CyberArk Conjur Secrets Manager API

Conjur is CyberArk's secrets management platform for machine identities and DevOps workloads, delivered as Conjur Open Source, Conjur Enterprise (Self-Hosted), and Conjur Cloud (SaaS). The REST API supports authenticating hosts and users, loading and replacing policy YAML, storing and retrieving versioned secrets, managing resources and roles, and retrieving public keys. The canonical OpenAPI 3.1 spec is open-sourced at github.com/cyberark/conjur-openapi-spec.

OpenAPI Specification

cyberark-conjur-openapi.yml
# Curated OpenAPI 3.0.3 profile of the Conjur REST API: document metadata,
# server URLs, the default security requirement, and the tag catalogue.
openapi: 3.0.3
info:
  title: CyberArk Conjur Secrets Manager API
  # NOTE(review): the description mentions rotating credentials and querying
  # audit information, but no operation under `paths` in this file covers
  # either; readers should not expect those endpoints from this profile.
  description: >-
    Conjur Secrets Manager is CyberArk's machine-identity and secrets
    management platform, available as Conjur Open Source, Conjur
    Enterprise (Self-Hosted), and Conjur Cloud (SaaS). The REST API
    enables authenticating hosts and users, loading and updating
    policies, storing and retrieving secrets, rotating credentials,
    managing public keys, and querying audit information. The
    canonical OpenAPI specification is published at
    github.com/cyberark/conjur-openapi-spec; this file is a curated
    profile of the most-used endpoints aligned with CyberArk Secrets
    Manager Self-Hosted and SaaS.
  version: '1.0'
  contact:
    name: CyberArk Developer
    url: https://developer.cyberark.com
  license:
    name: Apache 2.0
    url: https://www.apache.org/licenses/LICENSE-2.0
externalDocs:
  description: Conjur OpenAPI Specification (canonical)
  url: https://github.com/cyberark/conjur-openapi-spec
# Both server URLs are https. The login and authenticate operations below
# carry credentials and API keys, and the secrets operations carry secret
# values, so a plain-http server entry should not be added to this list.
servers:
  - url: https://conjur.example.com
    description: Conjur Self-Hosted appliance (replace with appliance hostname)
  - url: https://{tenant}.secretsmgr.cyberark.cloud/api
    description: Conjur Cloud tenant
    variables:
      tenant:
        default: tenant
        description: CyberArk Conjur Cloud tenant subdomain
# Default requirement: every operation that does not declare its own
# `security` key inherits ConjurAuth. Operations that issue credentials or
# act as probes need an explicit per-operation override if they are not
# meant to require an access token.
security:
  - ConjurAuth: []
# Tag catalogue used to group the operations under `paths`.
tags:
  - name: Authentication
    description: Authenticate hosts and users, exchange credentials for access tokens.
  - name: Policies
    description: Load, update, and replace Conjur policy YAML.
  - name: Secrets
    description: Store and retrieve secret values bound to variable resources.
  - name: Resources
    description: Inspect resources (hosts, users, groups, layers, variables) and check permissions.
  - name: Roles
    description: Manage role membership and inspect role information.
  - name: PublicKeys
    description: Retrieve public keys associated with users and hosts.
  - name: Health
    description: Health and information endpoints.
paths:
  # Login: trades a user's Basic credentials for that user's API key.
  # NOTE(review): no operation-level `security` is declared, so this
  # operation inherits the global ConjurAuth requirement even though the
  # description says the caller presents Basic credentials. It should
  # reference an HTTP Basic scheme defined under components.securitySchemes.
  /authn/{account}/login:
    get:
      tags:
        - Authentication
      summary: Get API key for user
      description: >-
        Exchange basic credentials for the user's API key, used as the
        password in subsequent /authenticate calls.
      operationId: login
      parameters:
        # Conjur account name, taken from the URL path.
        - name: account
          in: path
          required: true
          schema:
            type: string
      responses:
        # The 200 body is the API key itself, a credential that the
        # authenticate operation accepts. Clients, proxies and API gateways
        # should keep this response body out of logs and caches.
        '200':
          description: API key returned as plain text.
          content:
            text/plain:
              schema:
                type: string
        '401':
          description: Unauthorized
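  # Authenticate: trades an API key (sent as the request body) for a
  # short-lived access token that later calls present in the Authorization
  # header.
  /authn/{account}/{login}/authenticate:
    post:
      tags:
        - Authentication
      summary: Get short-lived access token
      description: >-
        Exchange API key for a short-lived Conjur access token used in
        the Authorization header on subsequent calls.
      operationId: authenticate
      # This operation issues the access token, so it cannot itself require
      # one. The empty list overrides the global ConjurAuth requirement; the
      # caller is authenticated by the API key in the request body.
      security: []
      parameters:
        # Conjur account name, taken from the URL path.
        - name: account
          in: path
          required: true
          schema:
            type: string
        # Identity the API key belongs to, taken from the URL path.
        - name: login
          in: path
          required: true
          schema:
            type: string
      # The body is the caller's API key, a credential. Request-body logging
      # on clients, proxies and gateways should exclude this operation.
      requestBody:
        required: true
        content:
          text/plain:
            schema:
              type: string
              description: API key
      responses:
        # NOTE(review): the description says Base64-encoded while the declared
        # content is an application/json object; confirm against the canonical
        # spec which encoding clients receive by default.
        '200':
          description: Conjur access token (Base64-encoded JSON).
          content:
            application/json:
              schema:
                type: object
        '401':
          description: Unauthorized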
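  # Policy loading. The three methods differ in how they treat resources that
  # already exist: POST only adds, PATCH adds and honours explicit delete
  # statements, PUT replaces and removes whatever the new document omits.
  # Policy defines identities and permissions, so write access to this path
  # should be limited to the roles that administer the policy branch.
  # NOTE(review): Conjur's policy-load response is documented to include API
  # keys for newly created roles; verify against the canonical spec and treat
  # the 201 body as sensitive (no logging, no caching).
  /policies/{account}/policy/{identifier}:
    post:
      tags:
        - Policies
      summary: Load policy (additive)
      description: >-
        Load policy YAML additively. Existing resources are preserved.
      operationId: loadPolicy
      parameters:
        # Conjur account name, taken from the URL path.
        - name: account
          in: path
          required: true
          schema:
            type: string
        # Policy branch the document is loaded into.
        - name: identifier
          in: path
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/x-yaml:
            schema:
              type: string
      responses:
        '201':
          description: Policy loaded.
        '401':
          description: Unauthorized
        '422':
          description: Policy validation error
    # PUT is the destructive mode: resources absent from the submitted
    # document are removed. A truncated or wrong file therefore deletes
    # identities and variables, so callers should review the document
    # before sending it.
    put:
      tags:
        - Policies
      summary: Replace policy
      description: Replace policy YAML, removing resources not in the new policy.
      operationId: replacePolicy
      parameters:
        - name: account
          in: path
          required: true
          schema:
            type: string
        - name: identifier
          in: path
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/x-yaml:
            schema:
              type: string
      responses:
        '201':
          description: Policy replaced.
        # Error responses declared to match the POST operation on this path.
        '401':
          description: Unauthorized
        '422':
          description: Policy validation error
    patch:
      tags:
        - Policies
      # The original summary read "additive without delete", which describes
      # POST. PATCH adds statements and applies explicit deletions; it never
      # removes anything implicitly.
      summary: Update policy (explicit deletes only, no implicit delete)
      description: >-
        Update policy YAML. New statements are added and existing data is
        removed only by explicit delete, revoke, or deny statements.
      operationId: updatePolicy
      parameters:
        - name: account
          in: path
          required: true
          schema:
            type: string
        - name: identifier
          in: path
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/x-yaml:
            schema:
              type: string
      responses:
        '201':
          description: Policy updated.
        # Error responses declared to match the POST operation on this path.
        '401':
          description: Unauthorized
        '422':
          description: Policy validation error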
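  # Secret values for variable resources: GET returns the value, POST stores
  # a new one. Both directions carry the secret as a text/plain body, so
  # request and response bodies for this path should be excluded from
  # logging and caching on clients, proxies and gateways.
  /secrets/{account}/{kind}/{identifier}:
    get:
      tags:
        - Secrets
      summary: Retrieve secret value
      operationId: retrieveSecret
      parameters:
        # Conjur account name, taken from the URL path.
        - name: account
          in: path
          required: true
          schema:
            type: string
        # Only `variable` resources hold secret values.
        - name: kind
          in: path
          required: true
          schema:
            type: string
            enum: [variable]
        # Variable id. NOTE(review): ids containing `/` presumably need
        # percent-encoding to stay within one path segment; confirm.
        - name: identifier
          in: path
          required: true
          schema:
            type: string
        # Optional version selector; when omitted no specific version is
        # requested.
        - name: version
          in: query
          required: false
          schema:
            type: integer
      responses:
        # The 200 body is the raw secret value.
        '200':
          description: Secret value
          content:
            text/plain:
              schema:
                type: string
        '401':
          description: Unauthorized
        '404':
          description: Not found
    post:
      tags:
        - Secrets
      summary: Store secret value
      operationId: addSecret
      parameters:
        - name: account
          in: path
          required: true
          schema:
            type: string
        - name: kind
          in: path
          required: true
          schema:
            type: string
            enum: [variable]
        - name: identifier
          in: path
          required: true
          schema:
            type: string
      # The request body is the raw secret value to store.
      requestBody:
        required: true
        content:
          text/plain:
            schema:
              type: string
      responses:
        '201':
          description: Secret stored
        # Declared to match the GET operation on this path; the operation
        # inherits the global ConjurAuth requirement.
        '401':
          description: Unauthorized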
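  # Resource listing for an account, with optional kind filter, text search
  # and paging.
  # NOTE(review): the listing enumerates identities and variable names, which
  # is useful reconnaissance data; confirm that results are limited to what
  # the calling role is permitted to see.
  /resources/{account}:
    get:
      tags:
        - Resources
      summary: List resources
      operationId: listResources
      parameters:
        # Conjur account name, taken from the URL path.
        - name: account
          in: path
          required: true
          schema:
            type: string
        # Optional filter on resource kind.
        - name: kind
          in: query
          schema:
            type: string
            enum: [user, host, group, layer, variable, policy, webservice]
        # Optional free-text filter.
        - name: search
          in: query
          schema:
            type: string
        # Paging controls. No minimum or maximum is declared for either.
        - name: limit
          in: query
          schema:
            type: integer
        - name: offset
          in: query
          schema:
            type: integer
      responses:
        '200':
          description: Array of resources
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Resource'
        # Declared because the operation inherits the global ConjurAuth
        # requirement, matching the other authenticated operations.
        '401':
          description: Unauthorized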
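  # Detail view of one resource, addressed by account, kind and identifier.
  /resources/{account}/{kind}/{identifier}:
    get:
      tags:
        - Resources
      summary: Show resource
      operationId: showResource
      parameters:
        # Conjur account name, taken from the URL path.
        - name: account
          in: path
          required: true
          schema:
            type: string
        # Resource kind. Unlike the list operation, no enum constrains it.
        - name: kind
          in: path
          required: true
          schema:
            type: string
        - name: identifier
          in: path
          required: true
          schema:
            type: string
      responses:
        # The Resource schema includes owner and permissions, so this
        # response describes who can act on the resource.
        '200':
          description: Resource detail
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Resource'
        # Error responses declared to match the secret retrieval operation,
        # which addresses a single resource the same way.
        '401':
          description: Unauthorized
        '404':
          description: Not found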
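  # Detail view of one role, addressed by account, kind and identifier.
  /roles/{account}/{kind}/{identifier}:
    get:
      tags:
        - Roles
      summary: Show role
      operationId: showRole
      parameters:
        # Conjur account name, taken from the URL path.
        - name: account
          in: path
          required: true
          schema:
            type: string
        # Role kind. No enum constrains the accepted values.
        - name: kind
          in: path
          required: true
          schema:
            type: string
        - name: identifier
          in: path
          required: true
          schema:
            type: string
      responses:
        # The Role schema includes the member list, so this response
        # discloses role membership.
        '200':
          description: Role detail
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Role'
        # Error responses declared to match the secret retrieval operation,
        # which addresses a single object the same way.
        '401':
          description: Unauthorized
        '404':
          description: Not found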
  # Public keys recorded for one resource, returned as newline-delimited text.
  # NOTE(review): no operation-level `security` is declared, so this inherits
  # the global ConjurAuth requirement; confirm against the canonical spec
  # whether the endpoint is meant to be readable without an access token.
  /public_keys/{account}/{kind}/{identifier}:
    get:
      tags:
        - PublicKeys
      summary: Show public keys for resource
      operationId: showPublicKeys
      parameters:
        # Conjur account name, taken from the URL path.
        - name: account
          in: path
          required: true
          schema:
            type: string
        # Resource kind. No enum constrains the accepted values.
        - name: kind
          in: path
          required: true
          schema:
            type: string
        - name: identifier
          in: path
          required: true
          schema:
            type: string
      responses:
        # Only a 200 is declared. Consumers that install these keys as trust
        # anchors rely on this response being authentic, so it should be
        # fetched only over the https server URLs.
        '200':
          description: Newline-delimited list of public keys.
          content:
            text/plain:
              schema:
                type: string
  # Server information as an untyped JSON object.
  # NOTE(review): no operation-level `security` is declared, so this inherits
  # the global ConjurAuth requirement; confirm whether the server actually
  # requires a token here. If it does not, the response contents are visible
  # to anyone who can reach the endpoint and network exposure should be
  # restricted accordingly.
  /info:
    get:
      tags:
        - Health
      summary: Server information
      operationId: serverInfo
      responses:
        '200':
          description: Conjur server information
          content:
            application/json:
              schema:
                type: object
  # Health probe: 200 when healthy, 503 when not.
  # NOTE(review): no operation-level `security` is declared, so this inherits
  # the global ConjurAuth requirement; probes from load balancers usually
  # carry no token, so confirm whether an override is intended.
  /health:
    get:
      tags:
        - Health
      summary: Health check
      operationId: health
      responses:
        '200':
          description: Healthy
        '503':
          description: Unhealthy
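# Shared definitions: the access-token security scheme and the Resource and
# Role response schemas referenced from `paths`.
components:
  securitySchemes:
    # Conjur takes its access token as `Authorization: Token token="..."`,
    # not as a `Bearer` credential. Declaring `http`/`bearer` makes generated
    # clients send a header the server does not accept, so the scheme is
    # modelled as an apiKey carried in the Authorization header.
    ConjurAuth:
      type: apiKey
      in: header
      name: Authorization
      description: 'Conjur access token from the authenticate operation, sent as: Token token="<base64-encoded access token>"'
  schemas:
    # Resource detail as returned by the list and show resource operations.
    Resource:
      type: object
      properties:
        id:
          type: string
        owner:
          type: string
        # The item shapes of the three arrays below are left as untyped
        # objects in this profile.
        permissions:
          type: array
          items:
            type: object
        annotations:
          type: array
          items:
            type: object
        policy_versions:
          type: array
          items:
            type: object
    # Role detail as returned by the show role operation.
    Role:
      type: object
      properties:
        id:
          type: string
        members:
          type: array
          items:
            type: object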