Get details of all apps accessible to requester.

  • Published on Jul 22, 2025
  • 12 minute(s) read
Prev Next
Get
/sys/v1/apps

Get details of all apps accessible to requester.

Security
HTTP
Type bearer
API Key: apiKeyAuth
Header parameter nameAuthorization
Query parameters
ListAppsParams
group_id
string (uuid)

Group for which the associated apps should be retrived.

limit
integer

Maximum number of apps to return. Default limit is 1001.

offset
integer

Number of apps to skip from the beginning/start.

group_permissions
boolean

Flag specifying if group permissions should be returned with the apps.

role
string

App's role.

Valid values[ "admin", "crypto" ]
filter
string

User specified filter.

The following fields can be referenced in the filter:

  • name
  • app_type
  • created_at
  • auth_type
  • description
  • enabled
  • interface
continuation_token
string

Continuation token to continue getting results. It must be the same token returned from the backend from a previous call, or empty.

Existence of this query parameter controls the response (and the backend behavior):

  • If specified (including an empty value), the backend returns metadata alongside the collection of apps. The metadata will potentially contain a fresh continuation_token.

Note: If there is a limit specified in the request and DSM returns limit-many items in the response, it will still include a fresh continuation token if there are more items in the collection. Additionally, unlike other query parameters, limit is not required to remain unchanged in a chain of requests with coninutation_tokens.

  • If omitted, the backend returns just a collection of apps with no metadata.
OneOf
AppSortVariantByAppId
object (AppSortVariantByAppId)
sort
string Required
Pattern^app_id:(?:asc|desc)$
Exampleapp_id:asc
start
string (uuid)

Starting from a particular app_id.

AppSortVariantByAppName
object (AppSortVariantByAppName)
sort
string Required
Pattern^app_name:(?:asc|desc)$
Exampleapp_name:asc
start
string

Starting from a particular app_name.

Max length4096
Pattern^[^\n]*[^\s\n][^\n]*$
Responses
2XX

Success result

The response of the get all apps API

OneOf
object
object
items
Array of object (App)

The list of apps satisfying the request

object
account_membership
object
roles
Array of object (AppAccountRoleDescriptor)
OneOf
object
object
$type
string
Valid values[ "SystemDefined" ]
value
string
Valid values[ "AccountAdministrator", "AccountMember", "AccountAuditor" ]
object
object
$type
string
Valid values[ "Custom" ]
value
string (uuid)
acct_id
string (uuid)

The id of the Account that this application belongs to.

app_id
string (uuid)

Unique id to identify the application.

app_type
string

The user-defined type of this application.

cert_not_after
string

Certificate expiration date.

Pattern^\d{4}\d{2}\d{2}T\d{2}\d{2}\d{2}Z$
Example20170509T070912Z
client_configurations
object
common
object
retry_timeout_millis
integer | null
cache_ttl
integer | null
log
object
system
boolean | null
file
OneOf
object
object
mode
string
Valid values[ "enabled" ]
path
string | null
file_size_kb
integer | null
max_files
integer | null
Minimum0
Maximum4294967295
object
object
mode
string
Valid values[ "disabled" ]
level
string | null
h2_num_connections
integer | null
quorum_approval
object
wait_for_quorum_approval
object
enabled
boolean

Indicates whether waiting for quorum approval is activated or disabled

poll_interval_secs
integer | null

Time interval in seconds for client lib to check quorum status.

max_wait_for_secs
integer | null

Maximum time in seconds for client lib to wait for quorum reply.

pkcs11
object
fake_rsa_x9_31_keygen_support
boolean | null
signing_aes_key_as_hmac
boolean | null
exact_key_ops
boolean | null
prevent_duplicate_opaque_objects
boolean | null
opaque_objects_are_not_certificates
boolean | null
max_concurrent_requests_per_slot
integer | null
kmip
object
ignore_unknown_key_ops_for_secrets
boolean | null

Use ignore_unknown_key_ops_for with [SECRET] instead of `ignore_unknown_key_ops_for_secrets``

ignore_unknown_key_ops_for
OneOf
object
object
$type
string
Valid values[ "All" ]
object
object
$type
string
Valid values[ "Selection" ]
selection
Array of string (ObjectType)
string

Type of security object.

Valid values[ "AES", "ARIA", "DES", "DES3", "SEED", "RSA", "DSA", "EC", "KCDSA", "ECKCDSA", "BIP32", "BLS", "OPAQUE", "HMAC", "LEDABETA", "ROUND5BETA", "SECRET", "LMS", "XMSS", "MLDSA", "MLDSABETA", "MLKEM", "MLKEMBETA", "CERTIFICATE", "PBE" ]
key_ops_override
object
add_key_ops
Array of string (KeyOperations) | null

The operations to add to any key creation request (only supported in KMIP).

The following operations can be specified:

  • EXPORT
  • APPMANAGEABLE
  • HIGHVOLUME

The operations specified cannot conflict with what's specified in the key_ops field of account and/or group policies (where applicable).

Note: This is only enforced on (KMIP) creation requests since we assume updates removing key operations are intentional.

string

Operations allowed to be performed on a given key.

SIGN: If this is set, the key can be used to for signing.

VERIFY: If this is set, the key can used for verifying a signature.

ENCRYPT: If this is set, the key can be used for encryption.

DECRYPT: If this is set, the key can be used for decryption.

WRAPKEY: If this is set, the key can be used wrapping other keys. The key being wrapped must have the EXPORT operation enabled.

UNWRAPKEY: If this is set, the key can be used to unwrap a wrapped key.

DERIVEKEY: If this is set, the key can be used to derive another key.

TRANSFORM: If this is set, the key can be transformed.

MACGENERATE: If this is set, the key can be used to compute a cryptographic Message Authentication Code (MAC) on a message.

MACVERIFY: If they is set, the key can be used to verify a MAC.

EXPORT: If this is set, the value of the key can be retrieved with an authenticated request. This shouldn't be set unless required. It is more secure to keep the key's value inside DSM only.

APPMANAGEABLE: Without this operation, management operations like delete, destroy, rotate, activate, restore, revoke, revert, update, remove_private, etc. cannot be performed by a crypto App. A user with access or admin app can still perform these operations. This option is only relevant for crypto apps.

HIGHVOLUME: If this is set, audit logs will not be recorded for the key. High volume here tries to signify a key that is being used a lot and will produce lots of logs. Setting this operation disables audit logs for the key.

AGREEKEY: If this is set, the key can be used for key agreement. Both the private and public key should have this option enabled to perform an agree operation.

ENCAPSULATE: If this is set, the key can be used for key encapsulation. The result is a new symmetric key and a ciphertext.

DECAPSULATE: If this is set, the key can be used for key decapsulation. If decapsulation succeeds, the result is a new symmetric key.

Valid values[ "SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "DERIVEKEY", "TRANSFORM", "MACGENERATE", "MACVERIFY", "EXPORT", "APPMANAGEABLE", "HIGHVOLUME", "AGREEKEY", "ENCAPSULATE", "DECAPSULATE" ]
tep
object
schema
OneOf
object
object
$type
string
Valid values[ "OpenAPI" ]
openapi
string
key_map
Array of object
object
path
object
api_path
string
method
string
context
string
Valid values[ "request", "response" ]
key_path
string
kid
string (uuid)
mode
string

Cipher mode used for symmetric key algorithms.

Valid values[ "ECB", "CBC", "CBCNOPAD", "CFB", "OFB", "CTR", "GCM", "CCM", "KW", "KWP", "FF1" ]
created_at
string

Timestamp when the application was created.

Pattern^\d{4}\d{2}\d{2}T\d{2}\d{2}\d{2}Z$
Example20170509T070912Z
creator

A security principal.

OneOf
PrincipalVariantApp
object (PrincipalVariantApp)
app
string (uuid)
PrincipalVariantUser
object (PrincipalVariantUser)
user
string (uuid)
PrincipalVariantPlugin
object (PrincipalVariantPlugin)
plugin
string (uuid)
PrincipalVariantUserViaApp
object (PrincipalVariantUserViaApp)
userviaapp
object
user_id
string (uuid)
scopes
Array of string (OauthScope)
string

OAuth scope.

Valid values[ "app", "openid", "email", "profile" ]
string
string
Valid values[ "system" ]
string
string
Valid values[ "unregistereduser" ]
default_group
string (uuid) | null

The default group an application belongs to.

description
string | null

Description of this application.

enabled
boolean

Whether this application is enabled.

groups
OneOf
object
object
property*
Array of string (AppPermissions) additionalProperties
string

Operations allowed to be performed by an app.

SIGN:

VERIFY:

ENCRYPT:

DECRYPT:

WRAPKEY:

UNWRAPKEY:

DERIVEKEY:

MACGENERATE:

MACVERIFY:

EXPORT:

MANAGE:

AGREEKEY:

MASKDECRYPT:

AUDIT:

TRANSFORM:

CREATE_SOBJECTS:

COPY_SOBJECTS:

ROTATE_SOBJECTS:

ACTIVATE_SOBJECTS:

REVOKE_SOBJECTS:

REVERT_SOBJECTS:

MOVE_SOBJECTS:

UPDATE_SOBJECTS_PROFILE:

UPDATE_SOBJECTS_ENABLED_STATE:

UPDATE_SOBJECT_POLICIES:

UPDATE_KEY_OPS:

DELETE_KEY_MATERIAL:

DELETE_SOBJECTS:

DESTROY_SOBJECTS:

RESTORE_EXTERNAL_SOBJECTS:

CALCULATE_DIGEST:

ENCAPSULATE:

DECAPSULATE:

Valid values[ "SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "DERIVEKEY", "MACGENERATE", "MACVERIFY", "EXPORT", "MANAGE", "AGREEKEY", "MASKDECRYPT", "AUDIT", "TRANSFORM", "CREATE_SOBJECTS", "COPY_SOBJECTS", "ROTATE_SOBJECTS", "ACTIVATE_SOBJECTS", "REVOKE_SOBJECTS", "REVERT_SOBJECTS", "MOVE_SOBJECTS", "UPDATE_SOBJECTS_PROFILE", "UPDATE_SOBJECTS_ENABLED_STATE", "UPDATE_SOBJECT_POLICIES", "UPDATE_KEY_OPS", "DELETE_KEY_MATERIAL", "DELETE_SOBJECTS", "DESTROY_SOBJECTS", "RESTORE_EXTERNAL_SOBJECTS", "CALCULATE_DIGEST", "ENCAPSULATE", "DECAPSULATE" ]
array
array
string (uuid)
interface
string | null

Interface used with this application (PKCS11, CNG, JCE, KMIP, etc).

ip_address_policy

The IPs that are allowed for an application. ipv4 or ipv6 both are acceptable types.

OneOf
string
string
Valid values[ "allow_all" ]
IpAddressPolicyVariantWhitelist
object (IpAddressPolicyVariantWhitelist)
whitelist
Array of string
string
last_operations
object
generic
integer | null
tokenization
integer | null
tep
integer | null
accelerator
integer | null
secrets_management
integer | null
lastused_at
string

Timestamp when the application was most recently used.

Pattern^\d{4}\d{2}\d{2}T\d{2}\d{2}\d{2}Z$
Example20170509T070912Z
legacy_access
boolean

If a requester is updating an App or retrieving its credentials, they must have the relevant permissions in all Groups that App has access to. But for legacy Apps, requester is required to have relevant permissions in any of the groups that App has access to.

name
string

Name of this application, which must be unique within an account.

Max length4096
Pattern^[^\n]*[^\s\n][^\n]*$
oauth_config

OAuth settings for an app. If enabled, an app can request to act on behalf of a user.

OneOf
object
object
state
string
Valid values[ "enabled" ]
redirect_uris
Array of string
string
object
object
state
string
Valid values[ "disabled" ]
role
string

App's role.

Valid values[ "admin", "crypto" ]
auth_type
OneOf
string
string
Valid values[ "All" ]
string
string
Valid values[ "Secret", "GoogleServiceAccount", "SignedJwt", "Ldap", "AwsIam", "AwsXks", "GoogleWorkspaceCSE", "Certificate", "TrustedCa" ]
auth_type_all
Array of string (OneAppAuthType) | null

If auth_type is all, this field will include the list of individual auth types for the app

string

Authentication method of an app.

Valid values[ "Secret", "GoogleServiceAccount", "SignedJwt", "Ldap", "AwsIam", "AwsXks", "GoogleWorkspaceCSE", "Certificate", "TrustedCa" ]
metadata
object
continuation_token
string | null

Continuation token to continue getting results. If the response contains a continuation_token, the results returned are partial. In that case, the client can make the same request with this continuation token to continue getting results.

count
integer

Count of the items in the collection matching the request

count_accuracy

An indicator of how accurate a count of objects is.

OneOf
object
object
$type
string
Valid values[ "Exact" ]
object
object
$type
string
Valid values[ "Approximate" ]
App
array (App)
object
account_membership
object
roles
Array of object (AppAccountRoleDescriptor)
OneOf
object
object
$type
string
Valid values[ "SystemDefined" ]
value
string
Valid values[ "AccountAdministrator", "AccountMember", "AccountAuditor" ]
object
object
$type
string
Valid values[ "Custom" ]
value
string (uuid)
acct_id
string (uuid)

The id of the Account that this application belongs to.

app_id
string (uuid)

Unique id to identify the application.

app_type
string

The user-defined type of this application.

cert_not_after
string

Certificate expiration date.

Pattern^\d{4}\d{2}\d{2}T\d{2}\d{2}\d{2}Z$
Example20170509T070912Z
client_configurations
object
common
object
retry_timeout_millis
integer | null
cache_ttl
integer | null
log
object
system
boolean | null
file
OneOf
object
object
mode
string
Valid values[ "enabled" ]
path
string | null
file_size_kb
integer | null
max_files
integer | null
Minimum0
Maximum4294967295
object
object
mode
string
Valid values[ "disabled" ]
level
string | null
h2_num_connections
integer | null
quorum_approval
object
wait_for_quorum_approval
object
enabled
boolean

Indicates whether waiting for quorum approval is activated or disabled

poll_interval_secs
integer | null

Time interval in seconds for client lib to check quorum status.

max_wait_for_secs
integer | null

Maximum time in seconds for client lib to wait for quorum reply.

pkcs11
object
fake_rsa_x9_31_keygen_support
boolean | null
signing_aes_key_as_hmac
boolean | null
exact_key_ops
boolean | null
prevent_duplicate_opaque_objects
boolean | null
opaque_objects_are_not_certificates
boolean | null
max_concurrent_requests_per_slot
integer | null
kmip
object
ignore_unknown_key_ops_for_secrets
boolean | null

Use ignore_unknown_key_ops_for with [SECRET] instead of `ignore_unknown_key_ops_for_secrets``

ignore_unknown_key_ops_for
OneOf
object
object
$type
string
Valid values[ "All" ]
object
object
$type
string
Valid values[ "Selection" ]
selection
Array of string (ObjectType)
string

Type of security object.

Valid values[ "AES", "ARIA", "DES", "DES3", "SEED", "RSA", "DSA", "EC", "KCDSA", "ECKCDSA", "BIP32", "BLS", "OPAQUE", "HMAC", "LEDABETA", "ROUND5BETA", "SECRET", "LMS", "XMSS", "MLDSA", "MLDSABETA", "MLKEM", "MLKEMBETA", "CERTIFICATE", "PBE" ]
key_ops_override
object
add_key_ops
Array of string (KeyOperations) | null

The operations to add to any key creation request (only supported in KMIP).

The following operations can be specified:

  • EXPORT
  • APPMANAGEABLE
  • HIGHVOLUME

The operations specified cannot conflict with what's specified in the key_ops field of account and/or group policies (where applicable).

Note: This is only enforced on (KMIP) creation requests since we assume updates removing key operations are intentional.

string

Operations allowed to be performed on a given key.

SIGN: If this is set, the key can be used to for signing.

VERIFY: If this is set, the key can used for verifying a signature.

ENCRYPT: If this is set, the key can be used for encryption.

DECRYPT: If this is set, the key can be used for decryption.

WRAPKEY: If this is set, the key can be used wrapping other keys. The key being wrapped must have the EXPORT operation enabled.

UNWRAPKEY: If this is set, the key can be used to unwrap a wrapped key.

DERIVEKEY: If this is set, the key can be used to derive another key.

TRANSFORM: If this is set, the key can be transformed.

MACGENERATE: If this is set, the key can be used to compute a cryptographic Message Authentication Code (MAC) on a message.

MACVERIFY: If they is set, the key can be used to verify a MAC.

EXPORT: If this is set, the value of the key can be retrieved with an authenticated request. This shouldn't be set unless required. It is more secure to keep the key's value inside DSM only.

APPMANAGEABLE: Without this operation, management operations like delete, destroy, rotate, activate, restore, revoke, revert, update, remove_private, etc. cannot be performed by a crypto App. A user with access or admin app can still perform these operations. This option is only relevant for crypto apps.

HIGHVOLUME: If this is set, audit logs will not be recorded for the key. High volume here tries to signify a key that is being used a lot and will produce lots of logs. Setting this operation disables audit logs for the key.

AGREEKEY: If this is set, the key can be used for key agreement. Both the private and public key should have this option enabled to perform an agree operation.

ENCAPSULATE: If this is set, the key can be used for key encapsulation. The result is a new symmetric key and a ciphertext.

DECAPSULATE: If this is set, the key can be used for key decapsulation. If decapsulation succeeds, the result is a new symmetric key.

Valid values[ "SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "DERIVEKEY", "TRANSFORM", "MACGENERATE", "MACVERIFY", "EXPORT", "APPMANAGEABLE", "HIGHVOLUME", "AGREEKEY", "ENCAPSULATE", "DECAPSULATE" ]
tep
object
schema
OneOf
object
object
$type
string
Valid values[ "OpenAPI" ]
openapi
string
key_map
Array of object
object
path
object
api_path
string
method
string
context
string
Valid values[ "request", "response" ]
key_path
string
kid
string (uuid)
mode
string

Cipher mode used for symmetric key algorithms.

Valid values[ "ECB", "CBC", "CBCNOPAD", "CFB", "OFB", "CTR", "GCM", "CCM", "KW", "KWP", "FF1" ]
created_at
string

Timestamp when the application was created.

Pattern^\d{4}\d{2}\d{2}T\d{2}\d{2}\d{2}Z$
Example20170509T070912Z
creator

A security principal.

OneOf
PrincipalVariantApp
object (PrincipalVariantApp)
app
string (uuid)
PrincipalVariantUser
object (PrincipalVariantUser)
user
string (uuid)
PrincipalVariantPlugin
object (PrincipalVariantPlugin)
plugin
string (uuid)
PrincipalVariantUserViaApp
object (PrincipalVariantUserViaApp)
userviaapp
object
user_id
string (uuid)
scopes
Array of string (OauthScope)
string

OAuth scope.

Valid values[ "app", "openid", "email", "profile" ]
string
string
Valid values[ "system" ]
string
string
Valid values[ "unregistereduser" ]
default_group
string (uuid) | null

The default group an application belongs to.

description
string | null

Description of this application.

enabled
boolean

Whether this application is enabled.

groups
OneOf
object
object
property*
Array of string (AppPermissions) additionalProperties
string

Operations allowed to be performed by an app.

SIGN:

VERIFY:

ENCRYPT:

DECRYPT:

WRAPKEY:

UNWRAPKEY:

DERIVEKEY:

MACGENERATE:

MACVERIFY:

EXPORT:

MANAGE:

AGREEKEY:

MASKDECRYPT:

AUDIT:

TRANSFORM:

CREATE_SOBJECTS:

COPY_SOBJECTS:

ROTATE_SOBJECTS:

ACTIVATE_SOBJECTS:

REVOKE_SOBJECTS:

REVERT_SOBJECTS:

MOVE_SOBJECTS:

UPDATE_SOBJECTS_PROFILE:

UPDATE_SOBJECTS_ENABLED_STATE:

UPDATE_SOBJECT_POLICIES:

UPDATE_KEY_OPS:

DELETE_KEY_MATERIAL:

DELETE_SOBJECTS:

DESTROY_SOBJECTS:

RESTORE_EXTERNAL_SOBJECTS:

CALCULATE_DIGEST:

ENCAPSULATE:

DECAPSULATE:

Valid values[ "SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "DERIVEKEY", "MACGENERATE", "MACVERIFY", "EXPORT", "MANAGE", "AGREEKEY", "MASKDECRYPT", "AUDIT", "TRANSFORM", "CREATE_SOBJECTS", "COPY_SOBJECTS", "ROTATE_SOBJECTS", "ACTIVATE_SOBJECTS", "REVOKE_SOBJECTS", "REVERT_SOBJECTS", "MOVE_SOBJECTS", "UPDATE_SOBJECTS_PROFILE", "UPDATE_SOBJECTS_ENABLED_STATE", "UPDATE_SOBJECT_POLICIES", "UPDATE_KEY_OPS", "DELETE_KEY_MATERIAL", "DELETE_SOBJECTS", "DESTROY_SOBJECTS", "RESTORE_EXTERNAL_SOBJECTS", "CALCULATE_DIGEST", "ENCAPSULATE", "DECAPSULATE" ]
array
array
string (uuid)
interface
string | null

Interface used with this application (PKCS11, CNG, JCE, KMIP, etc).

ip_address_policy

The IPs that are allowed for an application. ipv4 or ipv6 both are acceptable types.

OneOf
string
string
Valid values[ "allow_all" ]
IpAddressPolicyVariantWhitelist
object (IpAddressPolicyVariantWhitelist)
whitelist
Array of string
string
last_operations
object
generic
integer | null
tokenization
integer | null
tep
integer | null
accelerator
integer | null
secrets_management
integer | null
lastused_at
string

Timestamp when the application was most recently used.

Pattern^\d{4}\d{2}\d{2}T\d{2}\d{2}\d{2}Z$
Example20170509T070912Z
legacy_access
boolean

If a requester is updating an App or retrieving its credentials, they must have the relevant permissions in all Groups that App has access to. But for legacy Apps, requester is required to have relevant permissions in any of the groups that App has access to.

name
string

Name of this application, which must be unique within an account.

Max length4096
Pattern^[^\n]*[^\s\n][^\n]*$
oauth_config

OAuth settings for an app. If enabled, an app can request to act on behalf of a user.

OneOf
object
object
state
string
Valid values[ "enabled" ]
redirect_uris
Array of string
string
object
object
state
string
Valid values[ "disabled" ]
role
string

App's role.

Valid values[ "admin", "crypto" ]
auth_type
OneOf
string
string
Valid values[ "All" ]
string
string
Valid values[ "Secret", "GoogleServiceAccount", "SignedJwt", "Ldap", "AwsIam", "AwsXks", "GoogleWorkspaceCSE", "Certificate", "TrustedCa" ]
auth_type_all
Array of string (OneAppAuthType) | null

If auth_type is all, this field will include the list of individual auth types for the app

string

Authentication method of an app.

Valid values[ "Secret", "GoogleServiceAccount", "SignedJwt", "Ldap", "AwsIam", "AwsXks", "GoogleWorkspaceCSE", "Certificate", "TrustedCa" ]