
openapi-directory


Building & bundling https://github.com/APIs-guru/openapi-directory for easy use from JS

{"openapi":"3.0.0","servers":[{"url":"http://conjur.local"},{"url":"/"}],"info":{"contact":{"email":"conj_maintainers@cyberark.com"},"description":"This is an API definition for CyberArk Conjur Open Source. You can find out more at [Conjur.org](https://www.conjur.org/).","license":{"name":"Apache 2.0","url":"http://www.apache.org/licenses/LICENSE-2.0.html"},"title":"Conjur","version":"5.3.0","x-apisguru-categories":["security"],"x-origin":[{"format":"openapi","url":"https://raw.githubusercontent.com/cyberark/conjur-openapi-spec/main/spec/openapi.yml","version":"3.0"}],"x-providerName":"conjur.local"},"externalDocs":{"description":"Find out more about Conjur","url":"https://conjur.org"},"security":[{"basicAuth":[]},{"conjurAuth":[]},{"conjurKubernetesMutualTls":[]}],"tags":[{"description":"Authentication","name":"authentication"},{"description":"Secrets","name":"secrets"},{"description":"Policies","name":"policies"},{"description":"RBAC","name":"roles"},{"description":"Host factories","name":"host factory"},{"description":"SSH keys","name":"public keys"},{"description":"Resources","name":"resources"},{"description":"Server status","name":"status"},{"description":"Certificate authority","name":"certificate authority"}],"paths":{"/authenticators":{"get":{"description":"Response contains three members: installed, configured, and enabled.\n\ninstalled: The authenticator is implemented in Conjur and is available for configuration\nconfigured: The authenticator has a webservice in the DB that was loaded by policy\nenabled: The authenticator is enabled (in the DB or in the ENV) and is ready for authentication\n","operationId":"getAuthenticators","responses":{"200":{"content":{"application/json":{"schema":{"properties":{"configured":{"description":"The authenticators configured on the Conjur server","example":["authn"],"items":{"type":"string"},"type":"array"},"enabled":{"description":"The authenticators enabled on the Conjur 
server","example":["authn"],"items":{"type":"string"},"type":"array"},"installed":{"description":"The authenticators installed on the Conjur server","example":["authn"],"items":{"type":"string"},"type":"array"}},"type":"object"}}},"description":"Details about authenticators for this Conjur server"}},"summary":"Details about which authenticators are on the Conjur Server","tags":["status"]},"parameters":[{"$ref":"#/components/parameters/RequestID"}]},"/authn-azure/{service_id}/{account}/{login}/authenticate":{"parameters":[{"$ref":"#/components/parameters/RequestID"}],"post":{"description":"The access token is used to communicate to the REST API that\nthe bearer of the token has been authorized to access the API and perform\nspecific actions specified by the scope that was granted during authorization.\n\nFor API usage, the base64-encoded access token is ordinarily passed as an HTTP\nAuthorization header as `Authorization: Token token=<base64-encoded token>`.\n\nThe `login` must be URL encoded and the host ID must have the prefix\n`host/`. For example, the host webserver would login as `host/webserver`,\nand would be encoded as `host%2Fwebserver`.\n\nThe `service_id`, if given, must be URL encoded. For example,\n`prod/gke` must be encoded as `prod%2Fgke`.\n\nTo authenticate to Conjur using this endpoint, reference the detailed\ndocumentation: [Azure Authenticator](https://docs.conjur.org/Latest/en/Content/Operations/Services/azure_authn.htm) (`authn-azure`).\n","operationId":"getAccessTokenViaAzure","parameters":[{"$ref":"#/components/parameters/ServiceID"},{"description":"Organization account name","in":"path","name":"account","required":true,"schema":{"$ref":"#/components/schemas/AccountName"}},{"description":"URL-encoded login name. For users, it’s the user ID. 
For hosts, the login name is `host/<host-id>`","in":"path","name":"login","required":true,"schema":{"$ref":"#/paths/~1authn~1%7Baccount%7D~1%7Blogin%7D~1authenticate/post/parameters/1/schema"}},{"description":"Setting the Accept-Encoding header to base64 will return a pre-encoded access token","in":"header","name":"Accept-Encoding","schema":{"default":"application/json","enum":["application/json","base64"],"type":"string"}}],"requestBody":{"content":{"application/x-www-form-urlencoded":{"schema":{"description":"Azure instance identity token","example":{"jwt":"eyJhbGciOiJSUzI1NiIs......uTonCA"},"properties":{"jwt":{"type":"string"}},"type":"object"}}},"description":"Azure identity token","required":true},"responses":{"200":{"$ref":"#/paths/~1authn~1%7Baccount%7D~1%7Blogin%7D~1authenticate/post/responses/200"},"400":{"$ref":"#/components/responses/BadRequest"},"401":{"$ref":"#/components/responses/UnauthorizedError"},"404":{"$ref":"#/components/responses/ResourceNotFound"},"500":{"$ref":"#/components/responses/InternalServerError"}},"security":[],"summary":"Gets a short-lived access token for applications running in Azure.","tags":["authentication"]}},"/authn-gcp/{account}/authenticate":{"parameters":[{"$ref":"#/components/parameters/RequestID"}],"post":{"description":"Use the GCP Authenticator API to send an authentication\nrequest from a Google Cloud service to Conjur.\n\nFor more information, see [the documentation](https://docs.conjur.org/Latest/en/Content/Operations/Services/cjr-gcp-authn.htm).\n","operationId":"getAccessTokenViaGCP","parameters":[{"description":"Organization account name","example":"dev","in":"path","name":"account","required":true,"schema":{"type":"string"}},{"description":"Setting the Accept-Encoding header to base64 will return a pre-encoded access token","in":"header","name":"Accept-Encoding","schema":{"enum":["base64"],"type":"string"}}],"requestBody":{"content":{"application/x-www-form-urlencoded":{"schema":{"description":"Google Cloud 
instance identity token","example":{"jwt":"eyJhbGciOiJSUzI1NiIs......uTonCA"},"properties":{"jwt":{"type":"string"}},"type":"object"}}},"description":"Google JWT identity token for the Google Cloud service","required":true},"responses":{"200":{"$ref":"#/paths/~1authn~1%7Baccount%7D~1login/get/responses/200"},"400":{"$ref":"#/components/responses/BadRequest"},"401":{"$ref":"#/components/responses/UnauthorizedError"},"500":{"$ref":"#/components/responses/InternalServerError"}},"security":[],"summary":"Gets a short-lived access token for applications running in\nGoogle Cloud Platform.\n","tags":["authentication"]}},"/authn-gcp/{account}/status":{"get":{"description":"Once the status webservice has been properly configured and the relevant user\ngroups have been given permissions to access the status webservice, the\nusers in those groups can check the status of the authenticator.\n\nThis operation only supports the GCP authenticator\n\nSee [Conjur Documentation](https://docs.conjur.org/Latest/en/Content/Integrations/Authn-status.htm)\nfor details on setting up the authenticator status webservice.\n","operationId":"getGCPAuthenticatorStatus","parameters":[{"description":"The organization account name","example":"dev","in":"path","name":"account","required":true,"schema":{"type":"string"}}],"responses":{"200":{"$ref":"#/paths/~1%7Bauthenticator%7D~1%7Bservice_id%7D~1%7Baccount%7D~1status/get/responses/200"},"400":{"$ref":"#/components/responses/BadRequest"},"403":{"$ref":"#/components/responses/InadequatePrivileges"},"404":{"description":"The service was not found"},"500":{"$ref":"#/paths/~1%7Bauthenticator%7D~1%7Bservice_id%7D~1%7Baccount%7D~1status/get/responses/200"},"501":{"$ref":"#/paths/~1%7Bauthenticator%7D~1%7Bservice_id%7D~1%7Baccount%7D~1status/get/responses/200"}},"security":[{"conjurAuth":[]}],"summary":"Details whether an authentication service has been configured 
properly","tags":["status"]},"parameters":[{"$ref":"#/components/parameters/RequestID"}]},"/authn-iam/{service_id}/{account}/{login}/authenticate":{"parameters":[{"$ref":"#/components/parameters/RequestID"}],"post":{"description":"The access token is used to communicate to the REST API that\nthe bearer of the token has been authorized to access the API and perform\nspecific actions specified by the scope that was granted during authorization.\n\nFor API usage, the base64-encoded access token is ordinarily passed as an HTTP\nAuthorization header as `Authorization: Token token=<base64-encoded token>`.\n\nThe `login` must be URL encoded and the host ID must have the prefix\n`host/`. For example, the host webserver would login as `host/webserver`,\nand would be encoded as `host%2Fwebserver`.\n\nThe `service_id`, if given, must be URL encoded. For example,\n`prod/gke` must be encoded as `prod%2Fgke`.\n\nFor detailed instructions on authenticating to Conjur using this endpoint,\nreference the documentation:\n[AWS IAM Authenticator](https://docs.conjur.org/Latest/en/Content/Operations/Services/AWS_IAM_Authenticator.htm) (`authn-iam`).\n","operationId":"getAccessTokenViaAWS","parameters":[{"$ref":"#/components/parameters/ServiceID"},{"description":"Organization account name","in":"path","name":"account","required":true,"schema":{"$ref":"#/components/schemas/AccountName"}},{"description":"URL-encoded login name. 
For hosts, the login name is `host/<host-id>`","in":"path","name":"login","required":true,"schema":{"$ref":"#/paths/~1authn~1%7Baccount%7D~1%7Blogin%7D~1authenticate/post/parameters/1/schema"}},{"description":"Setting the Accept-Encoding header to base64 will return a pre-encoded access token","in":"header","name":"Accept-Encoding","schema":{"default":"application/json","enum":["application/json","base64"],"type":"string"}}],"requestBody":{"content":{"text/plain":{"schema":{"description":"AWS Signature Version 4 header","type":"string"}}},"description":"AWS Signature header","required":true},"responses":{"200":{"$ref":"#/paths/~1authn~1%7Baccount%7D~1%7Blogin%7D~1authenticate/post/responses/200"},"400":{"$ref":"#/components/responses/BadRequest"},"401":{"$ref":"#/components/responses/UnauthorizedError"},"404":{"$ref":"#/components/responses/ResourceNotFound"},"500":{"$ref":"#/components/responses/InternalServerError"}},"security":[],"summary":"Get a short-lived access token for applications running in AWS.","tags":["authentication"]}},"/authn-jwt/{service_id}/{account}/authenticate":{"parameters":[{"$ref":"#/components/parameters/RequestID"}],"post":{"description":"Use the JWT Authenticator to leverage the identity layer\nprovided by JWT to authenticate with Conjur.\n","operationId":"getAccessTokenViaJWT","parameters":[{"description":"Organization account name","in":"path","name":"account","required":true,"schema":{"$ref":"#/components/schemas/AccountName"}},{"$ref":"#/components/parameters/ServiceID"}],"requestBody":{"content":{"application/x-www-form-urlencoded":{"schema":{"example":{"jwt":"eyJhbGciOiJSUzI1NiIs......uTonCA"},"properties":{"jwt":{"type":"string"}},"type":"object"}}},"description":"ID 
token","required":true},"responses":{"200":{"$ref":"#/paths/~1authn~1%7Baccount%7D~1%7Blogin%7D~1authenticate/post/responses/200"},"400":{"$ref":"#/components/responses/BadRequest"},"401":{"$ref":"#/components/responses/UnauthorizedError"},"404":{"$ref":"#/components/responses/ResourceNotFound"},"500":{"$ref":"#/components/responses/InternalServerError"}},"security":[],"summary":"Gets a short-lived access token for applications using JSON Web Token (JWT)\nto access the Conjur API.\n","tags":["authentication"]}},"/authn-jwt/{service_id}/{account}/{id}/authenticate":{"parameters":[{"$ref":"#/components/parameters/RequestID"}],"post":{"description":"Use the JWT Authenticator to leverage the identity layer\nprovided by JWT to authenticate with Conjur.\n","operationId":"getAccessTokenViaJWTWithId","parameters":[{"description":"Organization account name","in":"path","name":"account","required":true,"schema":{"$ref":"#/components/schemas/AccountName"}},{"description":"Organization user id","in":"path","name":"id","required":true,"schema":{"description":"Represents the user/host identity","example":"SomeUserID","minLength":1,"type":"string"}},{"$ref":"#/components/parameters/ServiceID"}],"requestBody":{"content":{"application/x-www-form-urlencoded":{"schema":{"$ref":"#/paths/~1authn-jwt~1%7Bservice_id%7D~1%7Baccount%7D~1authenticate/post/requestBody/content/application~1x-www-form-urlencoded/schema"}}},"description":"ID token","required":true},"responses":{"200":{"$ref":"#/paths/~1authn~1%7Baccount%7D~1%7Blogin%7D~1authenticate/post/responses/200"},"400":{"$ref":"#/components/responses/BadRequest"},"401":{"$ref":"#/components/responses/UnauthorizedError"},"404":{"$ref":"#/components/responses/ResourceNotFound"},"500":{"$ref":"#/components/responses/InternalServerError"}},"security":[],"summary":"Gets a short-lived access token for applications using JSON Web Token (JWT)\nto access the Conjur API. 
Covers the case of use of optional URL parameter \"ID\"\n","tags":["authentication"]}},"/authn-k8s/{service_id}/inject_client_cert":{"parameters":[{"$ref":"#/components/parameters/RequestID"}],"post":{"description":"This request sends a Certificate Signing Request to Conjur,\nwhich uses the Kubernetes API to inject a client certificate into the\napplication pod.\n\nThis endpoint requires a properly configured Conjur Certificate Authority\nservice alongside a properly configured and enabled Kubernetes authenticator.\nFor detailed instructions,\nsee [the documentation](https://docs.conjur.org/Latest/en/Content/Integrations/kubernetes.htm).\n","operationId":"k8sInjectClientCert","parameters":[{"$ref":"#/components/parameters/ServiceID"},{"description":"Dot-separated policy tree, prefixed by `host.`, where the application identity is defined","example":"host/conjur/authn-k8s/my-authenticator-id/apps","in":"header","name":"Host-Id-Prefix","schema":{"type":"string"}}],"requestBody":{"content":{"text/plain":{"schema":{"type":"string"}}},"description":"Valid certificate signing request that includes the host\nidentity suffix as the CSR common name\n","required":true},"responses":{"202":{"description":"The injected certificate was accepted."},"400":{"$ref":"#/components/responses/BadRequest"},"401":{"$ref":"#/components/responses/UnauthorizedError"},"404":{"$ref":"#/components/responses/ResourceNotFound"}},"summary":"For applications running in Kubernetes; sends Conjur a certificate\nsigning request (CSR) and requests a client certificate injected into\nthe application's Kubernetes pod.\n","tags":["authentication"]}},"/authn-k8s/{service_id}/{account}/{login}/authenticate":{"parameters":[{"$ref":"#/components/parameters/RequestID"}],"post":{"description":"The access token is used to communicate to the REST API that\nthe bearer of the token has been authorized to access the API and perform\nspecific actions specified by the scope that was granted during authorization.\n\nFor 
API usage, the base64-encoded access token is ordinarily passed as an HTTP\nAuthorization header as `Authorization: Token token=<base64-encoded token>`.\n\nThe `login` must be URL encoded and the host ID must have the prefix\n`host/`. For example, the host webserver would login as `host/webserver`,\nand would be encoded as `host%2Fwebserver`.\n\nThe `service_id`, if given, must be URL encoded. For example,\n`prod/gke` must be encoded as `prod%2Fgke`.\n\nTo authenticate to Conjur using this endpoint, reference the detailed\ndocumentation: [Kubernetes Authenticator](https://docs.conjur.org/Latest/en/Content/Operations/Services/k8s_auth.htm) (`authn-k8s`).\n","operationId":"getAccessTokenViaKubernetes","parameters":[{"$ref":"#/components/parameters/ServiceID"},{"description":"Organization account name","in":"path","name":"account","required":true,"schema":{"$ref":"#/components/schemas/AccountName"}},{"description":"URL-encoded login name. For users, it’s the user ID. For hosts, the login name is `host/<host-id>`","in":"path","name":"login","required":true,"schema":{"$ref":"#/paths/~1authn~1%7Baccount%7D~1%7Blogin%7D~1authenticate/post/parameters/1/schema"}},{"description":"Setting the Accept-Encoding header to base64 will return a pre-encoded access token","in":"header","name":"Accept-Encoding","schema":{"default":"application/json","enum":["application/json","base64"],"type":"string"}}],"responses":{"200":{"$ref":"#/paths/~1authn~1%7Baccount%7D~1%7Blogin%7D~1authenticate/post/responses/200"},"400":{"$ref":"#/components/responses/BadRequest"},"401":{"$ref":"#/components/responses/UnauthorizedError"},"404":{"$ref":"#/components/responses/ResourceNotFound"},"500":{"$ref":"#/components/responses/InternalServerError"}},"security":[{"conjurKubernetesMutualTls":[]}],"summary":"Gets a short-lived access token for applications running in Kubernetes.","tags":["authentication"]}},"/authn-ldap/{service_id}/{account}/login":{"get":{"description":"Exchange your LDAP credentials 
for a Conjur API key. Once the\nAPI key is obtained, it may be used to inexpensively obtain access\ntokens by calling the Authenticate method. An access token\nis required to use most other parts of the Conjur API.\n\nThe Basic authentication-compliant header is formed by:\n1. Concatenating the LDAP username, a literal colon character ':',\n and the password to create the authentication string.\n2. Base64-encoding the authentication string.\n3. Prefixing the authentication string with the scheme: `Basic `\n (note the required space).\n4. Providing the result as the value of the `Authorization` HTTP header:\n `Authorization: Basic <authentication string>`.\n\nYour HTTP/REST client probably provides HTTP basic authentication support.\n","operationId":"getAPIKeyViaLDAP","parameters":[{"$ref":"#/components/parameters/ServiceID"},{"description":"Organization account name","in":"path","name":"account","required":true,"schema":{"$ref":"#/components/schemas/AccountName"}}],"responses":{"200":{"$ref":"#/paths/~1authn~1%7Baccount%7D~1login/get/responses/200"},"400":{"$ref":"#/components/responses/BadRequest"},"401":{"$ref":"#/components/responses/UnauthorizedError"},"404":{"$ref":"#/components/responses/ResourceNotFound"},"422":{"$ref":"#/components/responses/UnprocessableEntity"},"500":{"$ref":"#/components/responses/InternalServerError"}},"security":[{"basicAuth":[]}],"summary":"Gets the Conjur API key of a user given the LDAP username and\npassword via HTTP Basic Authentication.\n","tags":["authentication"]},"parameters":[{"$ref":"#/components/parameters/RequestID"}]},"/authn-ldap/{service_id}/{account}/{login}/authenticate":{"parameters":[{"$ref":"#/components/parameters/RequestID"}],"post":{"description":"The access token is used to communicate to the REST API that\nthe bearer of the token has been authorized to access the API and perform\nspecific actions specified by the scope that was granted during authorization.\n\nFor API usage, the base64-encoded access token is 
ordinarily passed as an HTTP\nAuthorization header as `Authorization: Token token=<base64-encoded token>`.\n\nThe `login` must be URL encoded. For example, `alice@devops` must be\nencoded as `alice%40devops`.\n\nThe `service_id`, if given, must be URL encoded. For example,\n`prod/gke` must be encoded as `prod%2Fgke`.\n\nFor host authentication, the `login` is the host ID with the prefix\n`host/`. For example, the host webserver would login as `host/webserver`,\nand would be encoded as `host%2Fwebserver`.\n\nTo authenticate to Conjur using a LDAP, reference the detailed documentation:\n[LDAP Authenticator](https://docs.conjur.org/Latest/en/Content/Integrations/ldap/ldap_authenticator.html) (`authn-ldap`).\n","operationId":"getAccessTokenViaLDAP","parameters":[{"$ref":"#/components/parameters/ServiceID"},{"description":"Organization account name","in":"path","name":"account","required":true,"schema":{"$ref":"#/components/schemas/AccountName"}},{"description":"URL-encoded login name. For users, it’s the user ID. 
For hosts, the login name is `host/<host-id>`","in":"path","name":"login","required":true,"schema":{"$ref":"#/paths/~1authn~1%7Baccount%7D~1%7Blogin%7D~1authenticate/post/parameters/1/schema"}},{"description":"Setting the Accept-Encoding header to base64 will return a pre-encoded access token","in":"header","name":"Accept-Encoding","schema":{"default":"application/json","enum":["application/json","base64"],"type":"string"}}],"requestBody":{"content":{"text/plain":{"schema":{"$ref":"#/paths/~1authn~1%7Baccount%7D~1login/get/responses/200/content/text~1plain/schema"}}},"description":"API key","required":false},"responses":{"200":{"$ref":"#/paths/~1authn~1%7Baccount%7D~1%7Blogin%7D~1authenticate/post/responses/200"},"400":{"$ref":"#/components/responses/BadRequest"},"401":{"$ref":"#/components/responses/UnauthorizedError"},"404":{"$ref":"#/components/responses/ResourceNotFound"},"500":{"$ref":"#/components/responses/InternalServerError"}},"security":[],"summary":"Gets a short-lived access token for users and hosts using their\nLDAP identity to access the Conjur API.\n","tags":["authentication"]}},"/authn-oidc/{service_id}/{account}/authenticate":{"parameters":[{"$ref":"#/components/parameters/RequestID"}],"post":{"description":"Use the OIDC Authenticator to leverage the identity layer\nprovided by OIDC to authenticate with Conjur.\n\nFor more information see [the documentation](https://docs.conjur.org/Latest/en/Content/OIDC/OIDC.htm).\n","operationId":"getAccessTokenViaOIDC","parameters":[{"$ref":"#/components/parameters/ServiceID"},{"description":"Organization account name","in":"path","name":"account","required":true,"schema":{"$ref":"#/components/schemas/AccountName"}}],"requestBody":{"content":{"application/x-www-form-urlencoded":{"schema":{"description":"OpenID Connect ID token","example":{"id_token":"eyJhbGciOiJSUzI1NiIs......uTonCA"},"properties":{"id_token":{"type":"string"}},"type":"object"}}},"description":"ID 
token","required":true},"responses":{"200":{"$ref":"#/paths/~1authn~1%7Baccount%7D~1%7Blogin%7D~1authenticate/post/responses/200"},"400":{"$ref":"#/components/responses/BadRequest"},"401":{"$ref":"#/components/responses/UnauthorizedError"},"404":{"$ref":"#/components/responses/ResourceNotFound"}},"security":[],"summary":"Gets a short-lived access token for applications using OpenID\nConnect (OIDC) to access the Conjur API.\n","tags":["authentication"]}},"/authn/{account}/api_key":{"parameters":[{"$ref":"#/components/parameters/RequestID"}],"put":{"description":"Any role can rotate its own API key. The name and password\n(for users) or current API key (for hosts and users) of the role must\nbe provided via HTTP Basic Authorization.\n\nTo rotate another role's API key, you may provide your name and password\n(for users) or current API key (for hosts and users) via HTTP Basic\nAuthorization with the request. Alternatively, you may provide your\nConjur access token via the standard Conjur `Authorization` header.\n\nThe Basic authentication-compliant header is formed by:\n1. Concatenating the role's name, a literal colon character ':',\n and the password or API key to create the authentication string.\n2. Base64-encoding the authentication string.\n3. Prefixing the authentication string with the scheme: `Basic `\n (note the required space).\n4. 
Providing the result as the value of the `Authorization` HTTP header:\n `Authorization: Basic <authentication string>`.\n\nYour HTTP/REST client probably provides HTTP basic authentication support.\nFor example, `curl` and all of the Conjur client libraries provide this.\n\nIf using the Conjur `Authorization` header, its value should be set to\n`Token token=<base64-encoded access token>`.\n\nNote that the body of the request must be the empty string.\n","operationId":"rotateApiKey","parameters":[{"description":"Organization account name","in":"path","name":"account","required":true,"schema":{"$ref":"#/components/schemas/AccountName"}},{"description":"(**Optional**) role specifier in `{kind}:{identifier}` format\n\n##### Permissions required\n\n`update` privilege on the role whose API key is being rotated.\n","in":"query","name":"role","schema":{"$ref":"#/components/schemas/RoleType"}}],"responses":{"200":{"$ref":"#/paths/~1authn~1%7Baccount%7D~1login/get/responses/200"},"400":{"$ref":"#/components/responses/BadRequest"},"401":{"$ref":"#/components/responses/UnauthorizedError"},"422":{"$ref":"#/components/responses/UnprocessableEntity"},"500":{"$ref":"#/components/responses/InternalServerError"}},"security":[{"basicAuth":[],"conjurAuth":[]}],"summary":"Rotates a role's API key.","tags":["authentication"]}},"/authn/{account}/login":{"get":{"description":"Passwords are stored in the Conjur database using `bcrypt`\nwith a work factor of 12. Therefore, login is a fairly expensive operation.\nHowever, once the API key is obtained, it may be used to inexpensively\nobtain access tokens by calling the Authenticate method. An access token\nis required to use most other parts of the Conjur API.\n\nThe Basic authentication-compliant header is formed by:\n1. Concatenating the role's name, a literal colon character ':',\n and the password or API key to create the authentication string.\n2. Base64-encoding the authentication string.\n3. 
Prefixing the authentication string with the scheme: `Basic `\n (note the required space).\n4. Providing the result as the value of the `Authorization` HTTP header:\n `Authorization: Basic <authentication string>`.\n\nYour HTTP/REST client probably provides HTTP basic authentication support.\nFor example, `curl` and all of the Conjur client libraries provide this.\n\nNote that machine roles (Hosts) do not have passwords and do not need to\nuse this endpoint.\n","operationId":"getAPIKey","parameters":[{"description":"Organization account name","in":"path","name":"account","required":true,"schema":{"$ref":"#/components/schemas/AccountName"}}],"responses":{"200":{"content":{"text/plain":{"schema":{"description":"Example of a Conjur API key","example":"14m9cf91wfsesv1kkhevg12cdywm2wvqy6s8sk53z1ngtazp1t9tykc","minLength":55,"type":"string"}}},"description":"The response body is the API key"},"400":{"$ref":"#/components/responses/BadRequest"},"401":{"$ref":"#/components/responses/UnauthorizedError"},"404":{"$ref":"#/components/responses/ResourceNotFound"},"422":{"$ref":"#/components/responses/UnprocessableEntity"},"500":{"$ref":"#/components/responses/InternalServerError"}},"security":[{"basicAuth":[]}],"summary":"Gets the API key of a user given the username and password\nvia HTTP Basic Authentication.\n","tags":["authentication"]},"parameters":[{"$ref":"#/components/parameters/RequestID"}]},"/authn/{account}/password":{"parameters":[{"$ref":"#/components/parameters/RequestID"}],"put":{"description":"You must provide the login name and current password or\nAPI key of the user whose password is to be updated in an HTTP Basic\nAuthentication header. Also replaces the user’s API key with a new\nsecurely generated random value. You can fetch the new API key using\nthe Login method.\n\nThe Basic authentication-compliant header is formed by:\n1. Concatenating the role's name, a literal colon character ':',\n and the password or API key to create the authentication string.\n2. 
Base64-encoding the authentication string.\n3. Prefixing the authentication string with the scheme: `Basic `\n (note the required space).\n4. Providing the result as the value of the `Authorization` HTTP header:\n `Authorization: Basic <authentication string>`.\n\nYour HTTP/REST client probably provides HTTP basic authentication\nsupport. For example, `curl` and all of the Conjur client libraries\nprovide this.\n\nNote that machine roles (Hosts) do not have passwords. They authenticate\nusing their API keys, while passwords are only used by human users.\n","operationId":"changePassword","parameters":[{"description":"Organization account name","in":"path","name":"account","required":true,"schema":{"$ref":"#/components/schemas/AccountName"}}],"requestBody":{"content":{"text/plain":{"schema":{"format":"password","minLength":1,"type":"string"}}},"description":"New password","required":true},"responses":{"204":{"description":"The password has been changed"},"400":{"$ref":"#/components/responses/BadRequest"},"401":{"$ref":"#/components/responses/UnauthorizedError"},"422":{"$ref":"#/components/responses/UnprocessableEntity"},"500":{"$ref":"#/components/responses/InternalServerError"}},"security":[{"basicAuth":[]}],"summary":"Changes a user’s password.","tags":["authentication"]}},"/authn/{account}/{login}/authenticate":{"parameters":[{"$ref":"#/components/parameters/RequestID"}],"post":{"description":"A client can obtain an access token by presenting a valid\nlogin name and API key.\n\nThe access token is used to communicate to the REST API that the bearer\nof the token has been authorized to access the API and perform specific\nactions specified by the scope that was granted during authorization.\n\nThe `login` must be URL encoded. For example, `alice@devops` must be\nencoded as `alice%40devops`.\n\nThe `service_id`, if given, must be URL encoded. 
For example,\n`prod/gke` must be encoded as `prod%2Fgke`.\n\nFor host authentication, the `login` is the host ID with the prefix\n`host/`. For example, the host webserver would login as `host/webserver`,\nand would be encoded as `host%2Fwebserver`.\n\nFor API usage, the base64-encoded access token is ordinarily passed as an HTTP\nAuthorization header as `Authorization: Token token=<base64-encoded token>`.\n\nThis is the default authentication endpoint only. See other endpoints for\ndetails on authenticating to Conjur using another method, e.g. for\napplications running in Azure or Kubernetes.\n","operationId":"getAccessToken","parameters":[{"description":"Organization account name","in":"path","name":"account","required":true,"schema":{"$ref":"#/components/schemas/AccountName"}},{"description":"URL-encoded login name. For users, it’s the user ID. For hosts, the login name is `host/<host-id>`","in":"path","name":"login","required":true,"schema":{"example":"admin","minLength":1,"type":"string"}},{"description":"Setting the Accept-Encoding header to base64 will return a pre-encoded access token","in":"header","name":"Accept-Encoding","schema":{"default":"application/json","enum":["application/json","base64"],"type":"string"}}],"requestBody":{"content":{"text/plain":{"schema":{"$ref":"#/paths/~1authn~1%7Baccount%7D~1login/get/responses/200/content/text~1plain/schema"}}},"description":"API Key","required":true},"responses":{"200":{"content":{"text/plain":{"schema":{"type":"string"}}},"description":"The response is an access token for conjur"},"400":{"$ref":"#/components/responses/BadRequest"},"401":{"$ref":"#/components/responses/UnauthorizedError"},"404":{"$ref":"#/components/responses/ResourceNotFound"},"500":{"$ref":"#/components/responses/InternalServerError"}},"security":[],"summary":"Gets a short-lived access token, which is required in the header\nof most subsequent API 
requests.\n","tags":["authentication"]}},"/ca/{account}/{service_id}/sign":{"parameters":[{"$ref":"#/components/parameters/RequestID"}],"post":{"description":"Gets a signed certificate from the configured Certificate Authority service.\n\nThe request must include a valid Certificate Signing Request, and a desired TTL in ISO 8601 format.\n\n*** IMPORTANT ***\nThis endpoint is part of an early implementation of support for using Conjur as a certificate\nauthority, and is currently available at the Community (or early alpha) level.\nThis endpoint is still subject to breaking changes in the future.\n","operationId":"sign","parameters":[{"description":"Organization account name","in":"path","name":"account","required":true,"schema":{"$ref":"#/components/schemas/AccountName"}},{"description":"Name of the Certificate Authority service","in":"path","name":"service_id","required":true,"schema":{"example":"ca-service","minLength":1,"type":"string"}},{"description":"Setting the Accept header to `application/x-pem-file` allows Conjur to respond with a formatted certificate","in":"header","name":"Accept","schema":{"example":"application/x-pem-file","minLength":1,"type":"string"}}],"requestBody":{"content":{"application/x-www-form-urlencoded":{"schema":{"properties":{"csr":{"type":"string"},"ttl":{"type":"string"}},"required":["csr","ttl"],"type":"object"}}},"description":"Client Certificate Signing Request","required":true},"responses":{"201":{"content":{"application/json":{"schema":{"properties":{"certificate":{"type":"string"}},"type":"object"}},"application/x-pem-file":{"schema":{"format":"base64","type":"string"}}},"description":"The response body is the newly signed certificate"},"400":{"$ref":"#/components/responses/BadRequest"},"401":{"$ref":"#/components/responses/UnauthorizedError"},"403":{"description":"Either \n- The authenticated role is not a Host role,\n- The authenticated Host does not have `sign` privilege for the CA service, or\n- The authenticated Host ID does 
not match the CSR Common Name (CN).\n"},"404":{"description":"CA Service with the given ID does not exist"}},"security":[{"conjurAuth":[]}],"summary":"Gets a signed certificate from the configured Certificate Authority service.","tags":["certificate authority"]}},"/health":{"get":{"description":"You can request health checks against any cluster node using the Conjur API.\nThese routes do not require authentication.\n\nThe health check attempts an internal HTTP or TCP connection to\neach Conjur Enterprise service. It also attempts a simple transaction against all internal databases.\n","operationId":"health","responses":{"200":{"content":{"application/json":{"schema":{"type":"object"}}},"description":"The tests were successful"},"502":{"description":"The tests failed"}},"summary":"Health info about Conjur","tags":["status"],"x-conjur-settings":{"enterprise-only":true}},"x-conjur-settings":{"enterprise-only":true}},"/host_factories/hosts":{"parameters":[{"$ref":"#/components/parameters/RequestID"}],"post":{"description":"Creates a Host using the Host Factory and returns a JSON description of it.\n\nRequires a host factory token, which can be created using the create tokens API.\nIn practice, this token is usually provided automatically as part of Conjur integration with your\nhost provisioning infrastructure.\n\nNote: If the token was created with a CIDR restriction, you must make this API request from a whitelisted address.\n","operationId":"createHost","requestBody":{"content":{"application/x-www-form-urlencoded":{"schema":{"example":{"id":"new-host"},"properties":{"annotations":{"description":"Annotations to apply to the new host","example":{"description":"new db host","puppet":"true"},"type":"object"},"id":{"description":"Identifier of the host to be created. 
It will be created within the account of the host factory.","example":"my-new-host","type":"string"}},"required":["id"],"type":"object"}}},"description":"Parameters","required":true},"responses":{"201":{"content":{"application/json":{"schema":{"description":"Contains information about a created host","example":{"annotations":[],"api_key":"rq5bk73nwjnm52zdj87993ezmvx3m75k3whwxszekvmnwdqek0r","created_at":"2025-04-15T13:50:46.247Z","id":"myorg:host:brand-new-host","owner":"myorg:host_factory:hf-db","permissions":[]},"properties":{"annotations":{"items":{"type":"string"},"type":"array"},"api_key":{"type":"string"},"created_at":{"type":"string"},"id":{"type":"string"},"owner":{"type":"string"},"permissions":{"items":{"type":"string"},"type":"array"}},"required":["created_at","id","api_key","owner","permissions","annotations"],"type":"object"}}},"description":"The response body contains the newly-created host"},"401":{"$ref":"#/components/responses/UnauthorizedError"},"422":{"$ref":"#/components/responses/UnprocessableEntity"}},"security":[{"conjurAuth":[]}],"summary":"Creates a Host using the Host Factory.","tags":["host factory"]}},"/host_factory_tokens":{"parameters":[{"$ref":"#/components/parameters/RequestID"}],"post":{"description":"Creates one or more tokens which can be used to bootstrap host identity. 
Responds with a JSON document containing the tokens and their restrictions.\n\nIf the tokens are created with a CIDR restriction, Conjur will only accept them from the whitelisted IP ranges.\n\n##### Permissions required\n\n`execute` privilege on the Host Factory.\n","operationId":"createToken","requestBody":{"content":{"application/x-www-form-urlencoded":{"schema":{"example":{"expiration":"2025-04-15T13:50:46.247Z","host_factory":"myorg:host_factory:hf-db"},"properties":{"cidr":{"description":"CIDR restrictions for the tokens; Conjur only accepts the tokens from these IP ranges","example":["127.0.0.1/32"],"items":{"type":"string"},"type":"array"},"count":{"description":"Number of host tokens to create","example":2,"type":"integer"},"expiration":{"description":"`ISO 8601 datetime` denoting a requested expiration time.","example":"2025-04-15T13:50:46.247Z","type":"string"},"host_factory":{"description":"Fully qualified host factory ID","example":"myorg:host_factory:hf-db","type":"string"}},"required":["expiration","host_factory"],"type":"object"}}},"description":"Parameters","required":true},"responses":{"200":{"content":{"application/json":{"schema":{"example":[{"cidr":["127.0.0.1/32","127.0.0.2/32"],"expiration":"2025-04-15T13:50:46.247Z","token":"281s2ag1g8s7gd2ezf6td3d619b52t9gaak3w8rj0p38124n384sq7x"},{"cidr":["127.0.0.1/32","127.0.0.2/32"],"expiration":"2025-04-15T13:50:46.247Z","token":"2c0vfj61pmah3efbgpcz2x9vzcy1ycskfkyqy0kgk1fv014880f4"}],"items":{"properties":{"cidr":{"items":{"type":"string"},"type":"array"},"expiration":{"type":"string"},"token":{"type":"string"}},"required":["expiration","cidr","token"],"type":"object"},"type":"array"}}},"description":"Zero or more tokens were created and delivered in the response 
body"},"401":{"$ref":"#/components/responses/UnauthorizedError"},"403":{"$ref":"#/components/responses/InadequatePrivileges"},"404":{"$ref":"#/components/responses/ResourceNotFound"},"422":{"$ref":"#/components/responses/UnprocessableEntity"}},"security":[{"conjurAuth":[]}],"summary":"Creates one or more host identity tokens.","tags":["host factory"]}},"/host_factory_tokens/{token}":{"delete":{"description":"Revokes a token, immediately disabling it.\n\n##### Permissions required\n\n`update` privilege on the host factory.\n","operationId":"revokeToken","parameters":[{"description":"The host factory token to revoke","in":"path","name":"token","required":true,"schema":{"example":"2c0vfj61pmah3efbgpcz2x9vzcy1ycskfkyqy0kgk1fv014880f4","type":"string"}}],"responses":{"204":{"description":"Token was successfully revoked"},"400":{"$ref":"#/components/responses/BadRequest"},"401":{"$ref":"#/components/responses/UnauthorizedError"},"404":{"$ref":"#/components/responses/ResourceNotFound"}},"security":[{"conjurAuth":[]}],"summary":"Revokes a token, immediately disabling it.","tags":["host factory"]},"parameters":[{"$ref":"#/components/parameters/RequestID"}]},"/info":{"get":{"description":"Information about the Conjur Enterprise node that was queried.\n\nIncludes authenticator info, release/version info, configuration details,\ninternal services, and role information.\n","operationId":"info","responses":{"200":{"content":{"application/json":{"schema":{"properties":{"authenticators":{"properties":{"configured":{"items":{"type":"string"},"type":"array"},"enabled":{"items":{"type":"string"},"type":"array"},"installed":{"items":{"type":"string"},"type":"array"}},"type":"object"},"configuration":{"type":"object"},"container":{"type":"string"},"release":{"type":"string"},"role":{"type":"string"},"services":{"type":"object"},"version":{"type":"string"}},"type":"object"}}},"description":"info"}},"summary":"Basic information about the Conjur Enterprise 
server","tags":["status"],"x-conjur-settings":{"enterprise-only":true}},"x-conjur-settings":{"enterprise-only":true}},"/policies/{account}/policy/{identifier}":{"parameters":[{"$ref":"#/components/parameters/RequestID"}],"patch":{"description":"Modifies an existing Conjur policy. Data may be explicitly deleted using\nthe `!delete`, `!revoke`, and `!deny` statements. Unlike `replace` mode,\nno data is ever implicitly deleted.\n\n##### Permissions required\n","operationId":"updatePolicy","parameters":[{"description":"Organization account name","in":"path","name":"account","required":true,"schema":{"$ref":"#/components/schemas/AccountName"}},{"description":"ID of the policy to update","example":"root","in":"path","name":"identifier","required":true,"schema":{"$ref":"#/components/schemas/ResourceID"}}],"requestBody":{"content":{"application/x-yaml":{"schema":{"$ref":"#/paths/~1policies~1%7Baccount%7D~1policy~1%7Bidentifier%7D/put/requestBody/content/text~1yaml/schema"}},"text/plain":{"schema":{"$ref":"#/paths/~1policies~1%7Baccount%7D~1policy~1%7Bidentifier%7D/put/requestBody/content/text~1yaml/schema"}},"text/x-yaml":{"schema":{"$ref":"#/paths/~1policies~1%7Baccount%7D~1policy~1%7Bidentifier%7D/put/requestBody/content/text~1yaml/schema"}},"text/yaml":{"schema":{"$ref":"#/paths/~1policies~1%7Baccount%7D~1policy~1%7Bidentifier%7D/put/requestBody/content/text~1yaml/schema"}}},"description":"Policy","required":true},"responses":{"201":{"$ref":"#/paths/~1policies~1%7Baccount%7D~1policy~1%7Bidentifier%7D/put/responses/201"},"400":{"$ref":"#/components/responses/BadRequest"},"401":{"$ref":"#/components/responses/UnauthorizedError"},"403":{"$ref":"#/components/responses/InadequatePrivileges"},"404":{"$ref":"#/components/responses/ResourceNotFound"},"409":{"$ref":"#/components/responses/Busy"},"422":{"$ref":"#/components/responses/UnprocessableEntity"}},"security":[{"conjurAuth":[]}],"summary":"Modifies an existing Conjur 
policy.","tags":["policies"]},"post":{"description":"Adds data to the existing Conjur policy. Deletions are not allowed.\nAny policy objects that exist on the server but are omitted from the\npolicy file will not be deleted and any explicit deletions in the policy file will result in an error.\n\n##### Permissions required\n\n`create` privilege on the policy.\n","operationId":"loadPolicy","parameters":[{"description":"Organization account name","in":"path","name":"account","required":true,"schema":{"$ref":"#/components/schemas/AccountName"}},{"description":"ID of the policy to update","example":"root","in":"path","name":"identifier","required":true,"schema":{"$ref":"#/components/schemas/ResourceID"}}],"requestBody":{"content":{"application/x-yaml":{"schema":{"$ref":"#/paths/~1policies~1%7Baccount%7D~1policy~1%7Bidentifier%7D/put/requestBody/content/text~1yaml/schema"}},"text/plain":{"schema":{"$ref":"#/paths/~1policies~1%7Baccount%7D~1policy~1%7Bidentifier%7D/put/requestBody/content/text~1yaml/schema"}},"text/x-yaml":{"schema":{"$ref":"#/paths/~1policies~1%7Baccount%7D~1policy~1%7Bidentifier%7D/put/requestBody/content/text~1yaml/schema"}},"text/yaml":{"schema":{"$ref":"#/paths/~1policies~1%7Baccount%7D~1policy~1%7Bidentifier%7D/put/requestBody/content/text~1yaml/schema"}}},"description":"Policy","required":true},"responses":{"201":{"$ref":"#/paths/~1policies~1%7Baccount%7D~1policy~1%7Bidentifier%7D/put/responses/201"},"400":{"$ref":"#/components/responses/BadRequest"},"401":{"$ref":"#/components/responses/UnauthorizedError"},"403":{"$ref":"#/components/responses/InadequatePrivileges"},"404":{"$ref":"#/components/responses/ResourceNotFound"},"409":{"$ref":"#/components/responses/Busy"},"422":{"$ref":"#/components/responses/UnprocessableEntity"}},"security":[{"conjurAuth":[]}],"summary":"Adds data to the existing Conjur policy.","tags":["policies"]},"put":{"description":"Loads or replaces a Conjur policy document.\n\n**Any policy data which already exists on the 
server but is not\nexplicitly specified in the new policy file will be deleted!**\n","operationId":"replacePolicy","parameters":[{"description":"Organization account name","in":"path","name":"account","required":true,"schema":{"$ref":"#/components/schemas/AccountName"}},{"description":"ID of the policy to load (root if no root policy has been loaded yet)","example":"root","in":"path","name":"identifier","required":true,"schema":{"$ref":"#/components/schemas/ResourceID"}}],"requestBody":{"content":{"application/x-yaml":{"schema":{"$ref":"#/paths/~1policies~1%7Baccount%7D~1policy~1%7Bidentifier%7D/put/requestBody/content/text~1yaml/schema"}},"text/plain":{"schema":{"$ref":"#/paths/~1policies~1%7Baccount%7D~1policy~1%7Bidentifier%7D/put/requestBody/content/text~1yaml/schema"}},"text/x-yaml":{"schema":{"$ref":"#/paths/~1policies~1%7Baccount%7D~1policy~1%7Bidentifier%7D/put/requestBody/content/text~1yaml/schema"}},"text/yaml":{"schema":{"example":"- !policy\n id: database\n body:\n - !host\n id: db-host\n - !variable\n id: db-password\n owner: !host db-host\n","minLength":1,"type":"string"}}},"description":"Policy","required":true},"responses":{"201":{"content":{"application/json":{"schema":{"example":{"created_roles":{"myorg:host:database/db-host":{"api_key":"309yzpa1n5kp932waxw6d37x4hew2x8ve8w11m8xn92acfy672m929en","id":"myorg:host:database/db-host"}},"version":1},"properties":{"created_roles":{"type":"object"},"version":{"type":"number"}},"type":"object"}}},"description":"Describes new data created by a successful policy load"},"400":{"$ref":"#/components/responses/BadRequest"},"401":{"$ref":"#/components/responses/UnauthorizedError"},"403":{"$ref":"#/components/responses/InadequatePrivileges"},"404":{"$ref":"#/components/responses/ResourceNotFound"},"409":{"$ref":"#/components/responses/Busy"},"422":{"$ref":"#/components/responses/UnprocessableEntity"}},"security":[{"conjurAuth":[]}],"summary":"Loads or replaces a Conjur policy 
document.","tags":["policies"]}},"/public_keys/{account}/{kind}/{identifier}":{"get":{"description":"Shows all public keys for a resource as a newline-delimited string for compatibility with the authorized_keys SSH format.\nReturns an empty string if the resource does not exist, to prevent attackers from determining whether a resource exists.\n","operationId":"showPublicKeys","parameters":[{"description":"Organization account name","in":"path","name":"account","required":true,"schema":{"$ref":"#/components/schemas/AccountName"}},{"description":"Type of resource","example":"user","in":"path","name":"kind","required":true,"schema":{"$ref":"#/components/schemas/Kind"}},{"description":"ID of the resource to get information about","example":"admin","in":"path","name":"identifier","required":true,"schema":{"$ref":"#/components/schemas/ResourceID"}}],"responses":{"200":{"content":{"text/plain":{"example":"ssh-rsa AAAAB3Nzabc2 admin@alice.com\n\nssh-rsa AAAAB3Nza3nx alice@example.com\n","schema":{"type":"string"}}},"description":"Public keys for a resource as a newline-delimited string for compatibility with the authorized_keys SSH format. 
Empty string if the resource does not exist"},"400":{"$ref":"#/components/responses/BadRequest"},"404":{"$ref":"#/components/responses/ResourceNotFound"},"422":{"$ref":"#/components/responses/UnprocessableEntity"},"500":{"$ref":"#/components/responses/InternalServerError"}},"summary":"Shows all public keys for a resource.","tags":["public keys"]},"parameters":[{"$ref":"#/components/parameters/RequestID"}]},"/remote_health/{remote}":{"get":{"description":"Use the remote_health route to check the health of any Conjur Enterprise Server from any other Conjur Enterprise Server.\nWith this route, you can check master health relative to a follower, or follower health relative\nto a standby, and so on.\n","operationId":"remoteHealth","parameters":[{"description":"The hostname of the remote to check","example":"conjur.myorg.com","in":"path","name":"remote","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"type":"object"}}},"description":"The tests were successful"},"502":{"description":"The tests failed"}},"summary":"Health info about a given Conjur Enterprise server","tags":["status"],"x-conjur-settings":{"enterprise-only":true}},"x-conjur-settings":{"enterprise-only":true}},"/resources":{"get":{"description":"Lists resources within an organization account.\n\nIn the absence of an `account` query parameter, shows results for the account of the authorization token user.\n\nIf an `account` query parameter is given, shows results for the specified account.\n\nIf a `kind` query parameter is given, narrows results to only resources of that kind.\n\nIf a `limit` is given, returns no more than that number of results. Providing an `offset`\nskips a number of resources before returning the rest. In addition, providing an `offset`\nwill give `limit` a default value of 10 if none other is provided. 
These two parameters can\nbe combined to page through results.\n\nIf the parameter `count` is `true`, returns only the number of items in the list.\n\n##### Text search\n\nIf the `search` parameter is provided, narrows results to those pertaining to the search query.\nSearch works across resource IDs and the values of annotations. It weighs results so that those\nwith matching id or a matching value of an annotation called `name` appear first, then those with\nanother matching annotation value, and finally those with a matching `kind`.\"\n","operationId":"showResourcesForAllAccounts","parameters":[{"description":"Organization account name","example":"myorg","in":"query","name":"account","schema":{"$ref":"#/components/schemas/AccountName"}},{"description":"Type of resource","example":"user","in":"query","name":"kind","schema":{"$ref":"#/components/schemas/Kind"}},{"description":"Filter resources based on this value by name","example":"db","in":"query","name":"search","schema":{"description":"Only returns results that contain this string value","example":"password","minLength":1,"type":"string"}},{"description":"When listing resources, start at this item number.","in":"query","name":"offset","schema":{"$ref":"#/components/schemas/Offset"}},{"description":"When listing resources, return up to this many results.","in":"query","name":"limit","schema":{"$ref":"#/components/schemas/Limit"}},{"descrip