Update app settings like groups, client config, etc.

Patch
/sys/v1/apps/{app_id}

Security
HTTP
Type: bearer
API Key: apiKeyAuth
Header parameter name: Authorization
Path parameters
app_id
string (uuid) Required
Query parameters
GetAppParams
object
group_permissions
boolean

Flag specifying if group permissions should be returned with the app group.

role
string

The App's role.

Body parameters
object
account_membership
object
roles
Array of object (AppAccountRoleDescriptor) Required
OneOf
object
object
$type
string Required
Valid values: [ "SystemDefined" ]
value
string Required
Valid values: [ "AccountAdministrator", "AccountMember", "AccountAuditor" ]
object
object
$type
string Required
Valid values: [ "Custom" ]
value
string (uuid) Required
add_groups
OneOf
object
object
property*
Array of string (AppPermissions) additionalProperties
string

Operations allowed to be performed by an app.

Valid values: [ "SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "DERIVEKEY", "MACGENERATE", "MACVERIFY", "EXPORT", "MANAGE", "AGREEKEY", "MASKDECRYPT", "AUDIT", "TRANSFORM", "CREATE_SOBJECTS", "COPY_SOBJECTS", "ROTATE_SOBJECTS", "ACTIVATE_SOBJECTS", "REVOKE_SOBJECTS", "REVERT_SOBJECTS", "MOVE_SOBJECTS", "UPDATE_SOBJECTS_PROFILE", "UPDATE_SOBJECTS_ENABLED_STATE", "UPDATE_SOBJECT_POLICIES", "UPDATE_KEY_OPS", "DELETE_KEY_MATERIAL", "DELETE_SOBJECTS", "DESTROY_SOBJECTS", "RESTORE_EXTERNAL_SOBJECTS", "CALCULATE_DIGEST", "ENCAPSULATE", "DECAPSULATE" ]
array
array
string (uuid)
app_type
string | null

The user-defined type of this application.

client_configurations
object
common
OneOf
string
string
Valid values: [ "remove" ]
object
object
retry_timeout_millis
integer | null
cache_ttl
integer | null
log
object
system
boolean | null
file
OneOf
object
object
mode
string Required
Valid values: [ "enabled" ]
path
string | null
file_size_kb
integer | null
max_files
integer | null
Minimum: 0
Maximum: 4294967295
object
object
mode
string Required
Valid values: [ "disabled" ]
level
string | null
h2_num_connections
integer | null
quorum_approval
object
wait_for_quorum_approval
object
enabled
boolean Required

Indicates whether waiting for quorum approval is enabled or disabled.

poll_interval_secs
integer | null

Time interval in seconds for client lib to check quorum status.

max_wait_for_secs
integer | null

Maximum time in seconds for client lib to wait for quorum reply.

pkcs11
OneOf
string
string
Valid values: [ "remove" ]
object
object
fake_rsa_x9_31_keygen_support
boolean | null
signing_aes_key_as_hmac
boolean | null
exact_key_ops
boolean | null
prevent_duplicate_opaque_objects
boolean | null
opaque_objects_are_not_certificates
boolean | null
max_concurrent_requests_per_slot
integer | null
kmip
OneOf
string
string
Valid values: [ "remove" ]
object
object
ignore_unknown_key_ops_for_secrets
boolean | null

Use `ignore_unknown_key_ops_for` with `[SECRET]` instead of `ignore_unknown_key_ops_for_secrets`.

ignore_unknown_key_ops_for
OneOf
object
object
$type
string Required
Valid values: [ "All" ]
object
object
$type
string Required
Valid values: [ "Selection" ]
selection
Array of string (ObjectType) Required
string

Type of security object.

Valid values: [ "AES", "ARIA", "DES", "DES3", "SEED", "RSA", "DSA", "EC", "KCDSA", "ECKCDSA", "BIP32", "BLS", "OPAQUE", "HMAC", "LEDABETA", "ROUND5BETA", "SECRET", "LMS", "XMSS", "MLDSA", "MLDSABETA", "MLKEM", "MLKEMBETA", "CERTIFICATE", "PBE" ]
key_ops_override
object
add_key_ops
Array of string (KeyOperations) | null

The operations to add to any key creation request (only supported in KMIP).

The following operations can be specified:

  • EXPORT
  • APPMANAGEABLE
  • HIGHVOLUME

The operations specified must not conflict with what is specified in the key_ops field of the account and/or group policies (where applicable).

Note: This is only enforced on (KMIP) creation requests since we assume updates removing key operations are intentional.

string

Operations allowed to be performed on a given key.

SIGN: If this is set, the key can be used for signing.

VERIFY: If this is set, the key can be used for verifying a signature.

ENCRYPT: If this is set, the key can be used for encryption.

DECRYPT: If this is set, the key can be used for decryption.

WRAPKEY: If this is set, the key can be used for wrapping other keys. The key being wrapped must have the EXPORT operation enabled.

UNWRAPKEY: If this is set, the key can be used to unwrap a wrapped key.

DERIVEKEY: If this is set, the key can be used to derive another key.

TRANSFORM: If this is set, the key can be transformed.

MACGENERATE: If this is set, the key can be used to compute a cryptographic Message Authentication Code (MAC) on a message.

MACVERIFY: If this is set, the key can be used to verify a MAC.

EXPORT: If this is set, the value of the key can be retrieved with an authenticated request. This shouldn't be set unless required. It is more secure to keep the key's value inside DSM only.

APPMANAGEABLE: Without this operation, management operations like delete, destroy, rotate, activate, restore, revoke, revert, update, remove_private, etc. cannot be performed by a crypto App. A user with access, or an admin app, can still perform these operations. This option is only relevant for crypto apps.

HIGHVOLUME: If this is set, audit logs will not be recorded for the key. "High volume" signifies a key that is used very frequently and would otherwise produce a large number of log entries. Setting this operation disables audit logs for the key.

AGREEKEY: If this is set, the key can be used for key agreement. Both the private and public key should have this option enabled to perform an agree operation.

ENCAPSULATE: If this is set, the key can be used for key encapsulation. The result is a new symmetric key and a ciphertext.

DECAPSULATE: If this is set, the key can be used for key decapsulation. If decapsulation succeeds, the result is a new symmetric key.

Valid values: [ "SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "DERIVEKEY", "TRANSFORM", "MACGENERATE", "MACVERIFY", "EXPORT", "APPMANAGEABLE", "HIGHVOLUME", "AGREEKEY", "ENCAPSULATE", "DECAPSULATE" ]
tep
OneOf
string
string
Valid values: [ "remove" ]
object
object
schema
OneOf
object
object
$type
string Required
Valid values: [ "OpenAPI" ]
openapi
string
key_map
Array of object Required
object
path
object Required
api_path
string Required
method
string Required
context
string Required
Valid values: [ "request", "response" ]
key_path
string Required
kid
string (uuid) Required
mode
string Required

Cipher mode used for symmetric key algorithms.

Valid values: [ "ECB", "CBC", "CBCNOPAD", "CFB", "OFB", "CTR", "GCM", "CCM", "KW", "KWP", "FF1" ]
credential
OneOf
AppCredentialRequestVariantAll
object (AppCredentialRequestVariantAll)
all
Array of object (OneAppCredentialRequest) Required

Using all, clients can specify a combination of two credentials:

  • one must be a mutual TLS credential (either certificate or trustedca),
  • the other must be a general app credential (one of secret, awsiam, signedjwt, or ldap).

Apps authenticating with this variant must present both forms of credentials, i.e., they must present a client certificate during the TLS handshake, and also present the other form of credential in the HTTP request.

OneOf
OneAppCredentialRequestVariantSecret
object (OneAppCredentialRequestVariantSecret)
secret
OneOf
string
string
object
object
size
integer | null

Size of the secret to be generated, in bytes.

Minimum: 0
Maximum: 4294967295
OneAppCredentialRequestVariantCertificate
object (OneAppCredentialRequestVariantCertificate)
certificate
string (byte) Required

PKI Certificate based authentication.

OneAppCredentialRequestVariantTrustedCa
object (OneAppCredentialRequestVariantTrustedCa)
trustedca
ca_certificate
string (byte) Required
check_revocation
boolean | null

When true, the revocation status of certificates is checked, and revoked certificates are rejected.

OneOf
TrustAnchorSubjectVariantSubject
object (TrustAnchorSubjectVariantSubject)
subject
Array of array Required
Array of string
Min items: 2
Max items: 2
string
TrustAnchorSubjectVariantSubjectGeneral
object (TrustAnchorSubjectVariantSubjectGeneral)
subject_general
OneOf
SubjectGeneralVariantDirectoryName
object (SubjectGeneralVariantDirectoryName)
directory_name
Array of array Required
Array of string
Min items: 2
Max items: 2
string
SubjectGeneralVariantDnsName
object (SubjectGeneralVariantDnsName)
dns_name
string Required
SubjectGeneralVariantIpAddress
object (SubjectGeneralVariantIpAddress)
ip_address
OneOf
string (ipv4)
string
string (ipv6)
string
OneAppCredentialRequestVariantGoogleServiceAccount
object (OneAppCredentialRequestVariantGoogleServiceAccount)
googleserviceaccount
object Required
access_reason_policy
object
allow
Array of string (GoogleAccessReason) Required

Set of allowed Google Access reasons.

string

An access reason provided by Google when making EKMS API calls.

Valid values: [ "REASON_UNSPECIFIED", "CUSTOMER_INITIATED_SUPPORT", "GOOGLE_INITIATED_SERVICE", "THIRD_PARTY_DATA_REQUEST", "GOOGLE_INITIATED_REVIEW", "CUSTOMER_INITIATED_ACCESS", "GOOGLE_INITIATED_SYSTEM_OPERATION", "REASON_NOT_EXPECTED", "MODIFIED_CUSTOMER_INITIATED_ACCESS", "MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION", "GOOGLE_RESPONSE_TO_PRODUCTION_ALERT", "CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING" ]
allow_missing_reason
boolean Required

Accept incoming requests which do not specify any access reasons.

groups
object | null

Mapping of all groups an application is part of to the GCP-specific permissions it has within each of those groups.

property*
Array of string (GcpAppPermissions) additionalProperties
string

Valid values: [ "CRYPTO_SPACE_GET_INFO", "CRYPTO_SPACE_GET_PUBLIC_KEY" ]
OneAppCredentialRequestVariantSignedJwt
object (OneAppCredentialRequestVariantSignedJwt)
signedjwt
object Required
valid_issuers
Array of string Required
string
signing_keys

Signing keys used to validate JSON Web Signature objects including signed JSON Web Tokens.

OneOf
object
object
kind
string Required
Valid values: [ "stored" ]
keys
object Required

Mapping key ids to DER-encoded public key.

property*
string (byte) additionalProperties
object
object
kind
string Required
Valid values: [ "fetched" ]
url
string Required
cache_duration
integer Required

Number of seconds that the service is allowed to cache the fetched keys.

OneAppCredentialRequestVariantLdap
object (OneAppCredentialRequestVariantLdap)
ldap
string (uuid) Required

LDAP credentials of an App used for authentication.

OneAppCredentialRequestVariantAwsIam
object (OneAppCredentialRequestVariantAwsIam)
awsiam
object Required
OneAppCredentialRequestVariantAwsXks
object (OneAppCredentialRequestVariantAwsXks)
awsxks
object Required
access_key_id
string | null
secret_key
string
OneAppCredentialRequestVariantGoogleWorkspaceCse
object (OneAppCredentialRequestVariantGoogleWorkspaceCse)
googleworkspacecse
object Required
object
OneOf
OneAppCredentialRequestVariantSecret
object (OneAppCredentialRequestVariantSecret)
secret
OneOf
string
string
object
object
size
integer | null

Size of the secret to be generated, in bytes.

Minimum: 0
Maximum: 4294967295
OneAppCredentialRequestVariantCertificate
object (OneAppCredentialRequestVariantCertificate)
certificate
string (byte) Required

PKI Certificate based authentication.

OneAppCredentialRequestVariantTrustedCa
object (OneAppCredentialRequestVariantTrustedCa)
trustedca
ca_certificate
string (byte) Required
check_revocation
boolean | null

When true, the revocation status of certificates is checked, and revoked certificates are rejected.

OneOf
TrustAnchorSubjectVariantSubject
object (TrustAnchorSubjectVariantSubject)
subject
Array of array Required
Array of string
Min items: 2
Max items: 2
string
TrustAnchorSubjectVariantSubjectGeneral
object (TrustAnchorSubjectVariantSubjectGeneral)
subject_general
OneOf
SubjectGeneralVariantDirectoryName
object (SubjectGeneralVariantDirectoryName)
directory_name
Array of array Required
Array of string
Min items: 2
Max items: 2
string
SubjectGeneralVariantDnsName
object (SubjectGeneralVariantDnsName)
dns_name
string Required
SubjectGeneralVariantIpAddress
object (SubjectGeneralVariantIpAddress)
ip_address
OneOf
string (ipv4)
string
string (ipv6)
string
OneAppCredentialRequestVariantGoogleServiceAccount
object (OneAppCredentialRequestVariantGoogleServiceAccount)
googleserviceaccount
object Required
access_reason_policy
object
allow
Array of string (GoogleAccessReason) Required

Set of allowed Google Access reasons.

string

An access reason provided by Google when making EKMS API calls.

Valid values: [ "REASON_UNSPECIFIED", "CUSTOMER_INITIATED_SUPPORT", "GOOGLE_INITIATED_SERVICE", "THIRD_PARTY_DATA_REQUEST", "GOOGLE_INITIATED_REVIEW", "CUSTOMER_INITIATED_ACCESS", "GOOGLE_INITIATED_SYSTEM_OPERATION", "REASON_NOT_EXPECTED", "MODIFIED_CUSTOMER_INITIATED_ACCESS", "MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION", "GOOGLE_RESPONSE_TO_PRODUCTION_ALERT", "CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING" ]
allow_missing_reason
boolean Required

Accept incoming requests which do not specify any access reasons.

groups
object | null

Mapping of all groups an application is part of to the GCP-specific permissions it has within each of those groups.

property*
Array of string (GcpAppPermissions) additionalProperties
string

Valid values: [ "CRYPTO_SPACE_GET_INFO", "CRYPTO_SPACE_GET_PUBLIC_KEY" ]
OneAppCredentialRequestVariantSignedJwt
object (OneAppCredentialRequestVariantSignedJwt)
signedjwt
object Required
valid_issuers
Array of string Required
string
signing_keys

Signing keys used to validate JSON Web Signature objects including signed JSON Web Tokens.

OneOf
object
object
kind
string Required
Valid values: [ "stored" ]
keys
object Required

Mapping key ids to DER-encoded public key.

property*
string (byte) additionalProperties
object
object
kind
string Required
Valid values: [ "fetched" ]
url
string Required
cache_duration
integer Required

Number of seconds that the service is allowed to cache the fetched keys.

OneAppCredentialRequestVariantLdap
object (OneAppCredentialRequestVariantLdap)
ldap
string (uuid) Required

LDAP credentials of an App used for authentication.

OneAppCredentialRequestVariantAwsIam
object (OneAppCredentialRequestVariantAwsIam)
awsiam
object Required
OneAppCredentialRequestVariantAwsXks
object (OneAppCredentialRequestVariantAwsXks)
awsxks
object Required
access_key_id
string | null
secret_key
string
OneAppCredentialRequestVariantGoogleWorkspaceCse
object (OneAppCredentialRequestVariantGoogleWorkspaceCse)
googleworkspacecse
object Required
credential_migration_period
integer | null

Migration period during which the old credentials (and their sessions) remain valid after API key regeneration.

Minimum: 0
Maximum: 4294967295
default_group
string (uuid) | null

The default group an application belongs to.

del_groups
Array of string | null

Groups an application no longer needs to be a part of, given as an array of group UUIDs.

string (uuid)
description
string | null

Description of this application.

enabled
boolean | null

Whether this application is enabled.

interface
string | null

Interface used with this application (PKCS11, CNG, JCE, KMIP, etc).

ip_address_policy

The IP addresses that are allowed for an application. Both IPv4 and IPv6 addresses are accepted.

OneOf
string
string
Valid values: [ "allow_all" ]
IpAddressPolicyVariantWhitelist
object (IpAddressPolicyVariantWhitelist)
whitelist
Array of string Required
string
mod_groups
OneOf
object
object
property*
Array of string (AppPermissions) additionalProperties
string

Operations allowed to be performed by an app.

Valid values: [ "SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "DERIVEKEY", "MACGENERATE", "MACVERIFY", "EXPORT", "MANAGE", "AGREEKEY", "MASKDECRYPT", "AUDIT", "TRANSFORM", "CREATE_SOBJECTS", "COPY_SOBJECTS", "ROTATE_SOBJECTS", "ACTIVATE_SOBJECTS", "REVOKE_SOBJECTS", "REVERT_SOBJECTS", "MOVE_SOBJECTS", "UPDATE_SOBJECTS_PROFILE", "UPDATE_SOBJECTS_ENABLED_STATE", "UPDATE_SOBJECT_POLICIES", "UPDATE_KEY_OPS", "DELETE_KEY_MATERIAL", "DELETE_SOBJECTS", "DESTROY_SOBJECTS", "RESTORE_EXTERNAL_SOBJECTS", "CALCULATE_DIGEST", "ENCAPSULATE", "DECAPSULATE" ]
array
array
string (uuid)
name
string | null

Name of this application, which must be unique within an account.

Max length: 4096
Pattern: ^[^\n]*[^\s\n][^\n]*$
oauth_config

OAuth settings for an app. If enabled, an app can request to act on behalf of a user.

OneOf
object
object
state
string Required
Valid values: [ "enabled" ]
redirect_uris
Array of string Required
string
object
object
state
string Required
Valid values: [ "disabled" ]
role
string

App's role.

Valid values: [ "admin", "crypto" ]
secret_size
integer | null

Size in bytes of app's secret.

Minimum: 0
Maximum: 4294967295
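Before sending the PATCH, a client can check its body against the rules stated above for the credential `all` variant (exactly one mutual TLS credential plus exactly one general credential), for `key_ops_override.add_key_ops` (only EXPORT, APPMANAGEABLE, HIGHVOLUME, and no conflict with policy key_ops) and for the `name` pattern. This is an added example, not DSM's own client code; the policy-conflict rule (every added op must appear in the group policy's key_ops), the sample body and its placeholder values are assumptions.

```python
# Added example (not DSM client code): pre-flight checks for a PATCH body.
# Assumption: "conflict with policy key_ops" means an added op that the
# policy's key_ops does not allow; the exact DSM rule is not stated here.
import re

MTLS_CREDENTIALS = {"certificate", "trustedca"}
GENERAL_CREDENTIALS = {"secret", "awsiam", "signedjwt", "ldap"}
ALLOWED_ADD_KEY_OPS = {"EXPORT", "APPMANAGEABLE", "HIGHVOLUME"}
NAME_PATTERN = re.compile(r"^[^\n]*[^\s\n][^\n]*$")  # pattern of the name field
NAME_MAX_LEN = 4096


def check_credential_all(entries):
    """Problems with a credential.all array (empty list means it is valid)."""
    problems = []
    if len(entries) != 2:
        problems.append(f"credential.all needs exactly 2 entries, got {len(entries)}")
    kinds = [next(iter(e)) for e in entries if len(e) == 1]
    if len(kinds) != len(entries):
        return problems + ["each credential.all entry must be a single-key object"]
    mtls = [k for k in kinds if k in MTLS_CREDENTIALS]
    general = [k for k in kinds if k in GENERAL_CREDENTIALS]
    unknown = [k for k in kinds if k not in MTLS_CREDENTIALS | GENERAL_CREDENTIALS]
    if len(mtls) != 1:
        problems.append(f"need exactly one mutual TLS credential, got {mtls}")
    if len(general) != 1:
        problems.append(f"need exactly one general credential, got {general}")
    if unknown:
        problems.append(f"not allowed under credential.all: {unknown}")
    return problems


def check_add_key_ops(add_key_ops, policy_key_ops=None):
    """Validate key_ops_override.add_key_ops; returns (problems, warnings)."""
    problems, warnings = [], []
    ops = set(add_key_ops or [])
    bad = ops - ALLOWED_ADD_KEY_OPS
    if bad:
        problems.append(f"add_key_ops may only contain EXPORT, APPMANAGEABLE, HIGHVOLUME; got {sorted(bad)}")
    if policy_key_ops is not None:
        conflict = (ops - bad) - set(policy_key_ops)
        if conflict:
            problems.append(f"add_key_ops conflicts with policy key_ops: {sorted(conflict)}")
    # Not errors, but worth surfacing in review: both weaken the default posture.
    if "EXPORT" in ops:
        warnings.append("EXPORT lets key material leave DSM; only set if required")
    if "HIGHVOLUME" in ops:
        warnings.append("HIGHVOLUME disables audit logs for every key this app creates")
    return problems, warnings


def check_patch_body(body, policy_key_ops=None):
    """Run all checks over a PATCH body dict; returns (problems, warnings)."""
    problems, warnings = [], []
    name = body.get("name")
    if name is not None and (len(name) > NAME_MAX_LEN or not NAME_PATTERN.fullmatch(name)):
        problems.append("name must be single-line, non-blank and at most 4096 chars")
    cred = body.get("credential") or {}
    if "all" in cred:
        problems += check_credential_all(cred["all"])
    kmip = (body.get("client_configurations") or {}).get("kmip")
    if isinstance(kmip, dict):  # kmip may also be the string "remove"
        p, w = check_add_key_ops((kmip.get("key_ops_override") or {}).get("add_key_ops"),
                                 policy_key_ops)
        problems += p
        warnings += w
    return problems, warnings


# Constructed sample body; certificate bytes and URLs are placeholders.
SAMPLE_BODY = {
    "name": "payments-signer",
    "credential": {"all": [
        {"trustedca": {"ca_certificate": "BASE64-DER-PLACEHOLDER",
                       "check_revocation": True,
                       "subject_general": {"dns_name": "signer.example.internal"}}},
        {"signedjwt": {"valid_issuers": ["https://issuer.example.internal"],
                       "signing_keys": {"kind": "fetched",
                                        "url": "https://issuer.example.internal/jwks",
                                        "cache_duration": 300}}},
    ]},
    "client_configurations": {"kmip": {"key_ops_override": {"add_key_ops": ["APPMANAGEABLE"]}}},
}

if __name__ == "__main__":
    print(check_patch_body(SAMPLE_BODY, policy_key_ops={"SIGN", "APPMANAGEABLE"}))
```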
Responses
2XX

Success result

object
account_membership
object
roles
Array of object (AppAccountRoleDescriptor)
OneOf
object
object
$type
string
Valid values: [ "SystemDefined" ]
value
string
Valid values: [ "AccountAdministrator", "AccountMember", "AccountAuditor" ]
object
object
$type
string
Valid values: [ "Custom" ]
value
string (uuid)
acct_id
string (uuid)

The id of the Account that this application belongs to.

app_id
string (uuid)

Unique id to identify the application.

app_type
string

The user-defined type of this application.

cert_not_after
string

Certificate expiration date.

Pattern: ^\d{4}\d{2}\d{2}T\d{2}\d{2}\d{2}Z$
Example: 20170509T070912Z
client_configurations
object
common
object
retry_timeout_millis
integer | null
cache_ttl
integer | null
log
object
system
boolean | null
file
OneOf
object
object
mode
string
Valid values: [ "enabled" ]
path
string | null
file_size_kb
integer | null
max_files
integer | null
Minimum: 0
Maximum: 4294967295
object
object
mode
string
Valid values: [ "disabled" ]
level
string | null
h2_num_connections
integer | null
quorum_approval
object
wait_for_quorum_approval
object
enabled
boolean

Indicates whether waiting for quorum approval is enabled or disabled.

poll_interval_secs
integer | null

Time interval in seconds for client lib to check quorum status.

max_wait_for_secs
integer | null

Maximum time in seconds for client lib to wait for quorum reply.

pkcs11
object
fake_rsa_x9_31_keygen_support
boolean | null
signing_aes_key_as_hmac
boolean | null
exact_key_ops
boolean | null
prevent_duplicate_opaque_objects
boolean | null
opaque_objects_are_not_certificates
boolean | null
max_concurrent_requests_per_slot
integer | null
kmip
object
ignore_unknown_key_ops_for_secrets
boolean | null

Use `ignore_unknown_key_ops_for` with `[SECRET]` instead of `ignore_unknown_key_ops_for_secrets`.

ignore_unknown_key_ops_for
OneOf
object
object
$type
string
Valid values: [ "All" ]
object
object
$type
string
Valid values: [ "Selection" ]
selection
Array of string (ObjectType)
string

Type of security object.

Valid values: [ "AES", "ARIA", "DES", "DES3", "SEED", "RSA", "DSA", "EC", "KCDSA", "ECKCDSA", "BIP32", "BLS", "OPAQUE", "HMAC", "LEDABETA", "ROUND5BETA", "SECRET", "LMS", "XMSS", "MLDSA", "MLDSABETA", "MLKEM", "MLKEMBETA", "CERTIFICATE", "PBE" ]
key_ops_override
object
add_key_ops
Array of string (KeyOperations) | null

The operations to add to any key creation request (only supported in KMIP).

The following operations can be specified:

  • EXPORT
  • APPMANAGEABLE
  • HIGHVOLUME

The operations specified must not conflict with what is specified in the key_ops field of the account and/or group policies (where applicable).

Note: This is only enforced on (KMIP) creation requests since we assume updates removing key operations are intentional.

string

Operations allowed to be performed on a given key.

SIGN: If this is set, the key can be used for signing.

VERIFY: If this is set, the key can be used for verifying a signature.

ENCRYPT: If this is set, the key can be used for encryption.

DECRYPT: If this is set, the key can be used for decryption.

WRAPKEY: If this is set, the key can be used for wrapping other keys. The key being wrapped must have the EXPORT operation enabled.

UNWRAPKEY: If this is set, the key can be used to unwrap a wrapped key.

DERIVEKEY: If this is set, the key can be used to derive another key.

TRANSFORM: If this is set, the key can be transformed.

MACGENERATE: If this is set, the key can be used to compute a cryptographic Message Authentication Code (MAC) on a message.

MACVERIFY: If this is set, the key can be used to verify a MAC.

EXPORT: If this is set, the value of the key can be retrieved with an authenticated request. This shouldn't be set unless required. It is more secure to keep the key's value inside DSM only.

APPMANAGEABLE: Without this operation, management operations like delete, destroy, rotate, activate, restore, revoke, revert, update, remove_private, etc. cannot be performed by a crypto App. A user with access, or an admin app, can still perform these operations. This option is only relevant for crypto apps.

HIGHVOLUME: If this is set, audit logs will not be recorded for the key. "High volume" signifies a key that is used very frequently and would otherwise produce a large number of log entries. Setting this operation disables audit logs for the key.

AGREEKEY: If this is set, the key can be used for key agreement. Both the private and public key should have this option enabled to perform an agree operation.

ENCAPSULATE: If this is set, the key can be used for key encapsulation. The result is a new symmetric key and a ciphertext.

DECAPSULATE: If this is set, the key can be used for key decapsulation. If decapsulation succeeds, the result is a new symmetric key.

Valid values: [ "SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "DERIVEKEY", "TRANSFORM", "MACGENERATE", "MACVERIFY", "EXPORT", "APPMANAGEABLE", "HIGHVOLUME", "AGREEKEY", "ENCAPSULATE", "DECAPSULATE" ]
tep
object
schema
OneOf
object
object
$type
string
Valid values: [ "OpenAPI" ]
openapi
string
key_map
Array of object
object
path
object
api_path
string
method
string
context
string
Valid values: [ "request", "response" ]
key_path
string
kid
string (uuid)
mode
string

Cipher mode used for symmetric key algorithms.

Valid values: [ "ECB", "CBC", "CBCNOPAD", "CFB", "OFB", "CTR", "GCM", "CCM", "KW", "KWP", "FF1" ]
created_at
string

Timestamp when the application was created.

Pattern: ^\d{4}\d{2}\d{2}T\d{2}\d{2}\d{2}Z$
Example: 20170509T070912Z
creator

A security principal.

OneOf
PrincipalVariantApp
object (PrincipalVariantApp)
app
string (uuid)
PrincipalVariantUser
object (PrincipalVariantUser)
user
string (uuid)
PrincipalVariantPlugin
object (PrincipalVariantPlugin)
plugin
string (uuid)
PrincipalVariantUserViaApp
object (PrincipalVariantUserViaApp)
userviaapp
object
user_id
string (uuid)
scopes
Array of string (OauthScope)
string

OAuth scope.

Valid values: [ "app", "openid", "email", "profile" ]
string
string
Valid values: [ "system" ]
string
string
Valid values: [ "unregistereduser" ]
default_group
string (uuid) | null

The default group an application belongs to.

description
string | null

Description of this application.

enabled
boolean

Whether this application is enabled.

groups
OneOf
object
object
property*
Array of string (AppPermissions) additionalProperties
string

Operations allowed to be performed by an app.

Valid values: [ "SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "DERIVEKEY", "MACGENERATE", "MACVERIFY", "EXPORT", "MANAGE", "AGREEKEY", "MASKDECRYPT", "AUDIT", "TRANSFORM", "CREATE_SOBJECTS", "COPY_SOBJECTS", "ROTATE_SOBJECTS", "ACTIVATE_SOBJECTS", "REVOKE_SOBJECTS", "REVERT_SOBJECTS", "MOVE_SOBJECTS", "UPDATE_SOBJECTS_PROFILE", "UPDATE_SOBJECTS_ENABLED_STATE", "UPDATE_SOBJECT_POLICIES", "UPDATE_KEY_OPS", "DELETE_KEY_MATERIAL", "DELETE_SOBJECTS", "DESTROY_SOBJECTS", "RESTORE_EXTERNAL_SOBJECTS", "CALCULATE_DIGEST", "ENCAPSULATE", "DECAPSULATE" ]
array
array
string (uuid)
interface
string | null

Interface used with this application (PKCS11, CNG, JCE, KMIP, etc).

ip_address_policy

The IP addresses that are allowed for an application. Both IPv4 and IPv6 addresses are accepted.

OneOf
string
string
Valid values: [ "allow_all" ]
IpAddressPolicyVariantWhitelist
object (IpAddressPolicyVariantWhitelist)
whitelist
Array of string
string
last_operations
object
generic
integer | null
tokenization
integer | null
tep
integer | null
accelerator
integer | null
secrets_management
integer | null
lastused_at
string

Timestamp when the application was most recently used.

Pattern: ^\d{4}\d{2}\d{2}T\d{2}\d{2}\d{2}Z$
Example: 20170509T070912Z
legacy_access
boolean

If a requester is updating an App or retrieving its credentials, they must have the relevant permissions in all Groups that the App has access to. For legacy Apps, however, the requester is only required to have the relevant permissions in any one of the groups that the App has access to.

name
string

Name of this application, which must be unique within an account.

Max length: 4096
Pattern: ^[^\n]*[^\s\n][^\n]*$
oauth_config

OAuth settings for an app. If enabled, an app can request to act on behalf of a user.

OneOf
object
object
state
string
Valid values: [ "enabled" ]
redirect_uris
Array of string
string
object
object
state
string
Valid values: [ "disabled" ]
role
string

App's role.

Valid values: [ "admin", "crypto" ]
auth_type
OneOf
string
string
Valid values: [ "All" ]
string
string
Valid values: [ "Secret", "GoogleServiceAccount", "SignedJwt", "Ldap", "AwsIam", "AwsXks", "GoogleWorkspaceCSE", "Certificate", "TrustedCa" ]
auth_type_all
Array of string (OneAppAuthType) | null

If auth_type is All, this field includes the list of individual auth types configured for the app.

string

Authentication method of an app.

Valid values: [ "Secret", "GoogleServiceAccount", "SignedJwt", "Ldap", "AwsIam", "AwsXks", "GoogleWorkspaceCSE", "Certificate", "TrustedCa" ]