# Admin REST API

## Overview

The Keeper Admin REST API allows business customers to generate tokens and interact with Keeper's REST API for third-party integrations such as SIEM. For vault- and administration-related APIs, see the [Service Mode REST API](https://docs.keeper.io/en/keeperpam/commander-cli/service-mode-rest-api).

> Note: Support for **CSPM** and **MSP Billing** integrations will be available soon.

### Prerequisites

* Enterprise **Root Administrator** permissions (required to create API tokens).
* **Keeper Commander** installed to manage tokens via CLI.

### Manage API Tokens via Keeper Commander (CLI)

The **Commander** CLI includes a `public-api-key` command group with **list**, **generate**, and **revoke** operations. The snippets below summarize the most useful flows.

#### 1. List API tokens

```bash
# Table view
public-api-key list

# JSON output to a file
public-api-key list --format json --output api_keys.json

# CSV export
public-api-key list --format csv --output api_keys.csv
```

#### 2. Generate an API token

```bash
# 30-day SIEM key (Read)
public-api-key generate --name "SIEM Integration" --roles "SIEM:1" --expires 30d

# Permanent key (never expires) with JSON output
public-api-key generate --name "Permanent Tool" --roles "SIEM:1" --expires never --format json --output backup_key.json
```

**Role and action codes**

* **Roles**: `SIEM`
* **Actions**: `1 = READ`, `2 = READ_WRITE`
* **Expiration options**: `24h`, `7d`, `30d`, `1y`, `never`

> Example: `--roles "SIEM:1"` means SIEM (read).

#### 3. Revoke an API token

```bash
# Interactive confirmation
public-api-key revoke <token_value>

# Force (no prompt)
public-api-key revoke <token_value> --force
```

#### Security Notes

* Treat API tokens like passwords; rotate them on a schedule.
* Restrict permissions to the minimum required roles and actions.
* Prefer short expirations; use `never` only for special automation cases.
* Store tokens in a secure location (e.g., Keeper Vault).
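
The notes above can be enforced before a key is created by checking the requested role, action, and expiration against a policy. The following is an added example, not part of Keeper's documentation or tooling: the function names `check_key_request` and `expiry_hours` and the policy values (30-day maximum, read-only unless `ALLOW_WRITE=1`) are assumptions, and the script only prints the `public-api-key generate` command rather than running it.

```shell
#!/usr/bin/env bash
# Added example: policy gate for `public-api-key generate` arguments.
# Assumed policy (not from Keeper): keys expire within 30 days, READ only.
MAX_EXPIRY_HOURS=${MAX_EXPIRY_HOURS:-720}
ALLOW_WRITE=${ALLOW_WRITE:-0}

# Map a documented expiration option to hours; "never" maps to -1.
expiry_hours() {
  case "$1" in
    24h)   echo 24 ;;
    7d)    echo 168 ;;
    30d)   echo 720 ;;
    1y)    echo 8760 ;;
    never) echo -1 ;;
    *)     return 1 ;;
  esac
}

# check_key_request ROLE:ACTION EXPIRES NAME
# Prints the command to run and returns 0, or prints a reason and returns 1.
check_key_request() {
  ckr_spec=$1; ckr_expires=$2; ckr_name=$3
  case "$ckr_spec" in
    SIEM:1) ;;                                   # SIEM, READ
    SIEM:2)                                      # SIEM, READ_WRITE
      [ "$ALLOW_WRITE" = 1 ] || { echo "reject: READ_WRITE not allowed by policy"; return 1; } ;;
    *) echo "reject: unknown role/action '$ckr_spec'"; return 1 ;;
  esac
  ckr_hours=$(expiry_hours "$ckr_expires") ||
    { echo "reject: unknown expiration '$ckr_expires'"; return 1; }
  if [ "$ckr_hours" -lt 0 ]; then
    echo "reject: non-expiring key requested"; return 1
  fi
  if [ "$ckr_hours" -gt "$MAX_EXPIRY_HOURS" ]; then
    echo "reject: $ckr_expires exceeds ${MAX_EXPIRY_HOURS}h maximum"; return 1
  fi
  printf 'ok: public-api-key generate --name "%s" --roles "%s" --expires %s\n' \
    "$ckr_name" "$ckr_spec" "$ckr_expires"
}
```

For example, `check_key_request "SIEM:1" 30d "SIEM Integration"` prints the command from step 2, while the same request with `never` is rejected.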
