Get configurations for various clients. This API can only be called by apps.

GET /sys/v1/apps/client_configs

Client configurations can be set at account level, group level or app level. Client config set on the app itself overrides config set at group level, and group level config in turn overrides account level config. This API returns the combined client config that results from applying these overrides.

Security
HTTP
Type: bearer
API Key: apiKeyAuth
Header parameter name: Authorization
Responses
2XX

Success result

object
common
object
retry_timeout_millis
integer | null
cache_ttl
integer | null
log
object
system
boolean | null
file
OneOf
object
object
mode
string
Valid values: [ "enabled" ]
path
string | null
file_size_kb
integer | null
max_files
integer | null
Minimum: 0
Maximum: 4294967295
object
object
mode
string
Valid values: [ "disabled" ]
level
string | null
h2_num_connections
integer | null
quorum_approval
object
wait_for_quorum_approval
object
enabled
boolean

Indicates whether waiting for quorum approval is enabled or disabled.

poll_interval_secs
integer | null

Time interval in seconds for client lib to check quorum status.

max_wait_for_secs
integer | null

Maximum time in seconds for client lib to wait for quorum reply.

pkcs11
object
fake_rsa_x9_31_keygen_support
boolean | null
signing_aes_key_as_hmac
boolean | null
exact_key_ops
boolean | null
prevent_duplicate_opaque_objects
boolean | null
opaque_objects_are_not_certificates
boolean | null
max_concurrent_requests_per_slot
integer | null
kmip
object
ignore_unknown_key_ops_for_secrets
boolean | null

Use `ignore_unknown_key_ops_for` with [SECRET] instead of `ignore_unknown_key_ops_for_secrets`.

ignore_unknown_key_ops_for
OneOf
object
object
$type
string
Valid values: [ "All" ]
object
object
$type
string
Valid values: [ "Selection" ]
selection
Array of string (ObjectType)
string

Type of security object.

Valid values: [ "AES", "ARIA", "DES", "DES3", "SEED", "RSA", "DSA", "EC", "KCDSA", "ECKCDSA", "BIP32", "BLS", "OPAQUE", "HMAC", "LEDABETA", "ROUND5BETA", "SECRET", "LMS", "XMSS", "MLDSA", "MLDSABETA", "MLKEM", "MLKEMBETA", "CERTIFICATE", "PBE" ]
key_ops_override
object
add_key_ops
Array of string (KeyOperations) | null

The operations to add to any key creation request (only supported in KMIP).

The following operations can be specified:

  • EXPORT
  • APPMANAGEABLE
  • HIGHVOLUME

The operations specified cannot conflict with what's specified in the key_ops field of account and/or group policies (where applicable).

Note: This is only enforced on (KMIP) creation requests since we assume updates removing key operations are intentional.

string

Operations allowed to be performed on a given key.

SIGN: If this is set, the key can be used for signing.

VERIFY: If this is set, the key can be used for verifying a signature.

ENCRYPT: If this is set, the key can be used for encryption.

DECRYPT: If this is set, the key can be used for decryption.

WRAPKEY: If this is set, the key can be used for wrapping other keys. The key being wrapped must have the EXPORT operation enabled.

UNWRAPKEY: If this is set, the key can be used to unwrap a wrapped key.

DERIVEKEY: If this is set, the key can be used to derive another key.

TRANSFORM: If this is set, the key can be transformed.

MACGENERATE: If this is set, the key can be used to compute a cryptographic Message Authentication Code (MAC) on a message.

MACVERIFY: If this is set, the key can be used to verify a MAC.

EXPORT: If this is set, the value of the key can be retrieved with an authenticated request. This shouldn't be set unless required. It is more secure to keep the key's value inside DSM only.

APPMANAGEABLE: Without this operation, management operations like delete, destroy, rotate, activate, restore, revoke, revert, update, remove_private, etc. cannot be performed by a crypto app. A user with access, or an admin app, can still perform these operations. This option is only relevant for crypto apps.

HIGHVOLUME: If this is set, audit logs will not be recorded for the key. "High volume" here signifies a key that is used heavily and would produce a large number of logs. Setting this operation disables audit logs for the key.

AGREEKEY: If this is set, the key can be used for key agreement. Both the private and public key should have this option enabled to perform an agree operation.

ENCAPSULATE: If this is set, the key can be used for key encapsulation. The result is a new symmetric key and a ciphertext.

DECAPSULATE: If this is set, the key can be used for key decapsulation. If decapsulation succeeds, the result is a new symmetric key.

Valid values: [ "SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "DERIVEKEY", "TRANSFORM", "MACGENERATE", "MACVERIFY", "EXPORT", "APPMANAGEABLE", "HIGHVOLUME", "AGREEKEY", "ENCAPSULATE", "DECAPSULATE" ]
tep
object
schema
OneOf
object
object
$type
string
Valid values: [ "OpenAPI" ]
openapi
string
key_map
Array of object
object
path
object
api_path
string
method
string
context
string
Valid values: [ "request", "response" ]
key_path
string
kid
string (uuid)
mode
string

Cipher mode used for symmetric key algorithms.

Valid values: [ "ECB", "CBC", "CBCNOPAD", "CFB", "OFB", "CTR", "GCM", "CCM", "KW", "KWP", "FF1" ]
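
The `add_key_ops` override described above silently adds operations to every KMIP key creation request, so it is worth reviewing in the combined config this endpoint returns. The following is an added example, not part of the original reference: it walks a response body and reports every `add_key_ops` entry, with the effect the reference states for each operation. The function names, the sample values, and the nesting of `key_ops_override` under `kmip` are assumptions.

```python
import json

# Effects as stated in the key operation descriptions of this reference.
RISK_NOTES = {
    "EXPORT": "key value can be retrieved with an authenticated request",
    "HIGHVOLUME": "audit logs are not recorded for the key",
    "APPMANAGEABLE": "crypto apps may perform management operations on the key",
}

def find_add_key_ops(node, path=""):
    """Yield (json_path, ops) for every add_key_ops array in the config."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "add_key_ops" and isinstance(value, list):
                yield child, value
            else:
                yield from find_add_key_ops(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_add_key_ops(item, f"{path}[{i}]")

def audit_client_config(config):
    """Return sorted findings as (json_path, operation, note) tuples."""
    findings = []
    for path, ops in find_add_key_ops(config):
        for op in ops:
            if op in RISK_NOTES:
                findings.append((path, op, RISK_NOTES[op]))
    return sorted(findings)

# Constructed sample response; placing key_ops_override under "kmip" is assumed.
SAMPLE_RESPONSE = json.loads("""
{
  "common": {"retry_timeout_millis": 3000, "cache_ttl": null},
  "pkcs11": {"exact_key_ops": true},
  "kmip": {
    "ignore_unknown_key_ops_for": {"$type": "Selection", "selection": ["SECRET"]},
    "key_ops_override": {"add_key_ops": ["EXPORT", "HIGHVOLUME"]}
  }
}
""")

if __name__ == "__main__":
    for path, op, note in audit_client_config(SAMPLE_RESPONSE):
        print(f"{path}: {op} -> {note}")
```

Because the search is by field name rather than fixed position, the check still works if the override sits elsewhere in the returned object; a `null` `add_key_ops` produces no findings.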