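---
# Curated OpenAPI 3.0 profile of the CyberArk Conjur Secrets Manager REST API.
#
# Review notes on the authentication model described by this file:
#   * `security` at the top level applies ConjurAuth to every operation that
#     does not override it. The two /authn operations are how a client gets
#     a token in the first place, so they carry their own `security` entries.
#   * Conjur expects the access token as `Authorization: Token token="..."`,
#     not as an RFC 6750 `Bearer` credential, so ConjurAuth is declared as an
#     `apiKey` header scheme rather than `http`/`bearer`.
#   * Path parameters shared by several operations live under
#     `components/parameters`, and the common error responses under
#     `components/responses`.
openapi: 3.0.3
info:
  title: CyberArk Conjur Secrets Manager API
  description: >-
    Conjur Secrets Manager is CyberArk's machine-identity and secrets
    management platform, available as Conjur Open Source, Conjur Enterprise
    (Self-Hosted), and Conjur Cloud (SaaS). The REST API enables
    authenticating hosts and users, loading and updating policies, storing
    and retrieving secrets, rotating credentials, managing public keys, and
    querying audit information. The canonical OpenAPI specification is
    published at github.com/cyberark/conjur-openapi-spec; this file is a
    curated profile of the most-used endpoints aligned with CyberArk Secrets
    Manager Self-Hosted and SaaS.
  version: '1.0'
  contact:
    name: CyberArk Developer
    url: https://developer.cyberark.com
  license:
    name: Apache 2.0
    url: https://www.apache.org/licenses/LICENSE-2.0
externalDocs:
  description: Conjur OpenAPI Specification (canonical)
  url: https://github.com/cyberark/conjur-openapi-spec
servers:
  - url: https://conjur.example.com
    description: Conjur Self-Hosted appliance (replace with appliance hostname)
  - url: https://{tenant}.secretsmgr.cyberark.cloud/api
    description: Conjur Cloud tenant
    variables:
      tenant:
        default: tenant
        description: CyberArk Conjur Cloud tenant subdomain
# Default for every operation below unless the operation overrides it.
security:
  - ConjurAuth: []
tags:
  - name: Authentication
    description: Authenticate hosts and users, exchange credentials for access tokens.
  - name: Policies
    description: Load, update, and replace Conjur policy YAML.
  - name: Secrets
    description: Store and retrieve secret values bound to variable resources.
  - name: Resources
    description: Inspect resources (hosts, users, groups, layers, variables) and check permissions.
  - name: Roles
    description: Manage role membership and inspect role information.
  - name: PublicKeys
    description: Retrieve public keys associated with users and hosts.
  - name: Health
    description: Health and information endpoints.
paths:
  /authn/{account}/login:
    get:
      tags:
        - Authentication
      summary: Get API key for user
      description: >-
        Exchange basic credentials for the user's API key, used as the
        password in subsequent /authenticate calls.
      operationId: login
      # This call is authenticated with HTTP Basic credentials, not with an
      # access token, so it overrides the global ConjurAuth requirement.
      security:
        - BasicAuth: []
      parameters:
        - $ref: '#/components/parameters/Account'
      responses:
        # The body is a long-lived credential: keep it out of logs and traces.
        '200':
          description: API key returned as plain text.
          content:
            text/plain:
              schema:
                type: string
        '401':
          description: Unauthorized
  /authn/{account}/{login}/authenticate:
    post:
      tags:
        - Authentication
      summary: Get short-lived access token
      description: >-
        Exchange API key for a short-lived Conjur access token used in the
        Authorization header on subsequent calls.
      operationId: authenticate
      # The credential is the API key in the request body; no access token
      # exists yet, so the global ConjurAuth requirement is switched off.
      security: []
      parameters:
        - $ref: '#/components/parameters/Account'
        - name: login
          in: path
          required: true
          description: >-
            Login name of the user or host. It must be URL-encoded so it
            stays a single path segment (for example, a host login
            `host/my-app` is sent as `host%2Fmy-app`).
          schema:
            type: string
      requestBody:
        required: true
        content:
          text/plain:
            schema:
              type: string
              description: API key
      responses:
        # NOTE(review): the description says Base64 while the schema is a
        # JSON object. Upstream Conjur returns JSON by default and the
        # Base64 form when the client sends `Accept-Encoding: base64`;
        # confirm which of the two this profile means to document.
        '200':
          description: Conjur access token (Base64-encoded JSON).
          content:
            application/json:
              schema:
                type: object
        '401':
          description: Unauthorized
  # NOTE(review): upstream Conjur returns the API keys of roles created by a
  # policy load in the response body of these operations; treat that body as
  # secret material and keep it out of logs. Confirm against the canonical
  # spec before adding a response schema here.
  /policies/{account}/policy/{identifier}:
    post:
      tags:
        - Policies
      summary: Load policy (additive)
      description: >-
        Load policy YAML additively. Existing resources are preserved.
      operationId: loadPolicy
      parameters:
        - $ref: '#/components/parameters/Account'
        - $ref: '#/components/parameters/Identifier'
      requestBody:
        required: true
        content:
          application/x-yaml:
            schema:
              type: string
      responses:
        '201':
          description: Policy loaded.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          description: Policy validation error
    put:
      tags:
        - Policies
      summary: Replace policy
      # Destructive: anything absent from the submitted document is removed.
      # Callers should restrict who holds the privilege to use this method.
      description: Replace policy YAML, removing resources not in the new policy.
      operationId: replacePolicy
      parameters:
        - $ref: '#/components/parameters/Account'
        - $ref: '#/components/parameters/Identifier'
      requestBody:
        required: true
        content:
          application/x-yaml:
            schema:
              type: string
      responses:
        '201':
          description: Policy replaced.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          description: Policy validation error
    patch:
      tags:
        - Policies
      # NOTE(review): upstream Conjur documents PATCH as the mode that allows
      # explicit `!delete`, `!revoke` and `!deny` statements (nothing is
      # removed implicitly); confirm that "without delete" is the intended
      # wording for this summary.
      summary: Update policy (additive without delete)
      operationId: updatePolicy
      parameters:
        - $ref: '#/components/parameters/Account'
        - $ref: '#/components/parameters/Identifier'
      requestBody:
        required: true
        content:
          application/x-yaml:
            schema:
              type: string
      responses:
        '201':
          description: Policy updated.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          description: Policy validation error
  /secrets/{account}/{kind}/{identifier}:
    get:
      tags:
        - Secrets
      summary: Retrieve secret value
      operationId: retrieveSecret
      parameters:
        - $ref: '#/components/parameters/Account'
        - name: kind
          in: path
          required: true
          schema:
            type: string
            enum: [variable]
        - $ref: '#/components/parameters/Identifier'
        - name: version
          in: query
          required: false
          schema:
            type: integer
      responses:
        # The body is the secret itself: clients and proxies should not log
        # or cache it.
        '200':
          description: Secret value
          content:
            text/plain:
              schema:
                type: string
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          description: Not found
    post:
      tags:
        - Secrets
      summary: Store secret value
      operationId: addSecret
      parameters:
        - $ref: '#/components/parameters/Account'
        - name: kind
          in: path
          required: true
          schema:
            type: string
            enum: [variable]
        - $ref: '#/components/parameters/Identifier'
      requestBody:
        required: true
        content:
          text/plain:
            schema:
              type: string
      responses:
        '201':
          description: Secret stored
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /resources/{account}:
    get:
      tags:
        - Resources
      summary: List resources
      operationId: listResources
      parameters:
        - $ref: '#/components/parameters/Account'
        - name: kind
          in: query
          schema:
            type: string
            enum: [user, host, group, layer, variable, policy, webservice]
        - name: search
          in: query
          schema:
            type: string
        - name: limit
          in: query
          schema:
            type: integer
        - name: offset
          in: query
          schema:
            type: integer
      responses:
        '200':
          description: Array of resources
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Resource'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /resources/{account}/{kind}/{identifier}:
    get:
      tags:
        - Resources
      summary: Show resource
      operationId: showResource
      parameters:
        - $ref: '#/components/parameters/Account'
        - $ref: '#/components/parameters/Kind'
        - $ref: '#/components/parameters/Identifier'
      responses:
        '200':
          description: Resource detail
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Resource'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /roles/{account}/{kind}/{identifier}:
    get:
      tags:
        - Roles
      summary: Show role
      operationId: showRole
      parameters:
        - $ref: '#/components/parameters/Account'
        - $ref: '#/components/parameters/Kind'
        - $ref: '#/components/parameters/Identifier'
      responses:
        '200':
          description: Role detail
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Role'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  # NOTE(review): the global ConjurAuth requirement applies to the three
  # paths below as written. Confirm against the canonical spec whether
  # public keys, /info and /health are meant to require a token; health
  # probes in particular usually run without credentials.
  /public_keys/{account}/{kind}/{identifier}:
    get:
      tags:
        - PublicKeys
      summary: Show public keys for resource
      operationId: showPublicKeys
      parameters:
        - $ref: '#/components/parameters/Account'
        - $ref: '#/components/parameters/Kind'
        - $ref: '#/components/parameters/Identifier'
      responses:
        '200':
          description: Newline-delimited list of public keys.
          content:
            text/plain:
              schema:
                type: string
  /info:
    get:
      tags:
        - Health
      summary: Server information
      operationId: serverInfo
      responses:
        '200':
          description: Conjur server information
          content:
            application/json:
              schema:
                type: object
  /health:
    get:
      tags:
        - Health
      summary: Health check
      operationId: health
      responses:
        '200':
          description: Healthy
        '503':
          description: Unhealthy
components:
  securitySchemes:
    # Used only by GET /authn/{account}/login.
    BasicAuth:
      type: http
      scheme: basic
    # Declared as an apiKey header because the credential is not a plain
    # `Bearer` token; a generated client must send the full header value.
    ConjurAuth:
      type: apiKey
      in: header
      name: Authorization
      description: >-
        Short-lived Conjur access token obtained from the authenticate
        operation, sent as `Token token="<base64-encoded access token>"`.
  parameters:
    Account:
      name: account
      in: path
      required: true
      description: Conjur organization account name.
      schema:
        type: string
    Kind:
      name: kind
      in: path
      required: true
      description: Resource kind, such as user, host, group, layer, variable or policy.
      schema:
        type: string
    Identifier:
      name: identifier
      in: path
      required: true
      description: >-
        Resource identifier. Identifiers that contain `/` must be
        URL-encoded (`%2F`) so that they stay a single path segment.
      schema:
        type: string
  responses:
    Unauthorized:
      description: Unauthorized. The access token is missing, expired, or invalid.
    Forbidden:
      description: Forbidden. The authenticated role lacks the privilege this operation needs.
    NotFound:
      description: Not found
  schemas:
    Resource:
      type: object
      properties:
        id:
          type: string
        owner:
          type: string
        permissions:
          type: array
          items:
            type: object
        annotations:
          type: array
          items:
            type: object
        policy_versions:
          type: array
          items:
            type: object
    Role:
      type: object
      properties:
        id:
          type: string
        members:
          type: array
          items:
            type: object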