Admin REST API

Retrieve SIEM compatible audit events using the Keeper Admin REST API

Overview

The Keeper Admin REST API allows business customers to generate tokens and interact with Keeper's REST API for 3rd party integrations such as SIEM. For vault and administration related APIs, see the Service Mode REST API.

Note: Support for CSPM and MSP Billing integrations will be available soon.

Prerequisites

Enterprise Root Administrator permissions (required to create API tokens).
Keeper Commander installed to manage tokens via CLI.

Manage API Tokens via Keeper Commander (CLI)

The Commander CLI includes a public-api-key command group with list, generate, and revoke operations. The snippets below summarize the most useful flows.

1. List API tokens

# Table view
public-api-key list

# JSON output to a file
public-api-key list --format json --output api_keys.json

# CSV export
public-api-key list --format csv --output api_keys.csv

2. Generate an API token

# 30‑day SIEM key (Read)
public-api-key generate --name "SIEM Integration" --roles "SIEM:1" --expires 30d

# Permanent key (never expires) with JSON output
public-api-key generate --name "Permanent Tool" --roles "SIEM:1" --expires never --format json --output backup_key.json

Role and action codes

Roles: SIEM
Actions: 1 = READ, 2 = READ_WRITE
Expiration options: 24h, 7d, 30d, 1y, never

Example: --roles "SIEM:1" means SIEM (read).

3. Revoke an API token

# Interactive confirmation
public-api-key revoke <token_value>

# Force (no prompt)
public-api-key revoke <token_value> --force

Audit Events API

Get Audit Events

get

Retrieves a paginated list of audit events for a specific enterprise between two dates. This endpoint is primarily used for SIEM integrations (e.g., Azure Sentinel) and is compatible with other log aggregation tools.

Results are returned in pages. Use the continuation_token from the response to retrieve the next page. When there are no more results, continuation_token will be null and has_more will be false.

Example:

curl --location 'https://keepersecurity.com/api/rest/public/events?start_date=2025-11-24T00%3A00%3A00Z&limit=20&end_date=2025-11-26T23%3A59%3A59Z' --header 'x-api-token: Bearer YOUR_API_TOKEN'

Authorizations

x-api-tokenstringRequired

Query parameters

start_datestring · date-timeRequired

end_datestring · date-timeRequired

limitinteger · min: 1 · max: 1000OptionalDefault: 100

continuation_tokenstringOptional

Responses

200

A paginated list of audit events

application/json

400

Bad request

401

Unauthorized

500

Server error

get

/public/events

GET /api/rest/public/events?start_date=2025-12-13T15%3A46%3A16.869Z&end_date=2025-12-13T15%3A46%3A16.869Z HTTP/1.1
Host: keepersecurity.com
x-api-token: YOUR_API_KEY
Accept: */*

{
  "continuation_token": "text",
  "has_more": true,
  "events": [
    {
      "audit_event": "text",
      "remote_address": "text",
      "category": "text",
      "client_version": "text",
      "enterprise_id": 1,
      "username": "text",
      "timestamp": 1
    }
  ]
}

Endpoint

GET /api/rest/public/events

Purpose Retrieve audit events within a specified date range for your enterprise.

Authentication Send your API token in the x-api-token header: x-api-token: Bearer <API_TOKEN>

Query parameters

Name

Type

Required

Description

start_date

ISO 8601

Yes

Start of the date range (e.g., 2024-07-09T00:00:00Z).

end_date

ISO 8601

Yes

End of the date range (e.g., 2025-07-10T19:45:00Z).

continuation_token

String

Only for pagination

Use the token returned by the API to fetch the next page of events.

Headers

Header

Example

x-api-token

Bearer <API_TOKEN>

Example requests

Without pagination

curl --location 'https://dev.keepersecurity.com/api/rest/public/events?start_date=2024-07-09T00%3A00%3A00Z&end_date=2025-07-10T19%3A45%3A00Z' \
  --header 'x-api-token: Bearer <API_TOKEN>'

With pagination

curl --location 'https://dev.keepersecurity.com/api/rest/public/events?start_date=2024-07-09T00%3A00%3A00Z&end_date=2025-07-10T19%3A45%3A00Z&continuation_token=<CONT_TOKEN>' \
  --header 'x-api-token: Bearer <API_TOKEN>'

Example success response (200)

{
  "has_more": true,
  "events": [
    {
      "audit_event": "login_failure",
      "remote_address": "10.15.12.197",
      "category": "ADMIN",
      "client_version": "Commander 17.1.0",
      "enterprise_id": 8560,
      "username": "[email protected]",
      "timestamp": 1751910807587
    }
  ],
  "continuation_token": "vWiXa0eu2edoe_fonw5IJHwEbLmxXOACIvuoQRh7j4XiKuu1"
}

Error codes

Code

Message

Cause

400

Missing start date

start_date query parameter is missing

400

Missing end date

end_date query parameter is missing

401

Unauthorized

Invalid or missing API token

500

Internal Server Error

Unexpected server error

Security Notes

Treat API tokens like passwords; rotate them on a schedule.
Restrict permissions to the minimum required roles and actions.
Prefer short expirations; use never only for special automation cases.
Store tokens in a secure location (e.g., Keeper Vault).

Appendix: Quick Reference (Commander)

# List
public-api-key list [--format table|json|csv] [--output <file>]

# Generate
public-api-key generate \
  --name "<name>" \
  --roles "SIEM:1" \
  --expires 24h|7d|30d|1y|never \
  [--format json|csv] [--output <file>]

# Revoke
public-api-key revoke <token_value> [--force]

PreviousAdvanced Settings NextTroubleshooting

Last updated 17 days ago

Was this helpful?