrs(), contains(CIDR_2));
-        role = new AppRoleBuilder(NAME)
-                .withSecretIdBoundCidrs(BOUND_CIDR_LIST)
-                .withSecretBoundCidr(CIDR_2)
-                .withTokenBoundCidrs(BOUND_CIDR_LIST)
-                .withTokenBoundCidr(CIDR_2)
-                .build();
-        assertThat(role.getSecretIdBoundCidrs(), hasSize(2));
-        assertThat(role.getSecretIdBoundCidrs(), contains(CIDR_1, CIDR_2));
-        assertThat(role.getTokenBoundCidrs(), hasSize(2));
-        assertThat(role.getSecretIdBoundCidrs(), contains(CIDR_1, CIDR_2));
-
-        /* Add single policy */
-        role = new AppRoleBuilder(NAME).withTokenPolicy(POLICY_2).build();
-        assertThat(role.getTokenPolicies(), hasSize(1));
-        assertThat(role.getTokenPolicies(), contains(POLICY_2));
-        assertThat(role.getPolicies(), is(role.getTokenPolicies()));
-        role = new AppRoleBuilder(NAME)
-                .withTokenPolicies(POLICIES)
-                .withTokenPolicy(POLICY_2)
-                .build();
-        assertThat(role.getTokenPolicies(), hasSize(2));
-        assertThat(role.getTokenPolicies(), contains(POLICY, POLICY_2));
-        assertThat(role.getPolicies(), is(role.getTokenPolicies()));
-    }
-}
--- a/src/test/java/de/stklcode/jvault/connector/model/AppRoleSecretTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/AppRoleSecretTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,18 +16,13 @@

 package de.stklcode.jvault.connector.model;

-import com.fasterxml.jackson.databind.ObjectMapper;
 import org.junit.jupiter.api.Test;

 import java.lang.reflect.Field;
-import java.util.Arrays;
-import java.util.HashMap;
 import java.util.List;
 import java.util.Map;

-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.*;
-import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+import static org.junit.jupiter.api.Assertions.*;
 import static org.junit.jupiter.api.Assumptions.assumeTrue;


@ -37,15 +32,21 @@ import static org.junit.jupiter.api.Assumptions.assumeTrue;
 * @author Stefan Kalscheuer
 * @since 0.5.0
 */
-class AppRoleSecretTest {
-
+class AppRoleSecretTest extends AbstractModelTest<AppRoleSecret> {
    private static final String TEST_ID = "abc123";
-    private static final Map<String, Object> TEST_META = new HashMap<>();
-    private static final List<String> TEST_CIDR = Arrays.asList("203.0.113.0/24", "198.51.100.0/24");
+    private static final Map<String, Object> TEST_META = Map.of(
+            "foo", "bar",
+            "number", 1337
+    );
+    private static final List<String> TEST_CIDR = List.of("203.0.113.0/24", "198.51.100.0/24");

-    static {
-        TEST_META.put("foo", "bar");
-        TEST_META.put("number", 1337);
+    AppRoleSecretTest() {
+        super(AppRoleSecret.class);
+    }
+
+    @Override
+    protected AppRoleSecret createFull() {
+        return new AppRoleSecret(TEST_ID, TEST_META, TEST_CIDR);
    }

    /**
@ -53,44 +54,44 @@ class AppRoleSecretTest {
     */
    @Test
    void constructorTest() {
-        /* Empty constructor */
+        // Empty constructor.
        AppRoleSecret secret = new AppRoleSecret();
-        assertThat(secret.getId(), is(nullValue()));
-        assertThat(secret.getAccessor(), is(nullValue()));
-        assertThat(secret.getMetadata(), is(nullValue()));
-        assertThat(secret.getCidrList(), is(nullValue()));
-        assertThat(secret.getCidrListString(), is(emptyString()));
-        assertThat(secret.getCreationTime(), is(nullValue()));
-        assertThat(secret.getExpirationTime(), is(nullValue()));
-        assertThat(secret.getLastUpdatedTime(), is(nullValue()));
-        assertThat(secret.getNumUses(), is(nullValue()));
-        assertThat(secret.getTtl(), is(nullValue()));
+        assertNull(secret.getId());
+        assertNull(secret.getAccessor());
+        assertNull(secret.getMetadata());
+        assertNull(secret.getCidrList());
+        assertEquals("", secret.getCidrListString());
+        assertNull(secret.getCreationTime());
+        assertNull(secret.getExpirationTime());
+        assertNull(secret.getLastUpdatedTime());
+        assertNull(secret.getNumUses());
+        assertNull(secret.getTtl());

-        /* Constructor with ID */
+        // Constructor with ID.
        secret = new AppRoleSecret(TEST_ID);
-        assertThat(secret.getId(), is(TEST_ID));
-        assertThat(secret.getAccessor(), is(nullValue()));
-        assertThat(secret.getMetadata(), is(nullValue()));
-        assertThat(secret.getCidrList(), is(nullValue()));
-        assertThat(secret.getCidrListString(), is(emptyString()));
-        assertThat(secret.getCreationTime(), is(nullValue()));
-        assertThat(secret.getExpirationTime(), is(nullValue()));
-        assertThat(secret.getLastUpdatedTime(), is(nullValue()));
-        assertThat(secret.getNumUses(), is(nullValue()));
-        assertThat(secret.getTtl(), is(nullValue()));
+        assertEquals(TEST_ID, secret.getId());
+        assertNull(secret.getAccessor());
+        assertNull(secret.getMetadata());
+        assertNull(secret.getCidrList());
+        assertEquals("", secret.getCidrListString());
+        assertNull(secret.getCreationTime());
+        assertNull(secret.getExpirationTime());
+        assertNull(secret.getLastUpdatedTime());
+        assertNull(secret.getNumUses());
+        assertNull(secret.getTtl());

-        /* Constructor with Metadata and CIDR bindings */
+        // Constructor with Metadata and CIDR bindings.
        secret = new AppRoleSecret(TEST_ID, TEST_META, TEST_CIDR);
-        assertThat(secret.getId(), is(TEST_ID));
-        assertThat(secret.getAccessor(), is(nullValue()));
-        assertThat(secret.getMetadata(), is(TEST_META));
-        assertThat(secret.getCidrList(), is(TEST_CIDR));
-        assertThat(secret.getCidrListString(), is(String.join(",", TEST_CIDR)));
-        assertThat(secret.getCreationTime(), is(nullValue()));
-        assertThat(secret.getExpirationTime(), is(nullValue()));
-        assertThat(secret.getLastUpdatedTime(), is(nullValue()));
-        assertThat(secret.getNumUses(), is(nullValue()));
-        assertThat(secret.getTtl(), is(nullValue()));
+        assertEquals(TEST_ID, secret.getId());
+        assertNull(secret.getAccessor());
+        assertEquals(TEST_META, secret.getMetadata());
+        assertEquals(TEST_CIDR, secret.getCidrList());
+        assertEquals(String.join(",", TEST_CIDR), secret.getCidrListString());
+        assertNull(secret.getCreationTime());
+        assertNull(secret.getExpirationTime());
+        assertNull(secret.getLastUpdatedTime());
+        assertNull(secret.getNumUses());
+        assertNull(secret.getTtl());
    }

    /**
@ -99,14 +100,14 @@ class AppRoleSecretTest {
    @Test
    void setterTest() {
        AppRoleSecret secret = new AppRoleSecret(TEST_ID);
-        assertThat(secret.getCidrList(), is(nullValue()));
-        assertThat(secret.getCidrListString(), is(emptyString()));
+        assertNull(secret.getCidrList());
+        assertEquals("", secret.getCidrListString());
        secret.setCidrList(TEST_CIDR);
-        assertThat(secret.getCidrList(), is(TEST_CIDR));
-        assertThat(secret.getCidrListString(), is(String.join(",", TEST_CIDR)));
+        assertEquals(TEST_CIDR, secret.getCidrList());
+        assertEquals(String.join(",", TEST_CIDR), secret.getCidrListString());
        secret.setCidrList(null);
-        assertThat(secret.getCidrList(), is(nullValue()));
-        assertThat(secret.getCidrListString(), is(emptyString()));
+        assertNull(secret.getCidrList());
+        assertEquals("", secret.getCidrListString());
    }

    /**
@ -114,23 +115,21 @@ class AppRoleSecretTest {
     */
    @Test
    void jsonTest() throws NoSuchFieldException, IllegalAccessException {
-        ObjectMapper mapper = new ObjectMapper();
-
-        /* A simple roundtrip first. All set fields should be present afterwards. */
+        // A simple roundtrip first. All set fields should be present afterward.
        AppRoleSecret secret = new AppRoleSecret(TEST_ID, TEST_META, TEST_CIDR);
-        String secretJson = assertDoesNotThrow(() -> mapper.writeValueAsString(secret), "Serialization failed");
-        /* CIDR list is comma-separated when used as input, but List otherwise, hence convert string to list */
+        String secretJson = assertDoesNotThrow(() -> objectMapper.writeValueAsString(secret), "Serialization failed");
+        // CIDR list is comma-separated when used as input, but List otherwise, hence convert string to list.
        String secretJson2 = commaSeparatedToList(secretJson);

        AppRoleSecret secret2 = assertDoesNotThrow(
-                () -> mapper.readValue(secretJson2, AppRoleSecret.class),
+                () -> objectMapper.readValue(secretJson2, AppRoleSecret.class),
                "Deserialization failed"
        );
-        assertThat(secret.getId(), is(secret2.getId()));
-        assertThat(secret.getMetadata(), is(secret2.getMetadata()));
-        assertThat(secret.getCidrList(), is(secret2.getCidrList()));
+        assertEquals(secret2.getId(), secret.getId());
+        assertEquals(secret2.getMetadata(), secret.getMetadata());
+        assertEquals(secret2.getCidrList(), secret.getCidrList());

-        /* Test fields, that should not be written to JSON */
+        // Test fields, that should not be written to JSON.
        setPrivateField(secret, "accessor", "TEST_ACCESSOR");
        assumeTrue("TEST_ACCESSOR".equals(secret.getAccessor()));
        setPrivateField(secret, "creationTime", "TEST_CREATION");
@ -143,47 +142,45 @@ class AppRoleSecretTest {
        assumeTrue(secret.getNumUses() == 678);
        setPrivateField(secret, "ttl", 12345);
        assumeTrue(secret.getTtl() == 12345);
-        String secretJson3 = assertDoesNotThrow(() -> mapper.writeValueAsString(secret), "Serialization failed");
+        String secretJson3 = assertDoesNotThrow(() -> objectMapper.writeValueAsString(secret), "Serialization failed");
        secret2 = assertDoesNotThrow(
-                () -> mapper.readValue(commaSeparatedToList(secretJson3), AppRoleSecret.class),
+                () -> objectMapper.readValue(commaSeparatedToList(secretJson3), AppRoleSecret.class),
                "Deserialization failed"
        );
-        assertThat(secret.getId(), is(secret2.getId()));
-        assertThat(secret.getMetadata(), is(secret2.getMetadata()));
-        assertThat(secret.getCidrList(), is(secret2.getCidrList()));
-        assertThat(secret2.getAccessor(), is(nullValue()));
-        assertThat(secret2.getCreationTime(), is(nullValue()));
-        assertThat(secret2.getExpirationTime(), is(nullValue()));
-        assertThat(secret2.getLastUpdatedTime(), is(nullValue()));
-        assertThat(secret2.getNumUses(), is(nullValue()));
-        assertThat(secret2.getTtl(), is(nullValue()));
+        assertEquals(secret2.getId(), secret.getId());
+        assertEquals(secret2.getMetadata(), secret.getMetadata());
+        assertEquals(secret2.getCidrList(), secret.getCidrList());
+        assertNull(secret2.getAccessor());
+        assertNull(secret2.getCreationTime());
+        assertNull(secret2.getExpirationTime());
+        assertNull(secret2.getLastUpdatedTime());
+        assertNull(secret2.getNumUses());
+        assertNull(secret2.getTtl());

-        /* Those fields should be deserialized from JSON though */
+        // Those fields should be deserialized from JSON though.
        String secretJson4 = "{\"secret_id\":\"abc123\",\"metadata\":{\"number\":1337,\"foo\":\"bar\"}," +
                "\"cidr_list\":[\"203.0.113.0/24\",\"198.51.100.0/24\"],\"secret_id_accessor\":\"TEST_ACCESSOR\"," +
                "\"creation_time\":\"TEST_CREATION\",\"expiration_time\":\"TEST_EXPIRATION\"," +
                "\"last_updated_time\":\"TEST_LASTUPDATE\",\"secret_id_num_uses\":678,\"secret_id_ttl\":12345}";
-        secret2 = assertDoesNotThrow(() -> mapper.readValue(secretJson4, AppRoleSecret.class), "Deserialization failed");
-        assertThat(secret2.getAccessor(), is("TEST_ACCESSOR"));
-        assertThat(secret2.getCreationTime(), is("TEST_CREATION"));
-        assertThat(secret2.getExpirationTime(), is("TEST_EXPIRATION"));
-        assertThat(secret2.getLastUpdatedTime(), is("TEST_LASTUPDATE"));
-        assertThat(secret2.getNumUses(), is(678));
-        assertThat(secret2.getTtl(), is(12345));
-
+        secret2 = assertDoesNotThrow(() -> objectMapper.readValue(secretJson4, AppRoleSecret.class), "Deserialization failed");
+        assertEquals("TEST_ACCESSOR", secret2.getAccessor());
+        assertEquals("TEST_CREATION", secret2.getCreationTime());
+        assertEquals("TEST_EXPIRATION", secret2.getExpirationTime());
+        assertEquals("TEST_LASTUPDATE", secret2.getLastUpdatedTime());
+        assertEquals(678, secret2.getNumUses());
+        assertEquals(12345, secret2.getTtl());
    }

    private static void setPrivateField(Object object, String fieldName, Object value) throws NoSuchFieldException, IllegalAccessException {
        Field field = object.getClass().getDeclaredField(fieldName);
-        boolean accessible = field.isAccessible();
+        boolean accessible = field.canAccess(object);
        field.setAccessible(true);
        field.set(object, value);
        field.setAccessible(accessible);
    }

    private static String commaSeparatedToList(String json) {
-        return json.replaceAll("\"cidr_list\":\"([^\"]*)\"", "\"cidr_list\":\\[$1\\]")
+        return json.replaceAll("\"cidr_list\":\"([^\"]*)\"", "\"cidr_list\":[$1]")
                .replaceAll("(\\d+\\.\\d+\\.\\d+\\.\\d+/\\d+)", "\"$1\"");
    }
-
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/AppRoleTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/AppRoleTest.java
@ -0,0 +1,183 @@
+/*
+ * Copyright 2016-2025 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * JUnit Test for {@link AppRole} and {@link AppRole.Builder}.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.4.0
+ */
+class AppRoleTest extends AbstractModelTest<AppRole> {
+    private static final String NAME = "TestRole";
+    private static final String ID = "test-id";
+    private static final Boolean BIND_SECRET_ID = true;
+    private static final List<String> BOUND_CIDR_LIST = new ArrayList<>();
+    private static final String CIDR_1 = "192.168.1.0/24";
+    private static final String CIDR_2 = "172.16.0.0/16";
+    private static final List<String> POLICIES = new ArrayList<>();
+    private static final String POLICY = "policy";
+    private static final String POLICY_2 = "policy2";
+    private static final Integer SECRET_ID_NUM_USES = 10;
+    private static final Integer SECRET_ID_TTL = 7200;
+    private static final Boolean LOCAL_SECRET_IDS = false;
+    private static final Integer TOKEN_TTL = 4800;
+    private static final Integer TOKEN_MAX_TTL = 9600;
+    private static final Integer TOKEN_EXPLICIT_MAX_TTL = 14400;
+    private static final Boolean TOKEN_NO_DEFAULT_POLICY = false;
+    private static final Integer TOKEN_NUM_USES = 42;
+    private static final Integer TOKEN_PERIOD = 1234;
+    private static final Token.Type TOKEN_TYPE = Token.Type.DEFAULT_SERVICE;
+    private static final String JSON_MIN = "{\"role_name\":\"" + NAME + "\"}";
+    private static final String JSON_FULL = String.format("{\"role_name\":\"%s\",\"role_id\":\"%s\",\"bind_secret_id\":%s,\"secret_id_bound_cidrs\":\"%s\",\"secret_id_num_uses\":%d,\"secret_id_ttl\":%d,\"local_secret_ids\":%s,\"token_ttl\":%d,\"token_max_ttl\":%d,\"token_policies\":\"%s\",\"token_bound_cidrs\":\"%s\",\"token_explicit_max_ttl\":%d,\"token_no_default_policy\":%s,\"token_num_uses\":%d,\"token_period\":%d,\"token_type\":\"%s\"}",
+            NAME, ID, BIND_SECRET_ID, CIDR_1, SECRET_ID_NUM_USES, SECRET_ID_TTL, LOCAL_SECRET_IDS, TOKEN_TTL, TOKEN_MAX_TTL, POLICY, CIDR_1, TOKEN_EXPLICIT_MAX_TTL, TOKEN_NO_DEFAULT_POLICY, TOKEN_NUM_USES, TOKEN_PERIOD, TOKEN_TYPE.value());
+
+    AppRoleTest() {
+        super(AppRole.class);
+    }
+
+    @Override
+    protected AppRole createFull() {
+        return AppRole.builder(NAME)
+                .withId(ID)
+                .withBindSecretID(BIND_SECRET_ID)
+                .withSecretIdBoundCidrs(BOUND_CIDR_LIST)
+                .withTokenPolicies(POLICIES)
+                .withSecretIdNumUses(SECRET_ID_NUM_USES)
+                .withSecretIdTtl(SECRET_ID_TTL)
+                .withLocalSecretIds(LOCAL_SECRET_IDS)
+                .withTokenTtl(TOKEN_TTL)
+                .withTokenMaxTtl(TOKEN_MAX_TTL)
+                .withTokenBoundCidrs(BOUND_CIDR_LIST)
+                .withTokenExplicitMaxTtl(TOKEN_EXPLICIT_MAX_TTL)
+                .withTokenNoDefaultPolicy(TOKEN_NO_DEFAULT_POLICY)
+                .withTokenNumUses(TOKEN_NUM_USES)
+                .withTokenPeriod(TOKEN_PERIOD)
+                .withTokenType(TOKEN_TYPE)
+                .build();
+    }
+
+    @BeforeAll
+    static void init() {
+        BOUND_CIDR_LIST.add(CIDR_1);
+        POLICIES.add(POLICY);
+    }
+
+    /**
+     * Build role with only a name.
+     */
+    @Test
+    void buildDefaultTest() throws JsonProcessingException {
+        AppRole role = AppRole.builder(NAME).build();
+        assertNull(role.getId());
+        assertNull(role.getBindSecretId());
+        assertNull(role.getSecretIdBoundCidrs());
+        assertNull(role.getTokenPolicies());
+        assertNull(role.getSecretIdNumUses());
+        assertNull(role.getSecretIdTtl());
+        assertNull(role.getLocalSecretIds());
+        assertNull(role.getTokenTtl());
+        assertNull(role.getTokenMaxTtl());
+        assertNull(role.getTokenBoundCidrs());
+        assertNull(role.getTokenExplicitMaxTtl());
+        assertNull(role.getTokenNoDefaultPolicy());
+        assertNull(role.getTokenNumUses());
+        assertNull(role.getTokenPeriod());
+        assertNull(role.getTokenType());
+
+        // Optional fields should be ignored, so JSON string should only contain role_name.
+        assertEquals(JSON_MIN, objectMapper.writeValueAsString(role));
+    }
+
+    /**
+     * Build token without all parameters set.
+     */
+    @Test
+    void buildFullTest() throws JsonProcessingException {
+        AppRole role = createFull();
+        assertEquals(NAME, role.getName());
+        assertEquals(ID, role.getId());
+        assertEquals(BIND_SECRET_ID, role.getBindSecretId());
+        assertEquals(BOUND_CIDR_LIST, role.getSecretIdBoundCidrs());
+        assertEquals(POLICIES, role.getTokenPolicies());
+        assertEquals(SECRET_ID_NUM_USES, role.getSecretIdNumUses());
+        assertEquals(SECRET_ID_TTL, role.getSecretIdTtl());
+        assertEquals(LOCAL_SECRET_IDS, role.getLocalSecretIds());
+        assertEquals(TOKEN_TTL, role.getTokenTtl());
+        assertEquals(TOKEN_MAX_TTL, role.getTokenMaxTtl());
+        assertEquals(BOUND_CIDR_LIST, role.getTokenBoundCidrs());
+        assertEquals(TOKEN_EXPLICIT_MAX_TTL, role.getTokenExplicitMaxTtl());
+        assertEquals(TOKEN_NO_DEFAULT_POLICY, role.getTokenNoDefaultPolicy());
+        assertEquals(TOKEN_NUM_USES, role.getTokenNumUses());
+        assertEquals(TOKEN_PERIOD, role.getTokenPeriod());
+        assertEquals(TOKEN_TYPE.value(), role.getTokenType());
+
+        // Verify that all parameters are included in JSON string.
+        assertEquals(JSON_FULL, objectMapper.writeValueAsString(role));
+    }
+
+    /**
+     * Test convenience methods
+     */
+    @Test
+    void convenienceMethodsTest() {
+        // bind_secret_id.
+        AppRole role = AppRole.builder(NAME).build();
+        assertNull(role.getBindSecretId());
+        role = AppRole.builder(NAME).withBindSecretID().build();
+        assertEquals(true, role.getBindSecretId());
+        role = AppRole.builder(NAME).withoutBindSecretID().build();
+        assertEquals(false, role.getBindSecretId());
+
+        // Add single CIDR subnet.
+        role = AppRole.builder(NAME).withSecretBoundCidr(CIDR_2).withTokenBoundCidr(CIDR_2).build();
+        assertEquals(1, role.getSecretIdBoundCidrs().size());
+        assertEquals(CIDR_2, role.getSecretIdBoundCidrs().get(0));
+        assertEquals(1, role.getTokenBoundCidrs().size());
+        assertEquals(CIDR_2, role.getTokenBoundCidrs().get(0));
+        role = AppRole.builder(NAME)
+                .withSecretIdBoundCidrs(BOUND_CIDR_LIST)
+                .withSecretBoundCidr(CIDR_2)
+                .withTokenBoundCidrs(BOUND_CIDR_LIST)
+                .withTokenBoundCidr(CIDR_2)
+                .build();
+        assertEquals(2, role.getSecretIdBoundCidrs().size());
+        assertTrue(role.getSecretIdBoundCidrs().containsAll(List.of(CIDR_1, CIDR_2)));
+        assertEquals(2, role.getTokenBoundCidrs().size());
+        assertTrue(role.getSecretIdBoundCidrs().containsAll(List.of(CIDR_1, CIDR_2)));
+
+        // Add single policy.
+        role = AppRole.builder(NAME).withTokenPolicy(POLICY_2).build();
+        assertEquals(1, role.getTokenPolicies().size());
+        assertEquals(POLICY_2, role.getTokenPolicies().get(0));
+        role = AppRole.builder(NAME)
+                .withTokenPolicies(POLICIES)
+                .withTokenPolicy(POLICY_2)
+                .build();
+        assertEquals(2, role.getTokenPolicies().size());
+        assertTrue(role.getTokenPolicies().containsAll(List.of(POLICY, POLICY_2)));
+    }
+}
--- a/src/test/java/de/stklcode/jvault/connector/model/AuthBackendTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/AuthBackendTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -18,8 +18,8 @@ package de.stklcode.jvault.connector.model;

 import org.junit.jupiter.api.Test;

-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.is;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+

 /**
 * JUnit Test for AuthBackend model.
@ -34,12 +34,10 @@ class AuthBackendTest {
     */
    @Test
    void forTypeTest() {
-        assertThat(AuthBackend.forType("token"), is(AuthBackend.TOKEN));
-        assertThat(AuthBackend.forType("app-id"), is(AuthBackend.APPID));
-        assertThat(AuthBackend.forType("userpass"), is(AuthBackend.USERPASS));
-        assertThat(AuthBackend.forType("github"), is(AuthBackend.GITHUB));
-        assertThat(AuthBackend.forType(""), is(AuthBackend.UNKNOWN));
-        assertThat(AuthBackend.forType("foobar"), is(AuthBackend.UNKNOWN));
+        assertEquals(AuthBackend.TOKEN, AuthBackend.forType("token"));
+        assertEquals(AuthBackend.USERPASS, AuthBackend.forType("userpass"));
+        assertEquals(AuthBackend.GITHUB, AuthBackend.forType("github"));
+        assertEquals(AuthBackend.UNKNOWN, AuthBackend.forType(""));
+        assertEquals(AuthBackend.UNKNOWN, AuthBackend.forType("foobar"));
    }
-
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/TokenBuilderTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/TokenBuilderTest.java
@ -1,276 +0,0 @@
-/*
- * Copyright 2016-2021 Stefan Kalscheuer
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package de.stklcode.jvault.connector.model;
-
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import org.junit.jupiter.api.BeforeAll;
-import org.junit.jupiter.api.Test;
-
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.*;
-
-/**
- * JUnit Test for Token Builder.
- *
- * @author Stefan Kalscheuer
- * @since 0.4.0
- */
-class TokenBuilderTest {
-    private static final String ID = "test-id";
-    private static final String DISPLAY_NAME = "display-name";
-    private static final Boolean NO_PARENT = false;
-    private static final Boolean NO_DEFAULT_POLICY = false;
-    private static final Integer TTL = 123;
-    private static final Integer EXPLICIT_MAX_TTL = 456;
-    private static final Integer NUM_USES = 4;
-    private static final List<String> POLICIES = new ArrayList<>();
-    private static final String POLICY = "policy";
-    private static final String POLICY_2 = "policy2";
-    private static final String POLICY_3 = "policy3";
-    private static final Map<String, String> META = new HashMap<>();
-    private static final String META_KEY = "key";
-    private static final String META_VALUE = "value";
-    private static final String META_KEY_2 = "key2";
-    private static final String META_VALUE_2 = "value2";
-    private static final Boolean RENEWABLE = true;
-    private static final Integer PERIOD = 3600;
-    private static final String ENTITY_ALIAS = "alias-value";
-    private static final String LEGACY_JSON_FULL = "{\"id\":\"test-id\",\"type\":\"service\",\"display_name\":\"display-name\",\"no_parent\":false,\"no_default_policy\":false,\"ttl\":123,\"num_uses\":4,\"policies\":[\"policy\"],\"meta\":{\"key\":\"value\"},\"renewable\":true}";
-    private static final String JSON_FULL = "{\"id\":\"test-id\",\"type\":\"service\",\"display_name\":\"display-name\",\"no_parent\":false,\"no_default_policy\":false,\"ttl\":123,\"explicit_max_ttl\":456,\"num_uses\":4,\"policies\":[\"policy\"],\"meta\":{\"key\":\"value\"},\"renewable\":true,\"period\":3600,\"entity_alias\":\"alias-value\"}";
-
-    @BeforeAll
-    static void init() {
-        POLICIES.add(POLICY);
-        META.put(META_KEY, META_VALUE);
-    }
-
-    /**
-     * Build token without any parameters.
-     */
-    @Test
-    void buildDefaultTest() throws JsonProcessingException {
-        Token token = Token.builder().build();
-        assertThat(token.getId(), is(nullValue()));
-        assertThat(token.getType(), is(nullValue()));
-        assertThat(token.getDisplayName(), is(nullValue()));
-        assertThat(token.getNoParent(), is(nullValue()));
-        assertThat(token.getNoDefaultPolicy(), is(nullValue()));
-        assertThat(token.getTtl(), is(nullValue()));
-        assertThat(token.getExplicitMaxTtl(), is(nullValue()));
-        assertThat(token.getNumUses(), is(nullValue()));
-        assertThat(token.getPolicies(), is(nullValue()));
-        assertThat(token.getMeta(), is(nullValue()));
-        assertThat(token.isRenewable(), is(nullValue()));
-        assertThat(token.getPeriod(), is(nullValue()));
-        assertThat(token.getEntityAlias(), is(nullValue()));
-
-        /* optional fields should be ignored, so JSON string should be empty */
-        assertThat(new ObjectMapper().writeValueAsString(token), is("{}"));
-    }
-
-    /**
-     * Build token without any parameters.
-     */
-    @Test
-    void legacyBuildDefaultTest() throws JsonProcessingException {
-        Token token = new TokenBuilder().build();
-        assertThat(token.getId(), is(nullValue()));
-        assertThat(token.getType(), is(nullValue()));
-        assertThat(token.getDisplayName(), is(nullValue()));
-        assertThat(token.getNoParent(), is(nullValue()));
-        assertThat(token.getNoDefaultPolicy(), is(nullValue()));
-        assertThat(token.getTtl(), is(nullValue()));
-        assertThat(token.getNumUses(), is(nullValue()));
-        assertThat(token.getPolicies(), is(nullValue()));
-        assertThat(token.getMeta(), is(nullValue()));
-        assertThat(token.isRenewable(), is(nullValue()));
-
-        /* optional fields should be ignored, so JSON string should be empty */
-        assertThat(new ObjectMapper().writeValueAsString(token), is("{}"));
-    }
-
-    /**
-     * Build token without all parameters set.
-     */
-    @Test
-    void buildFullTest() throws JsonProcessingException {
-        Token token = Token.builder()
-                .withId(ID)
-                .withType(Token.Type.SERVICE)
-                .withDisplayName(DISPLAY_NAME)
-                .withNoParent(NO_PARENT)
-                .withNoDefaultPolicy(NO_DEFAULT_POLICY)
-                .withTtl(TTL)
-                .withExplicitMaxTtl(EXPLICIT_MAX_TTL)
-                .withNumUses(NUM_USES)
-                .withPolicies(POLICIES)
-                .withMeta(META)
-                .withRenewable(RENEWABLE)
-                .withPeriod(PERIOD)
-                .withEntityAlias(ENTITY_ALIAS)
-                .build();
-        assertThat(token.getId(), is(ID));
-        assertThat(token.getType(), is(Token.Type.SERVICE.value()));
-        assertThat(token.getDisplayName(), is(DISPLAY_NAME));
-        assertThat(token.getNoParent(), is(NO_PARENT));
-        assertThat(token.getNoDefaultPolicy(), is(NO_DEFAULT_POLICY));
-        assertThat(token.getTtl(), is(TTL));
-        assertThat(token.getExplicitMaxTtl(), is(EXPLICIT_MAX_TTL));
-        assertThat(token.getNumUses(), is(NUM_USES));
-        assertThat(token.getPolicies(), is(POLICIES));
-        assertThat(token.getMeta(), is(META));
-        assertThat(token.isRenewable(), is(RENEWABLE));
-        assertThat(token.getPeriod(), is(PERIOD));
-
-        /* Verify that all parameters are included in JSON string */
-        assertThat(new ObjectMapper().writeValueAsString(token), is(JSON_FULL));
-    }
-
-    /**
-     * Build token without all parameters set.
-     */
-    @Test
-    void legacyBuildFullTest() throws JsonProcessingException {
-        Token token = new TokenBuilder()
-                .withId(ID)
-                .withType(Token.Type.SERVICE)
-                .withDisplayName(DISPLAY_NAME)
-                .withNoParent(NO_PARENT)
-                .withNoDefaultPolicy(NO_DEFAULT_POLICY)
-                .withTtl(TTL)
-                .withNumUses(NUM_USES)
-                .withPolicies(POLICIES)
-                .withMeta(META)
-                .withRenewable(RENEWABLE)
-                .build();
-        assertThat(token.getId(), is(ID));
-        assertThat(token.getType(), is(Token.Type.SERVICE.value()));
-        assertThat(token.getDisplayName(), is(DISPLAY_NAME));
-        assertThat(token.getNoParent(), is(NO_PARENT));
-        assertThat(token.getNoDefaultPolicy(), is(NO_DEFAULT_POLICY));
-        assertThat(token.getTtl(), is(TTL));
-        assertThat(token.getNumUses(), is(NUM_USES));
-        assertThat(token.getPolicies(), is(POLICIES));
-        assertThat(token.getMeta(), is(META));
-        assertThat(token.isRenewable(), is(RENEWABLE));
-
-        /* Verify that all parameters are included in JSON string */
-        assertThat(new ObjectMapper().writeValueAsString(token), is(LEGACY_JSON_FULL));
-    }
-
-    /**
-     * Test convenience methods
-     */
-    @Test
-    void convenienceMethodsTest() {
-        /* Parent */
-        Token token = Token.builder().asOrphan().build();
-        assertThat(token.getNoParent(), is(true));
-        token = Token.builder().withParent().build();
-        assertThat(token.getNoParent(), is(false));
-
-        /* Default policy */
-        token = Token.builder().withDefaultPolicy().build();
-        assertThat(token.getNoDefaultPolicy(), is(false));
-        token = Token.builder().withoutDefaultPolicy().build();
-        assertThat(token.getNoDefaultPolicy(), is(true));
-
-        /* Renewability */
-        token = Token.builder().renewable().build();
-        assertThat(token.isRenewable(), is(true));
-        token = Token.builder().notRenewable().build();
-        assertThat(token.isRenewable(), is(false));
-
-        /* Add single policy */
-        token = Token.builder().withPolicy(POLICY_2).build();
-        assertThat(token.getPolicies(), hasSize(1));
-        assertThat(token.getPolicies(), contains(POLICY_2));
-        token = Token.builder()
-                .withPolicies(POLICY, POLICY_2)
-                .withPolicy(POLICY_3)
-                .build();
-        assertThat(token.getPolicies(), hasSize(3));
-        assertThat(token.getPolicies(), contains(POLICY, POLICY_2, POLICY_3));
-
-        /* Add single metadata */
-        token = Token.builder().withMeta(META_KEY_2, META_VALUE_2).build();
-        assertThat(token.getMeta().size(), is(1));
-        assertThat(token.getMeta().keySet(), contains(META_KEY_2));
-        assertThat(token.getMeta().get(META_KEY_2), is(META_VALUE_2));
-        token = Token.builder()
-                .withMeta(META)
-                .withMeta(META_KEY_2, META_VALUE_2)
-                .build();
-        assertThat(token.getMeta().size(), is(2));
-        assertThat(token.getMeta().get(META_KEY), is(META_VALUE));
-        assertThat(token.getMeta().get(META_KEY_2), is(META_VALUE_2));
-    }
-
-    /**
-     * Test convenience methods
-     */
-    @Test
-    void legacyConvenienceMethodsTest() {
-        /* Parent */
-        Token token = new TokenBuilder().asOrphan().build();
-        assertThat(token.getNoParent(), is(true));
-        token = new TokenBuilder().withParent().build();
-        assertThat(token.getNoParent(), is(false));
-
-        /* Default policy */
-        token = new TokenBuilder().withDefaultPolicy().build();
-        assertThat(token.getNoDefaultPolicy(), is(false));
-        token = new TokenBuilder().withoutDefaultPolicy().build();
-        assertThat(token.getNoDefaultPolicy(), is(true));
-
-        /* Renewability */
-        token = new TokenBuilder().renewable().build();
-        assertThat(token.isRenewable(), is(true));
-        token = new TokenBuilder().notRenewable().build();
-        assertThat(token.isRenewable(), is(false));
-
-        /* Add single policy */
-        token = new TokenBuilder().withPolicy(POLICY_2).build();
-        assertThat(token.getPolicies(), hasSize(1));
-        assertThat(token.getPolicies(), contains(POLICY_2));
-        token = new TokenBuilder()
-                .withPolicies(POLICY, POLICY_2)
-                .withPolicy(POLICY_3)
-                .build();
-        assertThat(token.getPolicies(), hasSize(3));
-        assertThat(token.getPolicies(), contains(POLICY, POLICY_2, POLICY_3));
-
-        /* Add single metadata */
-        token = new TokenBuilder().withMeta(META_KEY_2, META_VALUE_2).build();
-        assertThat(token.getMeta().size(), is(1));
-        assertThat(token.getMeta().keySet(), contains(META_KEY_2));
-        assertThat(token.getMeta().get(META_KEY_2), is(META_VALUE_2));
-        token = new TokenBuilder()
-                .withMeta(META)
-                .withMeta(META_KEY_2, META_VALUE_2)
-                .build();
-        assertThat(token.getMeta().size(), is(2));
-        assertThat(token.getMeta().get(META_KEY), is(META_VALUE));
-        assertThat(token.getMeta().get(META_KEY_2), is(META_VALUE_2));
-    }
-}
--- a/src/test/java/de/stklcode/jvault/connector/model/TokenRoleBuilderTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/TokenRoleBuilderTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,31 +17,37 @@
 package de.stklcode.jvault.connector.model;

 import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.ObjectMapper;
 import org.junit.jupiter.api.Test;

 import java.util.Arrays;
 import java.util.List;

-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.*;
+import static org.junit.jupiter.api.Assertions.*;

 /**
- * Unit Test for {@link Token.Builder}
+ * Unit Test for {@link TokenRole} and {@link TokenRole.Builder}.
 *
 * @author Stefan Kalscheuer
 * @since 0.9
 */
-class TokenRoleBuilderTest {
+class TokenRoleTest extends AbstractModelTest<TokenRole> {
    private static final String NAME = "test-role";
    private static final String ALLOWED_POLICY_1 = "apol-1";
    private static final String ALLOWED_POLICY_2 = "apol-2";
    private static final String ALLOWED_POLICY_3 = "apol-3";
    private static final List<String> ALLOWED_POLICIES = Arrays.asList(ALLOWED_POLICY_1, ALLOWED_POLICY_2);
+    private static final String ALLOWED_POLICY_GLOB_1 = "apol-g1*";
+    private static final String ALLOWED_POLICY_GLOB_2 = "apol-g2*";
+    private static final String ALLOWED_POLICY_GLOB_3 = "apol-g3*";
+    private static final List<String> ALLOWED_POLICIES_GLOB = Arrays.asList(ALLOWED_POLICY_GLOB_2, ALLOWED_POLICY_GLOB_3);
    private static final String DISALLOWED_POLICY_1 = "dpol-1";
    private static final String DISALLOWED_POLICY_2 = "dpol-2";
    private static final String DISALLOWED_POLICY_3 = "dpol-3";
    private static final List<String> DISALLOWED_POLICIES = Arrays.asList(DISALLOWED_POLICY_2, DISALLOWED_POLICY_3);
+    private static final String DISALLOWED_POLICY_GLOB_1 = "dpol-g1*";
+    private static final String DISALLOWED_POLICY_GLOB_2 = "dpol-g2*";
+    private static final String DISALLOWED_POLICY_GLOB_3 = "dpol-g3*";
+    private static final List<String> DISALLOWED_POLICIES_GLOB = Arrays.asList(DISALLOWED_POLICY_GLOB_1, DISALLOWED_POLICY_GLOB_2);
    private static final Boolean ORPHAN = false;
    private static final Boolean RENEWABLE = true;
    private static final String PATH_SUFFIX = "ps";
@ -62,7 +68,9 @@ class TokenRoleBuilderTest {
    private static final String JSON_FULL = "{" +
            "\"name\":\"" + NAME + "\"," +
            "\"allowed_policies\":[\"" + ALLOWED_POLICY_1 + "\",\"" + ALLOWED_POLICY_2 + "\",\"" + ALLOWED_POLICY_3 + "\"]," +
+            "\"allowed_policies_glob\":[\"" + ALLOWED_POLICY_GLOB_1 + "\",\"" + ALLOWED_POLICY_GLOB_2 + "\",\"" + ALLOWED_POLICY_GLOB_3 + "\"]," +
            "\"disallowed_policies\":[\"" + DISALLOWED_POLICY_1 + "\",\"" + DISALLOWED_POLICY_2 + "\",\"" + DISALLOWED_POLICY_3 + "\"]," +
+            "\"disallowed_policies_glob\":[\"" + DISALLOWED_POLICY_GLOB_1 + "\",\"" + DISALLOWED_POLICY_GLOB_2 + "\",\"" + DISALLOWED_POLICY_GLOB_3 + "\"]," +
            "\"orphan\":" + ORPHAN + "," +
            "\"renewable\":" + RENEWABLE + "," +
            "\"path_suffix\":\"" + PATH_SUFFIX + "\"," +
@ -74,26 +82,57 @@ class TokenRoleBuilderTest {
            "\"token_period\":" + TOKEN_PERIOD + "," +
            "\"token_type\":\"" + TOKEN_TYPE.value() + "\"}";

+    TokenRoleTest() {
+        super(TokenRole.class);
+    }
+
+    @Override
+    protected TokenRole createFull() {
+        return TokenRole.builder()
+                .forName(NAME)
+                .withAllowedPolicies(ALLOWED_POLICIES)
+                .withAllowedPolicy(ALLOWED_POLICY_3)
+                .withAllowedPolicyGlob(ALLOWED_POLICY_GLOB_1)
+                .withAllowedPoliciesGlob(ALLOWED_POLICIES_GLOB)
+                .withDisallowedPolicy(DISALLOWED_POLICY_1)
+                .withDisallowedPolicies(DISALLOWED_POLICIES)
+                .withDisallowedPoliciesGlob(DISALLOWED_POLICIES_GLOB)
+                .withDisallowedPolicyGlob(DISALLOWED_POLICY_GLOB_3)
+                .orphan(ORPHAN)
+                .renewable(RENEWABLE)
+                .withPathSuffix(PATH_SUFFIX)
+                .withAllowedEntityAliases(ALLOWED_ENTITY_ALIASES)
+                .withAllowedEntityAlias(ALLOWED_ENTITY_ALIAS_2)
+                .withTokenBoundCidr(TOKEN_BOUND_CIDR_3)
+                .withTokenBoundCidrs(TOKEN_BOUND_CIDRS)
+                .withTokenExplicitMaxTtl(TOKEN_EXPLICIT_MAX_TTL)
+                .withTokenNoDefaultPolicy(TOKEN_NO_DEFAULT_POLICY)
+                .withTokenNumUses(TOKEN_NUM_USES)
+                .withTokenPeriod(TOKEN_PERIOD)
+                .withTokenType(TOKEN_TYPE)
+                .build();
+    }
+
    /**
     * Build token without any parameters.
     */
    @Test
    void buildDefaultTest() throws JsonProcessingException {
        TokenRole role = TokenRole.builder().build();
-        assertThat(role.getAllowedPolicies(), is(nullValue()));
-        assertThat(role.getDisallowedPolicies(), is(nullValue()));
-        assertThat(role.getOrphan(), is(nullValue()));
-        assertThat(role.getRenewable(), is(nullValue()));
-        assertThat(role.getAllowedEntityAliases(), is(nullValue()));
-        assertThat(role.getTokenBoundCidrs(), is(nullValue()));
-        assertThat(role.getTokenExplicitMaxTtl(), is(nullValue()));
-        assertThat(role.getTokenNoDefaultPolicy(), is(nullValue()));
-        assertThat(role.getTokenNumUses(), is(nullValue()));
-        assertThat(role.getTokenPeriod(), is(nullValue()));
-        assertThat(role.getTokenType(), is(nullValue()));
+        assertNull(role.getAllowedPolicies());
+        assertNull(role.getDisallowedPolicies());
+        assertNull(role.getOrphan());
+        assertNull(role.getRenewable());
+        assertNull(role.getAllowedEntityAliases());
+        assertNull(role.getTokenBoundCidrs());
+        assertNull(role.getTokenExplicitMaxTtl());
+        assertNull(role.getTokenNoDefaultPolicy());
+        assertNull(role.getTokenNumUses());
+        assertNull(role.getTokenPeriod());
+        assertNull(role.getTokenType());

-        /* optional fields should be ignored, so JSON string should be empty */
-        assertThat(new ObjectMapper().writeValueAsString(role), is("{}"));
+        // Optional fields should be ignored, so JSON string should be empty.
+        assertEquals("{}", objectMapper.writeValueAsString(role));
    }

    /**
@ -121,20 +160,23 @@ class TokenRoleBuilderTest {
                .withTokenType(null)
                .build();

-        assertThat(role.getAllowedPolicies(), is(nullValue()));
-        assertThat(role.getDisallowedPolicies(), is(nullValue()));
-        assertThat(role.getOrphan(), is(nullValue()));
-        assertThat(role.getRenewable(), is(nullValue()));
-        assertThat(role.getAllowedEntityAliases(), is(nullValue()));
-        assertThat(role.getTokenBoundCidrs(), is(nullValue()));
-        assertThat(role.getTokenExplicitMaxTtl(), is(nullValue()));
-        assertThat(role.getTokenNoDefaultPolicy(), is(nullValue()));
-        assertThat(role.getTokenNumUses(), is(nullValue()));
-        assertThat(role.getTokenPeriod(), is(nullValue()));
-        assertThat(role.getTokenType(), is(nullValue()));
+        assertNull(role.getAllowedPolicies());
+        assertNull(role.getDisallowedPolicies());
+        assertNull(role.getOrphan());
+        assertNull(role.getRenewable());
+        assertNull(role.getAllowedEntityAliases());
+        assertNull(role.getTokenBoundCidrs());
+        assertNull(role.getTokenExplicitMaxTtl());
+        assertNull(role.getTokenNoDefaultPolicy());
+        assertNull(role.getTokenNumUses());
+        assertNull(role.getTokenPeriod());
+        assertNull(role.getTokenType());

-        /* optional fields should be ignored, so JSON string should be empty */
-        assertThat(new ObjectMapper().writeValueAsString(role), is("{}"));
+        // Empty builder should be equal to no-arg construction.
+        assertEquals(new TokenRole(), role);
+
+        // Optional fields should be ignored, so JSON string should be empty.
+        assertEquals("{}", objectMapper.writeValueAsString(role));
    }

    /**
@ -142,43 +184,29 @@ class TokenRoleBuilderTest {
     */
    @Test
    void buildFullTest() throws JsonProcessingException {
-        TokenRole role = TokenRole.builder()
-                .forName(NAME)
-                .withAllowedPolicies(ALLOWED_POLICIES)
-                .withAllowedPolicy(ALLOWED_POLICY_3)
-                .withDisallowedPolicy(DISALLOWED_POLICY_1)
-                .withDisallowedPolicies(DISALLOWED_POLICIES)
-                .orphan(ORPHAN)
-                .renewable(RENEWABLE)
-                .withPathSuffix(PATH_SUFFIX)
-                .withAllowedEntityAliases(ALLOWED_ENTITY_ALIASES)
-                .withAllowedEntityAlias(ALLOWED_ENTITY_ALIAS_2)
-                .withTokenBoundCidr(TOKEN_BOUND_CIDR_3)
-                .withTokenBoundCidrs(TOKEN_BOUND_CIDRS)
-                .withTokenExplicitMaxTtl(TOKEN_EXPLICIT_MAX_TTL)
-                .withTokenNoDefaultPolicy(TOKEN_NO_DEFAULT_POLICY)
-                .withTokenNumUses(TOKEN_NUM_USES)
-                .withTokenPeriod(TOKEN_PERIOD)
-                .withTokenType(TOKEN_TYPE)
-                .build();
-        assertThat(role.getName(), is(NAME));
-        assertThat(role.getAllowedPolicies(), hasSize(ALLOWED_POLICIES.size() + 1));
-        assertThat(role.getAllowedPolicies(), containsInAnyOrder(ALLOWED_POLICY_1, ALLOWED_POLICY_2, ALLOWED_POLICY_3));
-        assertThat(role.getDisallowedPolicies(), hasSize(DISALLOWED_POLICIES.size() + 1));
-        assertThat(role.getDisallowedPolicies(), containsInAnyOrder(DISALLOWED_POLICY_1, DISALLOWED_POLICY_2, DISALLOWED_POLICY_3));
-        assertThat(role.getOrphan(), is(ORPHAN));
-        assertThat(role.getRenewable(), is(RENEWABLE));
-        assertThat(role.getPathSuffix(), is(PATH_SUFFIX));
-        assertThat(role.getAllowedEntityAliases(), hasSize(ALLOWED_ENTITY_ALIASES.size() + 1));
-        assertThat(role.getAllowedEntityAliases(), containsInAnyOrder(ALLOWED_ENTITY_ALIAS_1, ALLOWED_ENTITY_ALIAS_2, ALLOWED_ENTITY_ALIAS_3));
-        assertThat(role.getTokenBoundCidrs(), hasSize(TOKEN_BOUND_CIDRS.size() + 1));
-        assertThat(role.getTokenBoundCidrs(), containsInAnyOrder(TOKEN_BOUND_CIDR_1, TOKEN_BOUND_CIDR_2, TOKEN_BOUND_CIDR_3));
-        assertThat(role.getTokenNoDefaultPolicy(), is(TOKEN_NO_DEFAULT_POLICY));
-        assertThat(role.getTokenNumUses(), is(TOKEN_NUM_USES));
-        assertThat(role.getTokenPeriod(), is(TOKEN_PERIOD));
-        assertThat(role.getTokenType(), is(TOKEN_TYPE.value()));
+        TokenRole role = createFull();
+        assertEquals(NAME, role.getName());
+        assertEquals(ALLOWED_POLICIES.size() + 1, role.getAllowedPolicies().size());
+        assertTrue(role.getAllowedPolicies().containsAll(List.of(ALLOWED_POLICY_1, ALLOWED_POLICY_2, ALLOWED_POLICY_3)));
+        assertEquals(ALLOWED_POLICIES_GLOB.size() + 1, role.getAllowedPoliciesGlob().size());
+        assertTrue(role.getAllowedPoliciesGlob().containsAll(List.of(ALLOWED_POLICY_GLOB_1, ALLOWED_POLICY_GLOB_2, ALLOWED_POLICY_GLOB_3)));
+        assertEquals(DISALLOWED_POLICIES.size() + 1, role.getDisallowedPolicies().size());
+        assertTrue(role.getDisallowedPolicies().containsAll(List.of(DISALLOWED_POLICY_1, DISALLOWED_POLICY_2, DISALLOWED_POLICY_3)));
+        assertEquals(DISALLOWED_POLICIES_GLOB.size() + 1, role.getDisallowedPoliciesGlob().size());
+        assertTrue(role.getDisallowedPoliciesGlob().containsAll(List.of(DISALLOWED_POLICY_GLOB_1, DISALLOWED_POLICY_GLOB_2, DISALLOWED_POLICY_GLOB_3)));
+        assertEquals(ORPHAN, role.getOrphan());
+        assertEquals(RENEWABLE, role.getRenewable());
+        assertEquals(PATH_SUFFIX, role.getPathSuffix());
+        assertEquals(ALLOWED_ENTITY_ALIASES.size() + 1, role.getAllowedEntityAliases().size());
+        assertTrue(role.getAllowedEntityAliases().containsAll(List.of(ALLOWED_ENTITY_ALIAS_1, ALLOWED_ENTITY_ALIAS_2, ALLOWED_ENTITY_ALIAS_3)));
+        assertEquals(TOKEN_BOUND_CIDRS.size() + 1, role.getTokenBoundCidrs().size());
+        assertTrue(role.getTokenBoundCidrs().containsAll(List.of(TOKEN_BOUND_CIDR_1, TOKEN_BOUND_CIDR_2, TOKEN_BOUND_CIDR_3)));
+        assertEquals(TOKEN_NO_DEFAULT_POLICY, role.getTokenNoDefaultPolicy());
+        assertEquals(TOKEN_NUM_USES, role.getTokenNumUses());
+        assertEquals(TOKEN_PERIOD, role.getTokenPeriod());
+        assertEquals(TOKEN_TYPE.value(), role.getTokenType());

-        /* Verify that all parameters are included in JSON string */
-        assertThat(new ObjectMapper().writeValueAsString(role), is(JSON_FULL));
+        // Verify that all parameters are included in JSON string.
+        assertEquals(JSON_FULL, objectMapper.writeValueAsString(role));
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/TokenTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/TokenTest.java
@ -0,0 +1,181 @@
+/*
+ * Copyright 2016-2025 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+
+import java.util.*;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * JUnit Test for {@link Token} and {@link Token.Builder}.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.4.0
+ */
+class TokenTest extends AbstractModelTest<Token> {
+    private static final String ID = "test-id";
+    private static final String DISPLAY_NAME = "display-name";
+    private static final Boolean NO_PARENT = false;
+    private static final Boolean NO_DEFAULT_POLICY = false;
+    private static final Integer TTL = 123;
+    private static final Integer EXPLICIT_MAX_TTL = 456;
+    private static final Integer NUM_USES = 4;
+    private static final List<String> POLICIES = new ArrayList<>();
+    private static final String POLICY = "policy";
+    private static final String POLICY_2 = "policy2";
+    private static final String POLICY_3 = "policy3";
+    private static final Map<String, String> META = new HashMap<>();
+    private static final String META_KEY = "key";
+    private static final String META_VALUE = "value";
+    private static final String META_KEY_2 = "key2";
+    private static final String META_VALUE_2 = "value2";
+    private static final Boolean RENEWABLE = true;
+    private static final Integer PERIOD = 3600;
+    private static final String ENTITY_ALIAS = "alias-value";
+    private static final String JSON_FULL = "{\"id\":\"test-id\",\"type\":\"service\",\"display_name\":\"display-name\",\"no_parent\":false,\"no_default_policy\":false,\"ttl\":123,\"explicit_max_ttl\":456,\"num_uses\":4,\"policies\":[\"policy\"],\"meta\":{\"key\":\"value\"},\"renewable\":true,\"period\":3600,\"entity_alias\":\"alias-value\"}";
+
+    TokenTest() {
+        super(Token.class);
+    }
+
+    @Override
+    protected Token createFull() {
+        return Token.builder()
+                .withId(ID)
+                .withType(Token.Type.SERVICE)
+                .withDisplayName(DISPLAY_NAME)
+                .withNoParent(NO_PARENT)
+                .withNoDefaultPolicy(NO_DEFAULT_POLICY)
+                .withTtl(TTL)
+                .withExplicitMaxTtl(EXPLICIT_MAX_TTL)
+                .withNumUses(NUM_USES)
+                .withPolicies(POLICIES)
+                .withMeta(META)
+                .withRenewable(RENEWABLE)
+                .withPeriod(PERIOD)
+                .withEntityAlias(ENTITY_ALIAS)
+                .build();
+    }
+
+    @BeforeAll
+    static void init() {
+        POLICIES.add(POLICY);
+        META.put(META_KEY, META_VALUE);
+    }
+
+    /**
+     * Build token without any parameters.
+     */
+    @Test
+    void buildDefaultTest() throws JsonProcessingException {
+        Token token = Token.builder().build();
+        assertNull(token.getId());
+        assertNull(token.getType());
+        assertNull(token.getDisplayName());
+        assertNull(token.getNoParent());
+        assertNull(token.getNoDefaultPolicy());
+        assertNull(token.getTtl());
+        assertNull(token.getExplicitMaxTtl());
+        assertNull(token.getNumUses());
+        assertNull(token.getPolicies());
+        assertNull(token.getMeta());
+        assertNull(token.isRenewable());
+        assertNull(token.getPeriod());
+        assertNull(token.getEntityAlias());
+
+        // Optional fields should be ignored, so JSON string should be empty.
+        assertEquals("{}", objectMapper.writeValueAsString(token));
+
+        // Empty builder should be equal to no-arg construction.
+        assertEquals(new Token(), token);
+    }
+
+    /**
+     * Build token without all parameters set.
+     */
+    @Test
+    void buildFullTest() throws JsonProcessingException {
+        Token token = createFull();
+        assertEquals(ID, token.getId());
+        assertEquals(Token.Type.SERVICE.value(), token.getType());
+        assertEquals(DISPLAY_NAME, token.getDisplayName());
+        assertEquals(NO_PARENT, token.getNoParent());
+        assertEquals(NO_DEFAULT_POLICY, token.getNoDefaultPolicy());
+        assertEquals(TTL, token.getTtl());
+        assertEquals(EXPLICIT_MAX_TTL, token.getExplicitMaxTtl());
+        assertEquals(NUM_USES, token.getNumUses());
+        assertEquals(POLICIES, token.getPolicies());
+        assertEquals(META, token.getMeta());
+        assertEquals(RENEWABLE, token.isRenewable());
+        assertEquals(PERIOD, token.getPeriod());
+
+        // Verify that all parameters are included in JSON string.
+        assertEquals(JSON_FULL, objectMapper.writeValueAsString(token));
+    }
+
+    /**
+     * Test convenience methods
+     */
+    @Test
+    void convenienceMethodsTest() {
+        // Parent.
+        Token token = Token.builder().asOrphan().build();
+        assertEquals(true, token.getNoParent());
+        token = Token.builder().withParent().build();
+        assertEquals(false, token.getNoParent());
+
+        // Default policy.
+        token = Token.builder().withDefaultPolicy().build();
+        assertEquals(false, token.getNoDefaultPolicy());
+        token = Token.builder().withoutDefaultPolicy().build();
+        assertEquals(true, token.getNoDefaultPolicy());
+
+        // Renewability.
+        token = Token.builder().renewable().build();
+        assertEquals(true, token.isRenewable());
+        token = Token.builder().notRenewable().build();
+        assertEquals(false, token.isRenewable());
+
+        // Add single policy.
+        token = Token.builder().withPolicy(POLICY_2).build();
+        assertEquals(1, token.getPolicies().size());
+        assertEquals(List.of(POLICY_2), token.getPolicies());
+        token = Token.builder()
+                .withPolicies(POLICY, POLICY_2)
+                .withPolicy(POLICY_3)
+                .build();
+        assertEquals(3, token.getPolicies().size());
+        assertTrue(token.getPolicies().containsAll(List.of(POLICY, POLICY_2, POLICY_3)));
+
+        // Add single metadata.
+        token = Token.builder().withMeta(META_KEY_2, META_VALUE_2).build();
+        assertEquals(1, token.getMeta().size());
+        assertEquals(Set.of(META_KEY_2), token.getMeta().keySet());
+        assertEquals(META_VALUE_2, token.getMeta().get(META_KEY_2));
+        token = Token.builder()
+                .withMeta(META)
+                .withMeta(META_KEY_2, META_VALUE_2)
+                .build();
+        assertEquals(2, token.getMeta().size());
+        assertEquals(META_VALUE, token.getMeta().get(META_KEY));
+        assertEquals(META_VALUE_2, token.getMeta().get(META_KEY_2));
+    }
+}
--- a/src/test/java/de/stklcode/jvault/connector/model/response/AppRoleResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/AppRoleResponseTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,18 +16,14 @@

 package de.stklcode.jvault.connector.model.response;

-import com.fasterxml.jackson.databind.ObjectMapper;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import de.stklcode.jvault.connector.model.AbstractModelTest;
 import de.stklcode.jvault.connector.model.AppRole;
 import org.junit.jupiter.api.Test;

-import java.util.HashMap;
-import java.util.Map;
+import java.util.List;

-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.*;
-import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
-import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.*;

 /**
 * JUnit Test for {@link AppRoleResponse} model.
@ -35,7 +31,7 @@ import static org.junit.jupiter.api.Assertions.assertThrows;
 * @author Stefan Kalscheuer
 * @since 0.6.2
 */
-class AppRoleResponseTest {
+class AppRoleResponseTest extends AbstractModelTest<AppRoleResponse> {
    private static final Integer ROLE_TOKEN_TTL = 1200;
    private static final Integer ROLE_TOKEN_MAX_TTL = 1800;
    private static final Integer ROLE_SECRET_TTL = 600;
@ -65,10 +61,18 @@ class AppRoleResponseTest {
            "  \"lease_id\": \"\"\n" +
            "}";

-    private static final Map<String, Object> INVALID_DATA = new HashMap<>();
+    AppRoleResponseTest() {
+        super(AppRoleResponse.class);
+    }

-    static {
-        INVALID_DATA.put("token_policies", "fancy-policy");
+    @Override
+    protected AppRoleResponse createFull() {
+        try {
+            return objectMapper.readValue(RES_JSON, AppRoleResponse.class);
+        } catch (JsonProcessingException e) {
+            fail("Creation of full model instance failed", e);
+            return null;
+        }
    }

    /**
@ -78,14 +82,7 @@ class AppRoleResponseTest {
    void getDataRoundtrip() {
        // Create empty Object.
        AppRoleResponse res = new AppRoleResponse();
-        assertThat("Initial data should be empty", res.getRole(), is(nullValue()));
-
-        // Parsing invalid auth data map should fail.
-        assertThrows(
-                InvalidResponseException.class,
-                () -> res.setData(INVALID_DATA),
-                "Parsing invalid data succeeded"
-        );
+        assertNull(res.getRole(), "Initial data should be empty");
    }

    /**
@ -94,25 +91,21 @@ class AppRoleResponseTest {
    @Test
    void jsonRoundtrip() {
        AppRoleResponse res = assertDoesNotThrow(
-                () -> new ObjectMapper().readValue(RES_JSON, AppRoleResponse.class),
-                "AuthResponse deserialization failed."
+                () -> objectMapper.readValue(RES_JSON, AppRoleResponse.class),
+                "AuthResponse deserialization failed"
        );
-        assertThat("Parsed response is NULL", res, is(notNullValue()));
+        assertNotNull(res, "Parsed response is NULL");
        // Extract role data.
        AppRole role = res.getRole();
-        assertThat("Role data is NULL", role, is(notNullValue()));
-        assertThat("Incorrect token TTL", role.getTokenTtl(), is(ROLE_TOKEN_TTL));
-        assertThat("Incorrect token max TTL", role.getTokenMaxTtl(), is(ROLE_TOKEN_MAX_TTL));
-        assertThat("Incorrect secret ID TTL", role.getSecretIdTtl(), is(ROLE_SECRET_TTL));
-        assertThat("Incorrect secret ID umber of uses", role.getSecretIdNumUses(), is(ROLE_SECRET_NUM_USES));
-        assertThat("Incorrect number of policies", role.getTokenPolicies(), hasSize(1));
-        assertThat("Incorrect role policies", role.getTokenPolicies(), contains(ROLE_POLICY));
-        assertThat("Incorrect number of policies", role.getPolicies(), hasSize(1));
-        assertThat("Incorrect role policies", role.getPolicies(), contains(ROLE_POLICY));
-        assertThat("Incorrect role period", role.getTokenPeriod(), is(ROLE_PERIOD));
-        assertThat("Incorrect role period", role.getPeriod(), is(ROLE_PERIOD));
-        assertThat("Incorrect role bind secret ID flag", role.getBindSecretId(), is(ROLE_BIND_SECRET));
-        assertThat("Incorrect bound CIDR list", role.getTokenBoundCidrs(), is(nullValue()));
-        assertThat("Incorrect bound CIDR list string", role.getTokenBoundCidrsString(), is(emptyString()));
+        assertNotNull(role, "Role data is NULL");
+        assertEquals(ROLE_TOKEN_TTL, role.getTokenTtl(), "Incorrect token TTL");
+        assertEquals(ROLE_TOKEN_MAX_TTL, role.getTokenMaxTtl(), "Incorrect token max TTL");
+        assertEquals(ROLE_SECRET_TTL, role.getSecretIdTtl(), "Incorrect secret ID TTL");
+        assertEquals(ROLE_SECRET_NUM_USES, role.getSecretIdNumUses(), "Incorrect secret ID umber of uses");
+        assertEquals(List.of(ROLE_POLICY), role.getTokenPolicies(), "Incorrect policies");
+        assertEquals(ROLE_PERIOD, role.getTokenPeriod(), "Incorrect role period");
+        assertEquals(ROLE_BIND_SECRET, role.getBindSecretId(), "Incorrect role bind secret ID flag");
+        assertNull(role.getTokenBoundCidrs(), "Incorrect bound CIDR list");
+        assertEquals("", role.getTokenBoundCidrsString(), "Incorrect bound CIDR list string");
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/response/AuthMethodsResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/AuthMethodsResponseTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,19 +16,17 @@

 package de.stklcode.jvault.connector.model.response;

-import com.fasterxml.jackson.databind.ObjectMapper;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import de.stklcode.jvault.connector.model.AbstractModelTest;
 import de.stklcode.jvault.connector.model.AuthBackend;
 import de.stklcode.jvault.connector.model.response.embedded.AuthMethod;
 import org.junit.jupiter.api.Test;

-import java.util.HashMap;
+import java.util.Collections;
 import java.util.Map;
+import java.util.Set;

-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.*;
-import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
-import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.*;

 /**
 * JUnit Test for {@link AuthMethodsResponse} model.
@ -36,37 +34,68 @@ import static org.junit.jupiter.api.Assertions.assertThrows;
 * @author Stefan Kalscheuer
 * @since 0.6.2
 */
-class AuthMethodsResponseTest {
+class AuthMethodsResponseTest extends AbstractModelTest<AuthMethodsResponse> {
    private static final String GH_PATH = "github/";
    private static final String GH_TYPE = "github";
+    private static final String GH_UUID = "4b42d1a4-0a0d-3c88-ae90-997e0c8b41be";
+    private static final String GH_ACCESSOR = "auth_github_badd7fd0";
    private static final String GH_DESCR = "GitHub auth";
    private static final String TK_PATH = "token/";
    private static final String TK_TYPE = "token";
+    private static final String TK_UUID = "32ea9681-6bd6-6cec-eec3-d11260ba9741";
+    private static final String TK_ACCESSOR = "auth_token_ac0dd95a";
    private static final String TK_DESCR = "token based credentials";
    private static final Integer TK_LEASE_TTL = 0;
+    private static final Boolean TK_FORCE_NO_CACHE = false;
    private static final Integer TK_MAX_LEASE_TTL = 0;
+    private static final String TK_TOKEN_TYPE = "default-service";
+    private static final String TK_RUNNING_PLUGIN_VERSION = "v1.15.3+builtin.vault";

    private static final String RES_JSON = "{\n" +
            "  \"data\": {" +
            "    \"" + GH_PATH + "\": {\n" +
+            "      \"uuid\": \"" + GH_UUID + "\",\n" +
            "      \"type\": \"" + GH_TYPE + "\",\n" +
-            "      \"description\": \"" + GH_DESCR + "\"\n" +
+            "      \"accessor\": \"" + GH_ACCESSOR + "\",\n" +
+            "      \"description\": \"" + GH_DESCR + "\",\n" +
+            "      \"external_entropy_access\": false,\n" +
+            "      \"local\": false,\n" +
+            "      \"seal_wrap\": false\n" +
            "    },\n" +
            "    \"" + TK_PATH + "\": {\n" +
            "      \"config\": {\n" +
            "        \"default_lease_ttl\": " + TK_LEASE_TTL + ",\n" +
-            "        \"max_lease_ttl\": " + TK_MAX_LEASE_TTL + "\n" +
+            "        \"force_no_cache\": " + TK_FORCE_NO_CACHE + ",\n" +
+            "        \"max_lease_ttl\": " + TK_MAX_LEASE_TTL + ",\n" +
+            "        \"token_type\": \"" + TK_TOKEN_TYPE + "\"\n" +
            "      },\n" +
            "      \"description\": \"" + TK_DESCR + "\",\n" +
-            "      \"type\": \"" + TK_TYPE + "\"\n" +
+            "      \"options\": null,\n" +
+            "      \"plugin_version\": \"\",\n" +
+            "      \"running_plugin_version\": \"" + TK_RUNNING_PLUGIN_VERSION + "\",\n" +
+            "      \"running_sha256\": \"\",\n" +
+            "      \"type\": \"" + TK_TYPE + "\",\n" +
+            "      \"uuid\": \"" + TK_UUID + "\",\n" +
+            "      \"accessor\": \"" + TK_ACCESSOR + "\",\n" +
+            "      \"external_entropy_access\": false,\n" +
+            "      \"local\": true,\n" +
+            "      \"seal_wrap\": false\n" +
            "    }\n" +
            "  }\n" +
            "}";

-    private static final Map<String, Object> INVALID_DATA = new HashMap<>();
+    AuthMethodsResponseTest() {
+        super(AuthMethodsResponse.class);
+    }

-    static {
-        INVALID_DATA.put("dummy/", new Dummy());
+    @Override
+    protected AuthMethodsResponse createFull() {
+        try {
+            return objectMapper.readValue(RES_JSON, AuthMethodsResponse.class);
+        } catch (JsonProcessingException e) {
+            fail("Creation of full model instance failed", e);
+            return null;
+        }
    }

    /**
@ -76,14 +105,7 @@ class AuthMethodsResponseTest {
    void getDataRoundtrip() {
        // Create empty Object.
        AuthMethodsResponse res = new AuthMethodsResponse();
-        assertThat("Initial method map should be empty", res.getSupportedMethods(), is(anEmptyMap()));
-
-        // Parsing invalid data map should fail.
-        assertThrows(
-                InvalidResponseException.class,
-                () -> res.setData(INVALID_DATA),
-                "Parsing invalid data succeeded"
-        );
+        assertEquals(Collections.emptyMap(), res.getSupportedMethods(), "Initial method map should be empty");
    }

    /**
@ -92,35 +114,48 @@ class AuthMethodsResponseTest {
    @Test
    void jsonRoundtrip() {
        AuthMethodsResponse res = assertDoesNotThrow(
-                () -> new ObjectMapper().readValue(RES_JSON, AuthMethodsResponse.class),
+                () -> objectMapper.readValue(RES_JSON, AuthMethodsResponse.class),
                "AuthResponse deserialization failed"
        );
-        assertThat("Parsed response is NULL", res, is(notNullValue()));
+        assertNotNull(res, "Parsed response is NULL");
        // Extract auth data.
        Map<String, AuthMethod> supported = res.getSupportedMethods();
-        assertThat("Auth data is NULL", supported, is(notNullValue()));
-        assertThat("Incorrect number of supported methods", supported.entrySet(), hasSize(2));
-        assertThat("Incorrect method paths", supported.keySet(), containsInAnyOrder(GH_PATH, TK_PATH));
+        assertNotNull(supported, "Auth data is NULL");
+        assertEquals(2, supported.size(), "Incorrect number of supported methods");
+        assertTrue(supported.keySet().containsAll(Set.of(GH_PATH, TK_PATH)), "Incorrect method paths");

        // Verify first method.
        AuthMethod method = supported.get(GH_PATH);
-        assertThat("Incorrect raw type for GitHub", method.getRawType(), is(GH_TYPE));
-        assertThat("Incorrect parsed type for GitHub", method.getType(), is(AuthBackend.GITHUB));
-        assertThat("Incorrect description for GitHub", method.getDescription(), is(GH_DESCR));
-        assertThat("Unexpected config for GitHub", method.getConfig(), is(nullValue()));
+        assertEquals(GH_TYPE, method.getRawType(), "Incorrect raw type for GitHub");
+        assertEquals(AuthBackend.GITHUB, method.getType(), "Incorrect parsed type for GitHub");
+        assertEquals(GH_DESCR, method.getDescription(), "Incorrect description for GitHub");
+        assertNull(method.getConfig(), "Unexpected config for GitHub");
+        assertEquals(GH_UUID, method.getUuid(), "Unexpected UUID for GitHub");
+        assertEquals(GH_ACCESSOR, method.getAccessor(), "Unexpected accessor for GitHub");
+        assertFalse(method.isLocal(), "Unexpected local flag for GitHub");
+        assertFalse(method.isExternalEntropyAccess(), "Unexpected external entropy flag for GitHub");
+        assertFalse(method.isSealWrap(), "Unexpected seal wrap flag for GitHub");

-        // Verify first method.
+        // Verify second method.
        method = supported.get(TK_PATH);
-        assertThat("Incorrect raw type for Token", method.getRawType(), is(TK_TYPE));
-        assertThat("Incorrect parsed type for Token", method.getType(), is(AuthBackend.TOKEN));
-        assertThat("Incorrect description for Token", method.getDescription(), is(TK_DESCR));
-        assertThat("Missing config for Token", method.getConfig(), is(notNullValue()));
-        assertThat("Unexpected config size for Token", method.getConfig().keySet(), hasSize(2));
-        assertThat("Incorrect lease TTL config", method.getConfig().get("default_lease_ttl"), is(TK_LEASE_TTL.toString()));
-        assertThat("Incorrect max lease TTL config", method.getConfig().get("max_lease_ttl"), is(TK_MAX_LEASE_TTL.toString()));
-    }
+        assertEquals(TK_TYPE, method.getRawType(), "Incorrect raw type for Token");
+        assertEquals(AuthBackend.TOKEN, method.getType(), "Incorrect parsed type for Token");
+        assertEquals(TK_DESCR, method.getDescription(), "Incorrect description for Token");
+        assertEquals(TK_UUID, method.getUuid(), "Unexpected UUID for Token");
+        assertEquals(TK_ACCESSOR, method.getAccessor(), "Unexpected accessor for Token");
+        assertTrue(method.isLocal(), "Unexpected local flag for Token");
+        assertFalse(method.isExternalEntropyAccess(), "Unexpected external entropy flag for Token");
+        assertFalse(method.isSealWrap(), "Unexpected seal wrap flag for GitHub");
+        assertEquals("", method.getPluginVersion(), "Unexpected plugin version");
+        assertEquals(TK_RUNNING_PLUGIN_VERSION, method.getRunningPluginVersion(), "Unexpected running plugin version");
+        assertEquals("", method.getRunningSha256(), "Unexpected running SHA256");

-    private static class Dummy {
+        assertNotNull(method.getConfig(), "Missing config for Token");
+        assertEquals(TK_LEASE_TTL, method.getConfig().getDefaultLeaseTtl(), "Unexpected default TTL");
+        assertEquals(TK_MAX_LEASE_TTL, method.getConfig().getMaxLeaseTtl(), "Unexpected max TTL");
+        assertEquals(TK_FORCE_NO_CACHE, method.getConfig().getForceNoCache(), "Unexpected force no cache flag");
+        assertEquals(TK_TOKEN_TYPE, method.getConfig().getTokenType(), "Unexpected token type");

+        assertNull(method.getOptions(), "Unexpected options");
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/response/AuthResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/AuthResponseTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,18 +16,19 @@

 package de.stklcode.jvault.connector.model.response;

-import com.fasterxml.jackson.databind.ObjectMapper;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import de.stklcode.jvault.connector.model.AbstractModelTest;
 import de.stklcode.jvault.connector.model.response.embedded.AuthData;
+import de.stklcode.jvault.connector.model.response.embedded.MfaConstraintAny;
+import de.stklcode.jvault.connector.model.response.embedded.MfaMethodId;
+import de.stklcode.jvault.connector.model.response.embedded.MfaRequirement;
+import nl.jqno.equalsverifier.EqualsVerifier;
 import org.junit.jupiter.api.Test;

-import java.util.HashMap;
 import java.util.Map;
+import java.util.Set;

-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.*;
-import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
-import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.*;

 /**
 * JUnit Test for {@link AuthResponse} model.
@ -35,7 +36,7 @@ import static org.junit.jupiter.api.Assertions.assertThrows;
 * @author Stefan Kalscheuer
 * @since 0.6.2
 */
-class AuthResponseTest {
+class AuthResponseTest extends AbstractModelTest<AuthResponse> {
    private static final String AUTH_ACCESSOR = "2c84f488-2133-4ced-87b0-570f93a76830";
    private static final String AUTH_CLIENT_TOKEN = "ABCD";
    private static final String AUTH_POLICY_1 = "web";
@ -47,6 +48,13 @@ class AuthResponseTest {
    private static final String AUTH_ENTITY_ID = "";
    private static final String AUTH_TOKEN_TYPE = "service";
    private static final Boolean AUTH_ORPHAN = false;
+    private static final Integer AUTH_NUM_USES = 42;
+    private static final String MFA_REQUEST_ID = "d0c9eec7-6921-8cc0-be62-202b289ef163";
+    private static final String MFA_KEY = "enforcementConfigUserpass";
+    private static final String MFA_METHOD_TYPE = "totp";
+    private static final String MFA_METHOD_ID = "820997b3-110e-c251-7e8b-ff4aa428a6e1";
+    private static final Boolean MFA_METHOD_USES_PASSCODE = true;
+    private static final String MFA_METHOD_NAME = "sample_mfa_method_name";

    private static final String RES_JSON = "{\n" +
        "  \"auth\": {\n" +
@ -67,35 +75,45 @@ class AuthResponseTest {
        "    \"renewable\": " + AUTH_RENEWABLE + ",\n" +
        "    \"entity_id\": \"" + AUTH_ENTITY_ID + "\",\n" +
        "    \"token_type\": \"" + AUTH_TOKEN_TYPE + "\",\n" +
-            "    \"orphan\": " + AUTH_ORPHAN + "\n" +
+        "    \"orphan\": " + AUTH_ORPHAN + ",\n" +
+        "    \"num_uses\": " + AUTH_NUM_USES + ",\n" +
+        "    \"mfa_requirement\": {\n" +
+        "      \"mfa_request_id\": \"" + MFA_REQUEST_ID + "\",\n" +
+        "      \"mfa_constraints\": {\n" +
+        "        \"" + MFA_KEY + "\": {\n" +
+        "          \"any\": [\n" +
+        "            {\n" +
+        "              \"type\": \"" + MFA_METHOD_TYPE + "\",\n" +
+        "              \"id\": \"" + MFA_METHOD_ID + "\",\n" +
+        "              \"uses_passcode\": " + MFA_METHOD_USES_PASSCODE + ",\n" +
+        "              \"name\": \"" + MFA_METHOD_NAME + "\"\n" +
+        "            }\n" +
+        "          ]\n" +
+        "        }\n" +
+        "      }\n" +
+        "    }\n" +
        "  }\n" +
        "}";

-    private static final Map<String, Object> INVALID_AUTH_DATA = new HashMap<>();
-
-    static {
-        INVALID_AUTH_DATA.put("policies", "fancy-policy");
+    AuthResponseTest() {
+        super(AuthResponse.class);
+    }
+
+    @Override
+    protected AuthResponse createFull() {
+        try {
+            return objectMapper.readValue(RES_JSON, AuthResponse.class);
+        } catch (JsonProcessingException e) {
+            fail("Creation of full model instance failed", e);
+            return null;
+        }
    }

-    /**
-     * Test getter, setter and get-methods for response data.
-     */
    @Test
-    void getDataRoundtrip() {
-        // Create empty Object.
-        AuthResponse res = new AuthResponse();
-        assertThat("Initial data should be empty", res.getData(), is(nullValue()));
-
-        // Parsing invalid auth data map should fail.
-        assertThrows(
-                InvalidResponseException.class,
-                () -> res.setAuth(INVALID_AUTH_DATA),
-                "Parsing invalid auth data succeeded"
-        );
-
-        // Data method should be agnostic.
-        res.setData(INVALID_AUTH_DATA);
-        assertThat("Data not passed through", res.getData(), is(INVALID_AUTH_DATA));
+    void testEqualsHashcodeMfa() {
+        EqualsVerifier.simple().forClass(MfaRequirement.class).verify();
+        EqualsVerifier.simple().forClass(MfaConstraintAny.class).verify();
+        EqualsVerifier.simple().forClass(MfaMethodId.class).verify();
    }

    /**
@ -104,25 +122,34 @@ class AuthResponseTest {
    @Test
    void jsonRoundtrip() {
        AuthResponse res = assertDoesNotThrow(
-                    () -> new ObjectMapper().readValue(RES_JSON, AuthResponse.class),
-                    "AuthResponse deserialization failed."
+                () -> objectMapper.readValue(RES_JSON, AuthResponse.class),
+                "AuthResponse deserialization failed"
        );
-            assertThat("Parsed response is NULL", res, is(notNullValue()));
+        assertNotNull(res, "Parsed response is NULL");
        // Extract auth data.
        AuthData data = res.getAuth();
-            assertThat("Auth data is NULL", data, is(notNullValue()));
-            assertThat("Incorrect auth accessor", data.getAccessor(), is(AUTH_ACCESSOR));
-            assertThat("Incorrect auth client token", data.getClientToken(), is(AUTH_CLIENT_TOKEN));
-            assertThat("Incorrect auth lease duration", data.getLeaseDuration(), is(AUTH_LEASE_DURATION));
-            assertThat("Incorrect auth renewable flag", data.isRenewable(), is(AUTH_RENEWABLE));
-            assertThat("Incorrect auth orphan flag", data.isOrphan(), is(AUTH_ORPHAN));
-            assertThat("Incorrect auth token type", data.getTokenType(), is(AUTH_TOKEN_TYPE));
-            assertThat("Incorrect auth entity id", data.getEntityId(), is(AUTH_ENTITY_ID));
-            assertThat("Incorrect number of policies", data.getPolicies(), hasSize(2));
-            assertThat("Incorrect auth policies", data.getPolicies(), containsInRelativeOrder(AUTH_POLICY_1, AUTH_POLICY_2));
-            assertThat("Incorrect number of token policies", data.getTokenPolicies(), hasSize(2));
-            assertThat("Incorrect token policies", data.getTokenPolicies(), containsInRelativeOrder(AUTH_POLICY_2, AUTH_POLICY_1));
-            assertThat("Incorrect auth metadata size", data.getMetadata().entrySet(), hasSize(1));
-            assertThat("Incorrect auth metadata", data.getMetadata().get(AUTH_META_KEY), is(AUTH_META_VALUE));
+        assertNotNull(data, "Auth data is NULL");
+        assertEquals(AUTH_ACCESSOR, data.getAccessor(), "Incorrect auth accessor");
+        assertEquals(AUTH_CLIENT_TOKEN, data.getClientToken(), "Incorrect auth client token");
+        assertEquals(AUTH_LEASE_DURATION, data.getLeaseDuration(), "Incorrect auth lease duration");
+        assertEquals(AUTH_RENEWABLE, data.isRenewable(), "Incorrect auth renewable flag");
+        assertEquals(AUTH_ORPHAN, data.isOrphan(), "Incorrect auth orphan flag");
+        assertEquals(AUTH_TOKEN_TYPE, data.getTokenType(), "Incorrect auth token type");
+        assertEquals(AUTH_ENTITY_ID, data.getEntityId(), "Incorrect auth entity id");
+        assertEquals(AUTH_NUM_USES, data.getNumUses(), "Incorrect auth num uses");
+        assertEquals(2, data.getPolicies().size(), "Incorrect number of policies");
+        assertTrue(data.getPolicies().containsAll(Set.of(AUTH_POLICY_1, AUTH_POLICY_2)));
+        assertEquals(2, data.getTokenPolicies().size(), "Incorrect number of token policies");
+        assertTrue(data.getTokenPolicies().containsAll(Set.of(AUTH_POLICY_2, AUTH_POLICY_1)), "Incorrect token policies");
+        assertEquals(Map.of(AUTH_META_KEY, AUTH_META_VALUE), data.getMetadata(), "Incorrect auth metadata");
+
+        assertEquals(MFA_REQUEST_ID, data.getMfaRequirement().getMfaRequestId(), "Incorrect MFA request ID");
+        assertEquals(Set.of(MFA_KEY), data.getMfaRequirement().getMfaConstraints().keySet(), "Incorrect MFA constraint keys");
+        var mfaConstraint = data.getMfaRequirement().getMfaConstraints().get(MFA_KEY);
+        assertEquals(1, mfaConstraint.getAny().size(), "Incorrect number of any constraints");
+        assertEquals(MFA_METHOD_TYPE, mfaConstraint.getAny().get(0).getType(), "Incorrect MFA method type");
+        assertEquals(MFA_METHOD_ID, mfaConstraint.getAny().get(0).getId(), "Incorrect MFA method type");
+        assertEquals(MFA_METHOD_USES_PASSCODE, mfaConstraint.getAny().get(0).getUsesPasscode(), "Incorrect MFA method uses passcode");
+        assertEquals(MFA_METHOD_NAME, mfaConstraint.getAny().get(0).getName(), "Incorrect MFA method uses passcode");
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/response/CredentialsResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/CredentialsResponseTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,18 +16,11 @@

 package de.stklcode.jvault.connector.model.response;

-import com.fasterxml.jackson.databind.ObjectMapper;
-import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import de.stklcode.jvault.connector.model.AbstractModelTest;
 import org.junit.jupiter.api.Test;

-import java.io.IOException;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.*;
-import static org.junit.jupiter.api.Assertions.fail;
+import static org.junit.jupiter.api.Assertions.*;

 /**
 * JUnit Test for {@link CredentialsResponse} model.
@ -35,32 +28,50 @@ import static org.junit.jupiter.api.Assertions.fail;
 * @author Stefan Kalscheuer
 * @since 0.8
 */
-class CredentialsResponseTest {
-    private static final Map<String, Object> DATA = new HashMap<>();
+class CredentialsResponseTest extends AbstractModelTest<CredentialsResponse> {
    private static final String VAL_USER = "testUserName";
    private static final String VAL_PASS = "5up3r5ecr3tP455";
+    private static final String JSON = "{\n" +
+            "    \"request_id\": \"68315073-6658-e3ff-2da7-67939fb91bbd\",\n" +
+            "    \"lease_id\": \"\",\n" +
+            "    \"lease_duration\": 2764800,\n" +
+            "    \"renewable\": false,\n" +
+            "    \"data\": {\n" +
+            "        \"username\": \"" + VAL_USER + "\",\n" +
+            "        \"password\": \"" + VAL_PASS + "\"\n" +
+            "    },\n" +
+            "    \"warnings\": null\n" +
+            "}";

-    static {
-        DATA.put("username", VAL_USER);
-        DATA.put("password", VAL_PASS);
+    CredentialsResponseTest() {
+        super(CredentialsResponse.class);
+    }
+
+    @Override
+    protected CredentialsResponse createFull() {
+        try {
+            return objectMapper.readValue(JSON, CredentialsResponse.class);
+        } catch (JsonProcessingException e) {
+            fail("Creation of full model instance failed", e);
+            return null;
+        }
    }

    /**
     * Test getter, setter and get-methods for response data.
-     *
-     * @throws InvalidResponseException Should not occur
     */
    @Test
-    @SuppressWarnings("unchecked")
-    void getCredentialsTest() throws InvalidResponseException {
+    void getCredentialsTest() {
        // Create empty Object.
        CredentialsResponse res = new CredentialsResponse();
-        assertThat("Username not present in data map should not return anything", res.getUsername(), is(nullValue()));
-        assertThat("Password not present in data map should not return anything", res.getPassword(), is(nullValue()));
+        assertNull(res.getUsername(), "Username not present in data map should not return anything");
+        assertNull(res.getPassword(), "Password not present in data map should not return anything");

-        // Fill data map.
-        res.setData(DATA);
-        assertThat("Incorrect username", res.getUsername(), is(VAL_USER));
-        assertThat("Incorrect password", res.getPassword(), is(VAL_PASS));
+        res = assertDoesNotThrow(
+                () -> objectMapper.readValue(JSON, CredentialsResponse.class),
+                "Deserialization of CredentialsResponse failed"
+        );
+        assertEquals(VAL_USER, res.getUsername(), "Incorrect username");
+        assertEquals(VAL_PASS, res.getPassword(), "Incorrect password");
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/response/ErrorResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/ErrorResponseTest.java
@ -0,0 +1,88 @@
+/*
+ * Copyright 2016-2025 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import de.stklcode.jvault.connector.model.AbstractModelTest;
+import org.junit.jupiter.api.Test;
+
+import java.util.List;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * JUnit Test for {@link ErrorResponse} model.
+ *
+ * @author Stefan Kalscheuer
+ */
+class ErrorResponseTest extends AbstractModelTest<ErrorResponse> {
+    private static final String ERROR_1 = "Error #1";
+    private static final String ERROR_2 = "Error #2";
+
+    private static final String JSON = "{\"errors\":[\"" + ERROR_1 + "\",\"" + ERROR_2 + "\"]}";
+    private static final String JSON_EMPTY = "{\"errors\":[]}";
+
+    ErrorResponseTest() {
+        super(ErrorResponse.class);
+    }
+
+    @Override
+    protected ErrorResponse createFull() {
+        try {
+            return objectMapper.readValue(JSON, ErrorResponse.class);
+        } catch (JsonProcessingException e) {
+            fail("Creation of full model instance failed", e);
+            return null;
+        }
+    }
+
+    /**
+     * Test creation from JSON value as returned by Vault.
+     */
+    @Test
+    void jsonRoundtrip() {
+        ErrorResponse res = assertDoesNotThrow(
+                () -> objectMapper.readValue(JSON, ErrorResponse.class),
+                "ErrorResponse deserialization failed"
+        );
+        assertNotNull(res, "Parsed response is NULL");
+        assertEquals(List.of(ERROR_1, ERROR_2), res.getErrors(), "Unexpected error messages");
+        assertEquals(
+                JSON,
+                assertDoesNotThrow(() -> objectMapper.writeValueAsString(res), "ErrorResponse serialization failed"),
+                "Unexpected JSON string after serialization"
+        );
+    }
+
+
+    @Test
+    void testToString() {
+        ErrorResponse res = assertDoesNotThrow(
+                () -> objectMapper.readValue(JSON, ErrorResponse.class),
+                "ErrorResponse deserialization failed"
+        );
+        assertEquals(ERROR_1, res.toString());
+
+        res = assertDoesNotThrow(
+                () -> objectMapper.readValue(JSON_EMPTY, ErrorResponse.class),
+                "ErrorResponse deserialization failed with empty list"
+        );
+        assertEquals("error response", res.toString());
+
+        assertEquals("error response", new ErrorResponse().toString());
+    }
+}
--- a/src/test/java/de/stklcode/jvault/connector/model/response/HealthResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/HealthResponseTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,13 +16,11 @@

 package de.stklcode.jvault.connector.model.response;

-import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import de.stklcode.jvault.connector.model.AbstractModelTest;
 import org.junit.jupiter.api.Test;

-import static org.hamcrest.CoreMatchers.is;
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.notNullValue;
-import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+import static org.junit.jupiter.api.Assertions.*;

 /**
 * JUnit Test for {@link AuthResponse} model.
@ -30,10 +28,10 @@ import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 * @author Stefan Kalscheuer
 * @since 0.7.0
 */
-class HealthResponseTest {
+class HealthResponseTest extends AbstractModelTest<HealthResponse> {
    private static final String CLUSTER_ID = "c9abceea-4f46-4dab-a688-5ce55f89e228";
    private static final String CLUSTER_NAME = "vault-cluster-5515c810";
-    private static final String VERSION = "0.9.2";
+    private static final String VERSION = "0.17.0";
    private static final Long SERVER_TIME_UTC = 1469555798L;
    private static final Boolean STANDBY = false;
    private static final Boolean SEALED = false;
@ -41,6 +39,10 @@ class HealthResponseTest {
    private static final Boolean PERF_STANDBY = false;
    private static final String REPL_PERF_MODE = "disabled";
    private static final String REPL_DR_MODE = "disabled";
+    private static final Long ECHO_DURATION = 1L;
+    private static final Long CLOCK_SKEW = 0L;
+    private static final Long REPL_PRIM_CANARY_AGE = 2L;
+    private static final Boolean ENTERPRISE = false;

    private static final String RES_JSON = "{\n" +
            "  \"cluster_id\": \"" + CLUSTER_ID + "\",\n" +
@ -50,30 +52,52 @@ class HealthResponseTest {
            "  \"standby\": " + STANDBY + ",\n" +
            "  \"sealed\": " + SEALED + ",\n" +
            "  \"initialized\": " + INITIALIZED + ",\n" +
-            "  \"replication_perf_mode\": \"" + REPL_PERF_MODE + "\",\n" +
+            "  \"replication_performance_mode\": \"" + REPL_PERF_MODE + "\",\n" +
            "  \"replication_dr_mode\": \"" + REPL_DR_MODE + "\",\n" +
-            "  \"performance_standby\": " + PERF_STANDBY + "\n" +
+            "  \"performance_standby\": " + PERF_STANDBY + ",\n" +
+            "  \"echo_duration_ms\": " + ECHO_DURATION + ",\n" +
+            "  \"clock_skew_ms\": " + CLOCK_SKEW + ",\n" +
+            "  \"replication_primary_canary_age_ms\": " + REPL_PRIM_CANARY_AGE + ",\n" +
+            "  \"enterprise\": " + ENTERPRISE + "\n" +
            "}";

+    HealthResponseTest() {
+        super(HealthResponse.class);
+    }
+
+    @Override
+    protected HealthResponse createFull() {
+        try {
+            return objectMapper.readValue(RES_JSON, HealthResponse.class);
+        } catch (JsonProcessingException e) {
+            fail("Creation of full model instance failed", e);
+            return null;
+        }
+    }
+
    /**
     * Test creation from JSON value as returned by Vault (JSON example copied from Vault documentation).
     */
    @Test
    void jsonRoundtrip() {
        HealthResponse res = assertDoesNotThrow(
-                () -> new ObjectMapper().readValue(RES_JSON, HealthResponse.class),
-                "Health deserialization failed."
+                () -> objectMapper.readValue(RES_JSON, HealthResponse.class),
+                "Health deserialization failed"
        );
-        assertThat("Parsed response is NULL", res, is(notNullValue()));
-        assertThat("Incorrect cluster ID", res.getClusterID(), is(CLUSTER_ID));
-        assertThat("Incorrect cluster name", res.getClusterName(), is(CLUSTER_NAME));
-        assertThat("Incorrect version", res.getVersion(), is(VERSION));
-        assertThat("Incorrect server time", res.getServerTimeUTC(), is(SERVER_TIME_UTC));
-        assertThat("Incorrect standby state", res.isStandby(), is(STANDBY));
-        assertThat("Incorrect seal state", res.isSealed(), is(SEALED));
-        assertThat("Incorrect initialization state", res.isInitialized(), is(INITIALIZED));
-        assertThat("Incorrect performance standby state", res.isPerformanceStandby(), is(PERF_STANDBY));
-        assertThat("Incorrect replication perf mode", res.getReplicationPerfMode(), is(REPL_PERF_MODE));
-        assertThat("Incorrect replication DR mode", res.getReplicationDrMode(), is(REPL_DR_MODE));
+        assertNotNull(res, "Parsed response is NULL");
+        assertEquals(CLUSTER_ID, res.getClusterID(), "Incorrect cluster ID");
+        assertEquals(CLUSTER_NAME, res.getClusterName(), "Incorrect cluster name");
+        assertEquals(VERSION, res.getVersion(), "Incorrect version");
+        assertEquals(SERVER_TIME_UTC, res.getServerTimeUTC(), "Incorrect server time");
+        assertEquals(STANDBY, res.isStandby(), "Incorrect standby state");
+        assertEquals(SEALED, res.isSealed(), "Incorrect seal state");
+        assertEquals(INITIALIZED, res.isInitialized(), "Incorrect initialization state");
+        assertEquals(PERF_STANDBY, res.isPerformanceStandby(), "Incorrect performance standby state");
+        assertEquals(REPL_PERF_MODE, res.getReplicationPerfMode(), "Incorrect replication perf mode");
+        assertEquals(REPL_DR_MODE, res.getReplicationDrMode(), "Incorrect replication DR mode");
+        assertEquals(ECHO_DURATION, res.getEchoDurationMs(), "Incorrect echo duration");
+        assertEquals(CLOCK_SKEW, res.getClockSkewMs(), "Incorrect clock skew");
+        assertEquals(REPL_PRIM_CANARY_AGE, res.getReplicationPrimaryCanaryAgeMs(), "Incorrect canary age");
+        assertEquals(ENTERPRISE, res.isEnterprise(), "Incorrect enterprise flag");
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/response/HelpResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/HelpResponseTest.java
@ -0,0 +1,66 @@
+/*
+ * Copyright 2016-2025 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import de.stklcode.jvault.connector.model.AbstractModelTest;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * JUnit Test for {@link HelpResponse} model.
+ *
+ * @author Stefan Kalscheuer
+ */
+class HelpResponseTest extends AbstractModelTest<HelpResponse> {
+    private static final String HELP = "Help Text.";
+
+    private static final String JSON = "{\"help\":\"" + HELP + "\"}";
+
+    HelpResponseTest() {
+        super(HelpResponse.class);
+    }
+
+    @Override
+    protected HelpResponse createFull() {
+        try {
+            return objectMapper.readValue(JSON, HelpResponse.class);
+        } catch (JsonProcessingException e) {
+            fail("Creation of full model instance failed", e);
+            return null;
+        }
+    }
+
+    /**
+     * Test creation from JSON value as returned by Vault.
+     */
+    @Test
+    void jsonRoundtrip() {
+        HelpResponse res = assertDoesNotThrow(
+                () -> objectMapper.readValue(JSON, HelpResponse.class),
+                "HelpResponse deserialization failed"
+        );
+        assertNotNull(res, "Parsed response is NULL");
+        assertEquals(HELP, res.getHelp(), "Unexpected help text");
+        assertEquals(
+                JSON,
+                assertDoesNotThrow(() -> objectMapper.writeValueAsString(res), "HelpResponse serialization failed"),
+                "Unexpected JSON string after serialization"
+        );
+    }
+}
--- a/src/test/java/de/stklcode/jvault/connector/model/response/MetaSecretResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/MetaSecretResponseTest.java
@ -0,0 +1,148 @@
+/*
+ * Copyright 2016-2025 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import de.stklcode.jvault.connector.model.AbstractModelTest;
+import org.junit.jupiter.api.Test;
+
+import java.util.List;
+import java.util.Map;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * JUnit Test for {@link MetaSecretResponse} model.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.6.2
+ */
+class MetaSecretResponseTest extends AbstractModelTest<MetaSecretResponse> {
+    private static final String SECRET_REQUEST_ID = "68315073-6658-e3ff-2da7-67939fb91bbd";
+    private static final String SECRET_LEASE_ID = "";
+    private static final Integer SECRET_LEASE_DURATION = 2764800;
+    private static final boolean SECRET_RENEWABLE = false;
+    private static final String SECRET_DATA_K1 = "excited";
+    private static final String SECRET_DATA_V1 = "yes";
+    private static final String SECRET_DATA_K2 = "value";
+    private static final String SECRET_DATA_V2 = "world";
+    private static final String SECRET_META_CREATED = "2018-03-22T02:24:06.945319214Z";
+    private static final String SECRET_META_DELETED = "2018-03-23T03:25:07.056420325Z";
+    private static final List<String> SECRET_WARNINGS = null;
+    private static final String CUSTOM_META_KEY = "foo";
+    private static final String CUSTOM_META_VAL = "bar";
+
+    private static final String SECRET_JSON_V2 = "{\n" +
+            "    \"request_id\": \"" + SECRET_REQUEST_ID + "\",\n" +
+            "    \"lease_id\": \"" + SECRET_LEASE_ID + "\",\n" +
+            "    \"lease_duration\": " + SECRET_LEASE_DURATION + ",\n" +
+            "    \"renewable\": " + SECRET_RENEWABLE + ",\n" +
+            "    \"data\": {\n" +
+            "      \"data\": {\n" +
+            "          \"" + SECRET_DATA_K1 + "\": \"" + SECRET_DATA_V1 + "\",\n" +
+            "          \"" + SECRET_DATA_K2 + "\": \"" + SECRET_DATA_V2 + "\"\n" +
+            "      },\n" +
+            "      \"metadata\": {\n" +
+            "          \"created_time\": \"" + SECRET_META_CREATED + "\",\n" +
+            "          \"custom_metadata\": null,\n" +
+            "          \"deletion_time\": \"\",\n" +
+            "          \"destroyed\": false,\n" +
+            "          \"version\": 1\n" +
+            "      }\n" +
+            "    },\n" +
+            "    \"warnings\": " + SECRET_WARNINGS + "\n" +
+            "}";
+    private static final String SECRET_JSON_V2_2 = "{\n" +
+            "    \"request_id\": \"" + SECRET_REQUEST_ID + "\",\n" +
+            "    \"lease_id\": \"" + SECRET_LEASE_ID + "\",\n" +
+            "    \"lease_duration\": " + SECRET_LEASE_DURATION + ",\n" +
+            "    \"renewable\": " + SECRET_RENEWABLE + ",\n" +
+            "    \"data\": {\n" +
+            "      \"data\": {\n" +
+            "          \"" + SECRET_DATA_K1 + "\": \"" + SECRET_DATA_V1 + "\",\n" +
+            "          \"" + SECRET_DATA_K2 + "\": \"" + SECRET_DATA_V2 + "\"\n" +
+            "      },\n" +
+            "      \"metadata\": {\n" +
+            "          \"created_time\": \"" + SECRET_META_CREATED + "\",\n" +
+            "          \"custom_metadata\": {" +
+            "            \"" + CUSTOM_META_KEY + "\": \"" + CUSTOM_META_VAL + "\"" +
+            "          },\n" +
+            "          \"deletion_time\": \"" + SECRET_META_DELETED + "\",\n" +
+            "          \"destroyed\": true,\n" +
+            "          \"version\": 2\n" +
+            "      }\n" +
+            "    },\n" +
+            "    \"warnings\": " + SECRET_WARNINGS + "\n" +
+            "}";
+
+    MetaSecretResponseTest() {
+        super(MetaSecretResponse.class);
+    }
+
+    @Override
+    protected MetaSecretResponse createFull() {
+        try {
+            return objectMapper.readValue(SECRET_JSON_V2, MetaSecretResponse.class);
+        } catch (JsonProcessingException e) {
+            fail("Creation of full model instance failed", e);
+            return null;
+        }
+    }
+
+    /**
+     * Test creation from JSON value as returned by Vault (JSON example copied from Vault documentation).
+     */
+    @Test
+    void jsonRoundtrip() {
+        // KV v2 secret.
+        MetaSecretResponse res = assertDoesNotThrow(
+                () -> objectMapper.readValue(SECRET_JSON_V2, MetaSecretResponse.class),
+                "SecretResponse deserialization failed"
+        );
+        assertSecretData(res);
+        assertNotNull(res.getMetadata(), "SecretResponse does not contain metadata");
+        assertNotNull(res.getMetadata().getCreatedTime(), "Creation date parsing failed");
+        assertNull(res.getMetadata().getDeletionTime(), "Incorrect deletion date");
+        assertFalse(res.getMetadata().isDestroyed(), "Secret destroyed when not expected");
+        assertEquals(1, res.getMetadata().getVersion(), "Incorrect secret version");
+        assertNull(res.getMetadata().getCustomMetadata(), "Incorrect custom metadata");
+
+        // Deleted KV v2 secret.
+        res = assertDoesNotThrow(
+                () -> objectMapper.readValue(SECRET_JSON_V2_2, MetaSecretResponse.class),
+                "SecretResponse deserialization failed"
+        );
+        assertSecretData(res);
+        assertNotNull(res.getMetadata(), "SecretResponse does not contain metadata");
+        assertNotNull(res.getMetadata().getCreatedTime(), "Creation date parsing failed");
+        assertNotNull(res.getMetadata().getDeletionTime(), "Incorrect deletion date");
+        assertTrue(res.getMetadata().isDestroyed(), "Secret destroyed when not expected");
+        assertEquals(2, res.getMetadata().getVersion(), "Incorrect secret version");
+        assertEquals(Map.of(CUSTOM_META_KEY, CUSTOM_META_VAL), res.getMetadata().getCustomMetadata(), "Incorrect custom metadata");
+    }
+
+    private void assertSecretData(SecretResponse res) {
+        assertNotNull(res, "Parsed response is NULL");
+        assertEquals(SECRET_REQUEST_ID, res.getRequestId(), "Incorrect request ID");
+        assertEquals(SECRET_LEASE_ID, res.getLeaseId(), "Incorrect lease ID");
+        assertEquals(SECRET_LEASE_DURATION, res.getLeaseDuration(), "Incorrect lease duration");
+        assertEquals(SECRET_RENEWABLE, res.isRenewable(), "Incorrect renewable status");
+        assertEquals(SECRET_WARNINGS, res.getWarnings(), "Incorrect warnings");
+        assertEquals(SECRET_DATA_V1, res.get(SECRET_DATA_K1), "Response does not contain correct data");
+        assertEquals(SECRET_DATA_V2, res.get(SECRET_DATA_K2), "Response does not contain correct data");
+    }
+}
--- a/Show More
+++ b/Show More