Vault account tags follow the same label rules and operational limits whether they are standard or protected. Labels must be 2 to 30 characters and unique within your workspace, and vault accounts can have up to 20 tags combined.
Label rules
All tag labels must follow these requirements:
| Rule | Requirement |
| Minimum length | 2 characters |
| Maximum length | 30 characters |
| Allowed characters | Alphanumeric characters, spaces, hyphens (-), and underscores (_) |
| Uniqueness | Must be unique within your workspace |
Labels that do not meet these requirements return a 400 Bad Request error. A duplicate label within the same workspace returns a 409 Conflict error.
Optional fields
When creating or editing a tag, two optional fields are available in addition to the label:
| Field | Max length | Format |
| Description | 250 characters | Plain text |
| Color | N/A | Valid hex color (for example, #FF5733) |
An invalid hex color value returns a 400 Bad Request error.
Operational limits
| Limit | Value |
| Max tags per vault account | 20 (standard and protected combined) |
| Max vault accounts per attach/detach request | 100 |
| Max tags to attach per request | 20 |
| Max tags to detach per request | 20 |
| Max tag IDs in a list/filter request | 100 |
Exceeding 20 tags per vault account returns a 409 Conflict error. Exceeding request size limits returns a 400 Bad Request error.
Additional constraints
- A tag cannot be deleted while it has active vault account attachments. Detach the tag from all vaults first.
- The same tag cannot appear in both the attach and detach arrays in a single request.
- A tag with a pending approval request cannot be edited or deleted until the pending request is resolved.
- Protection status is immutable after creation. A standard tag cannot be converted to a protected tag, and a protected tag cannot be converted to a standard tag.