Get an application's credential.

GET /sys/v1/apps/{app_id}/credential

In FIPS mode, this secret will be reset after 100 failed API key authentication attempts in a 24-hour period.

Security
HTTP
Type: bearer
API Key: apiKeyAuth
Header parameter name: Authorization
Path parameters
app_id
string (uuid) Required
Responses
2XX

Success result

object
app_id
string (uuid)

Unique identifier of the App.

credential
OneOf
AppCredentialVariantAll
object (AppCredentialVariantAll)
all
Array of object (OneAppCredential)

App authentication mechanisms.

OneOf
OneAppCredentialVariantSecret
object (OneAppCredentialVariantSecret)
secret
string

Authenticating credentials of an App.

OneAppCredentialVariantCertificate
object (OneAppCredentialVariantCertificate)
certificate
string (byte)

PKI Certificate based authentication.

OneAppCredentialVariantTrustedCa
object (OneAppCredentialVariantTrustedCa)
trustedca
ca_certificate
string (byte)
check_revocation
boolean | null

When true, revocation status of certificates is checked, and revoked certificates are rejected.

OneOf
TrustAnchorSubjectVariantSubject
object (TrustAnchorSubjectVariantSubject)
subject
Array of array
Array of string
Min items: 2
Max items: 2
string
TrustAnchorSubjectVariantSubjectGeneral
object (TrustAnchorSubjectVariantSubjectGeneral)
subject_general
OneOf
SubjectGeneralVariantDirectoryName
object (SubjectGeneralVariantDirectoryName)
directory_name
Array of array
Array of string
Min items: 2
Max items: 2
string
SubjectGeneralVariantDnsName
object (SubjectGeneralVariantDnsName)
dns_name
string
SubjectGeneralVariantIpAddress
object (SubjectGeneralVariantIpAddress)
ip_address
OneOf
string (ipv4)
string
string (ipv6)
string
OneAppCredentialVariantGoogleServiceAccount
object (OneAppCredentialVariantGoogleServiceAccount)
googleserviceaccount
object
access_reason_policy
object
allow
Array of string (GoogleAccessReason)

Set of allowed Google Access reasons.

string

An access reason provided by Google when making EKMS API calls.

Valid values: [ "REASON_UNSPECIFIED", "CUSTOMER_INITIATED_SUPPORT", "GOOGLE_INITIATED_SERVICE", "THIRD_PARTY_DATA_REQUEST", "GOOGLE_INITIATED_REVIEW", "CUSTOMER_INITIATED_ACCESS", "GOOGLE_INITIATED_SYSTEM_OPERATION", "REASON_NOT_EXPECTED", "MODIFIED_CUSTOMER_INITIATED_ACCESS", "MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION", "GOOGLE_RESPONSE_TO_PRODUCTION_ALERT", "CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING" ]
allow_missing_reason
boolean

Accept incoming requests which do not specify any access reasons.

groups
object | null

Mapping for all groups an application is part of and the GCP-specific permissions it has within each of those groups.

property*
Array of string (GcpAppPermissions) additionalProperties
string

CRYPTO_SPACE_GET_INFO:

CRYPTO_SPACE_GET_PUBLIC_KEY:

Valid values: [ "CRYPTO_SPACE_GET_INFO", "CRYPTO_SPACE_GET_PUBLIC_KEY" ]
OneAppCredentialVariantSignedJwt
object (OneAppCredentialVariantSignedJwt)
signedjwt
object
valid_issuers
Array of string
string
signing_keys

Signing keys used to validate JSON Web Signature objects including signed JSON Web Tokens.

OneOf
object
object
kind
string
Valid values: [ "stored" ]
keys
object

Mapping key ids to DER-encoded public key.

property*
string (byte) additionalProperties
object
object
kind
string
Valid values: [ "fetched" ]
url
string
cache_duration
integer

Number of seconds that the service is allowed to cache the fetched keys.

OneAppCredentialVariantLdap
object (OneAppCredentialVariantLdap)
ldap
string (uuid)

LDAP credentials of an App used for authentication.

OneAppCredentialVariantAwsIam
object (OneAppCredentialVariantAwsIam)
awsiam
object
OneAppCredentialVariantAwsXks
object (OneAppCredentialVariantAwsXks)
awsxks
object
access_key_id
string
secret_key
string
OneAppCredentialVariantGoogleWorkspaceCse
object (OneAppCredentialVariantGoogleWorkspaceCse)
googleworkspacecse
object
object
OneOf
OneAppCredentialVariantSecret
object (OneAppCredentialVariantSecret)
secret
string

Authenticating credentials of an App.

OneAppCredentialVariantCertificate
object (OneAppCredentialVariantCertificate)
certificate
string (byte)

PKI Certificate based authentication.

OneAppCredentialVariantTrustedCa
object (OneAppCredentialVariantTrustedCa)
trustedca
ca_certificate
string (byte)
check_revocation
boolean | null

When true, revocation status of certificates is checked, and revoked certificates are rejected.

OneOf
TrustAnchorSubjectVariantSubject
object (TrustAnchorSubjectVariantSubject)
subject
Array of array
Array of string
Min items: 2
Max items: 2
string
TrustAnchorSubjectVariantSubjectGeneral
object (TrustAnchorSubjectVariantSubjectGeneral)
subject_general
OneOf
SubjectGeneralVariantDirectoryName
object (SubjectGeneralVariantDirectoryName)
directory_name
Array of array
Array of string
Min items: 2
Max items: 2
string
SubjectGeneralVariantDnsName
object (SubjectGeneralVariantDnsName)
dns_name
string
SubjectGeneralVariantIpAddress
object (SubjectGeneralVariantIpAddress)
ip_address
OneOf
string (ipv4)
string
string (ipv6)
string
OneAppCredentialVariantGoogleServiceAccount
object (OneAppCredentialVariantGoogleServiceAccount)
googleserviceaccount
object
access_reason_policy
object
allow
Array of string (GoogleAccessReason)

Set of allowed Google Access reasons.

string

An access reason provided by Google when making EKMS API calls.

Valid values: [ "REASON_UNSPECIFIED", "CUSTOMER_INITIATED_SUPPORT", "GOOGLE_INITIATED_SERVICE", "THIRD_PARTY_DATA_REQUEST", "GOOGLE_INITIATED_REVIEW", "CUSTOMER_INITIATED_ACCESS", "GOOGLE_INITIATED_SYSTEM_OPERATION", "REASON_NOT_EXPECTED", "MODIFIED_CUSTOMER_INITIATED_ACCESS", "MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION", "GOOGLE_RESPONSE_TO_PRODUCTION_ALERT", "CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING" ]
allow_missing_reason
boolean

Accept incoming requests which do not specify any access reasons.

groups
object | null

Mapping for all groups an application is part of and the GCP-specific permissions it has within each of those groups.

property*
Array of string (GcpAppPermissions) additionalProperties
string

CRYPTO_SPACE_GET_INFO:

CRYPTO_SPACE_GET_PUBLIC_KEY:

Valid values: [ "CRYPTO_SPACE_GET_INFO", "CRYPTO_SPACE_GET_PUBLIC_KEY" ]
OneAppCredentialVariantSignedJwt
object (OneAppCredentialVariantSignedJwt)
signedjwt
object
valid_issuers
Array of string
string
signing_keys

Signing keys used to validate JSON Web Signature objects including signed JSON Web Tokens.

OneOf
object
object
kind
string
Valid values: [ "stored" ]
keys
object

Mapping key ids to DER-encoded public key.

property*
string (byte) additionalProperties
object
object
kind
string
Valid values: [ "fetched" ]
url
string
cache_duration
integer

Number of seconds that the service is allowed to cache the fetched keys.

OneAppCredentialVariantLdap
object (OneAppCredentialVariantLdap)
ldap
string (uuid)

LDAP credentials of an App used for authentication.

OneAppCredentialVariantAwsIam
object (OneAppCredentialVariantAwsIam)
awsiam
object
OneAppCredentialVariantAwsXks
object (OneAppCredentialVariantAwsXks)
awsxks
object
access_key_id
string
secret_key
string
OneAppCredentialVariantGoogleWorkspaceCse
object (OneAppCredentialVariantGoogleWorkspaceCse)
googleworkspacecse
object
previous_credential
object
credential
OneOf
AppCredentialVariantAll
object (AppCredentialVariantAll)
all
Array of object (OneAppCredential)

App authentication mechanisms.

OneOf
OneAppCredentialVariantSecret
object (OneAppCredentialVariantSecret)
secret
string

Authenticating credentials of an App.

OneAppCredentialVariantCertificate
object (OneAppCredentialVariantCertificate)
certificate
string (byte)

PKI Certificate based authentication.

OneAppCredentialVariantTrustedCa
object (OneAppCredentialVariantTrustedCa)
trustedca
ca_certificate
string (byte)
check_revocation
boolean | null

When true, revocation status of certificates is checked, and revoked certificates are rejected.

OneOf
TrustAnchorSubjectVariantSubject
object (TrustAnchorSubjectVariantSubject)
subject
Array of array
Array of string
Min items: 2
Max items: 2
string
TrustAnchorSubjectVariantSubjectGeneral
object (TrustAnchorSubjectVariantSubjectGeneral)
subject_general
OneOf
SubjectGeneralVariantDirectoryName
object (SubjectGeneralVariantDirectoryName)
directory_name
Array of array
Array of string
Min items: 2
Max items: 2
string
SubjectGeneralVariantDnsName
object (SubjectGeneralVariantDnsName)
dns_name
string
SubjectGeneralVariantIpAddress
object (SubjectGeneralVariantIpAddress)
ip_address
OneOf
string (ipv4)
string
string (ipv6)
string
OneAppCredentialVariantGoogleServiceAccount
object (OneAppCredentialVariantGoogleServiceAccount)
googleserviceaccount
object
access_reason_policy
object
allow
Array of string (GoogleAccessReason)

Set of allowed Google Access reasons.

string

An access reason provided by Google when making EKMS API calls.

Valid values: [ "REASON_UNSPECIFIED", "CUSTOMER_INITIATED_SUPPORT", "GOOGLE_INITIATED_SERVICE", "THIRD_PARTY_DATA_REQUEST", "GOOGLE_INITIATED_REVIEW", "CUSTOMER_INITIATED_ACCESS", "GOOGLE_INITIATED_SYSTEM_OPERATION", "REASON_NOT_EXPECTED", "MODIFIED_CUSTOMER_INITIATED_ACCESS", "MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION", "GOOGLE_RESPONSE_TO_PRODUCTION_ALERT", "CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING" ]
allow_missing_reason
boolean

Accept incoming requests which do not specify any access reasons.

groups
object | null

Mapping for all groups an application is part of and the GCP-specific permissions it has within each of those groups.

property*
Array of string (GcpAppPermissions) additionalProperties
string

CRYPTO_SPACE_GET_INFO:

CRYPTO_SPACE_GET_PUBLIC_KEY:

Valid values: [ "CRYPTO_SPACE_GET_INFO", "CRYPTO_SPACE_GET_PUBLIC_KEY" ]
OneAppCredentialVariantSignedJwt
object (OneAppCredentialVariantSignedJwt)
signedjwt
object
valid_issuers
Array of string
string
signing_keys

Signing keys used to validate JSON Web Signature objects including signed JSON Web Tokens.

OneOf
object
object
kind
string
Valid values: [ "stored" ]
keys
object

Mapping key ids to DER-encoded public key.

property*
string (byte) additionalProperties
object
object
kind
string
Valid values: [ "fetched" ]
url
string
cache_duration
integer

Number of seconds that the service is allowed to cache the fetched keys.

OneAppCredentialVariantLdap
object (OneAppCredentialVariantLdap)
ldap
string (uuid)

LDAP credentials of an App used for authentication.

OneAppCredentialVariantAwsIam
object (OneAppCredentialVariantAwsIam)
awsiam
object
OneAppCredentialVariantAwsXks
object (OneAppCredentialVariantAwsXks)
awsxks
object
access_key_id
string
secret_key
string
OneAppCredentialVariantGoogleWorkspaceCse
object (OneAppCredentialVariantGoogleWorkspaceCse)
googleworkspacecse
object
object
OneOf
OneAppCredentialVariantSecret
object (OneAppCredentialVariantSecret)
secret
string

Authenticating credentials of an App.

OneAppCredentialVariantCertificate
object (OneAppCredentialVariantCertificate)
certificate
string (byte)

PKI Certificate based authentication.

OneAppCredentialVariantTrustedCa
object (OneAppCredentialVariantTrustedCa)
trustedca
ca_certificate
string (byte)
check_revocation
boolean | null

When true, revocation status of certificates is checked, and revoked certificates are rejected.

OneOf
TrustAnchorSubjectVariantSubject
object (TrustAnchorSubjectVariantSubject)
subject
Array of array
Array of string
Min items: 2
Max items: 2
string
TrustAnchorSubjectVariantSubjectGeneral
object (TrustAnchorSubjectVariantSubjectGeneral)
subject_general
OneOf
SubjectGeneralVariantDirectoryName
object (SubjectGeneralVariantDirectoryName)
directory_name
Array of array
Array of string
Min items: 2
Max items: 2
string
SubjectGeneralVariantDnsName
object (SubjectGeneralVariantDnsName)
dns_name
string
SubjectGeneralVariantIpAddress
object (SubjectGeneralVariantIpAddress)
ip_address
OneOf
string (ipv4)
string
string (ipv6)
string
OneAppCredentialVariantGoogleServiceAccount
object (OneAppCredentialVariantGoogleServiceAccount)
googleserviceaccount
object
access_reason_policy
object
allow
Array of string (GoogleAccessReason)

Set of allowed Google Access reasons.

string

An access reason provided by Google when making EKMS API calls.

Valid values: [ "REASON_UNSPECIFIED", "CUSTOMER_INITIATED_SUPPORT", "GOOGLE_INITIATED_SERVICE", "THIRD_PARTY_DATA_REQUEST", "GOOGLE_INITIATED_REVIEW", "CUSTOMER_INITIATED_ACCESS", "GOOGLE_INITIATED_SYSTEM_OPERATION", "REASON_NOT_EXPECTED", "MODIFIED_CUSTOMER_INITIATED_ACCESS", "MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION", "GOOGLE_RESPONSE_TO_PRODUCTION_ALERT", "CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING" ]
allow_missing_reason
boolean

Accept incoming requests which do not specify any access reasons.

groups
object | null

Mapping for all groups an application is part of and the GCP-specific permissions it has within each of those groups.

property*
Array of string (GcpAppPermissions) additionalProperties
string

CRYPTO_SPACE_GET_INFO:

CRYPTO_SPACE_GET_PUBLIC_KEY:

Valid values: [ "CRYPTO_SPACE_GET_INFO", "CRYPTO_SPACE_GET_PUBLIC_KEY" ]
OneAppCredentialVariantSignedJwt
object (OneAppCredentialVariantSignedJwt)
signedjwt
object
valid_issuers
Array of string
string
signing_keys

Signing keys used to validate JSON Web Signature objects including signed JSON Web Tokens.

OneOf
object
object
kind
string
Valid values: [ "stored" ]
keys
object

Mapping key ids to DER-encoded public key.

property*
string (byte) additionalProperties
object
object
kind
string
Valid values: [ "fetched" ]
url
string
cache_duration
integer

Number of seconds that the service is allowed to cache the fetched keys.

OneAppCredentialVariantLdap
object (OneAppCredentialVariantLdap)
ldap
string (uuid)

LDAP credentials of an App used for authentication.

OneAppCredentialVariantAwsIam
object (OneAppCredentialVariantAwsIam)
awsiam
object
OneAppCredentialVariantAwsXks
object (OneAppCredentialVariantAwsXks)
awsxks
object
access_key_id
string
secret_key
string
OneAppCredentialVariantGoogleWorkspaceCse
object (OneAppCredentialVariantGoogleWorkspaceCse)
googleworkspacecse
object
valid_until
string

Validity period of the App credentials.

Pattern: ^\d{4}\d{2}\d{2}T\d{2}\d{2}\d{2}Z$
Example: 20170509T070912Z
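
Because this response returns live authentication material, a client that logs or audits it should mask the secret-bearing fields first. The following is an added example, not code from this API's documentation or vendor: it redacts a response shaped like the schema above, lists the authentication mechanisms present, and parses `valid_until` with the documented pattern. The sample response, the choice of `secret` and `secret_key` as the sensitive fields, and the reading of `valid_until` as a UTC expiry for `previous_credential` are assumptions.

```python
import json
from datetime import datetime, timezone

# Assumption: these are the fields of the schema above that carry secret material.
SENSITIVE = {"secret", "secret_key"}

# Constructed sample response; every value is a placeholder.
SAMPLE = json.loads("""{
  "app_id": "00000000-0000-0000-0000-000000000000",
  "credential": {"all": [
    {"secret": "constructed-secret"},
    {"awsxks": {"access_key_id": "EXAMPLEKEYID", "secret_key": "constructed-key"}}
  ]},
  "previous_credential": {
    "credential": {"secret": "constructed-old-secret"},
    "valid_until": "20170509T070912Z"
  }
}""")

def redact(value, key=None):
    """Copy a response object, masking string fields listed in SENSITIVE."""
    if isinstance(value, dict):
        return {k: redact(v, k) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if key in SENSITIVE and isinstance(value, str):
        return "<redacted>"
    return value

def mechanisms(credential):
    """Variant names in a `credential`, for both the `all` array and the single form."""
    items = credential["all"] if "all" in credential else [credential]
    return sorted(name for item in items for name in item)

def previous_still_valid(response, now):
    """True while `previous_credential.valid_until` (UTC) lies after `now`."""
    previous = response.get("previous_credential")
    if not previous:
        return False
    until = datetime.strptime(previous["valid_until"], "%Y%m%dT%H%M%SZ")
    return now < until.replace(tzinfo=timezone.utc)

if __name__ == "__main__":
    print(mechanisms(SAMPLE["credential"]))
    print(json.dumps(redact(SAMPLE), indent=2))
    print(previous_still_valid(SAMPLE, datetime.now(timezone.utc)))
```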