Advanced Settings

Setting up advanced configuration with Commander Service Mode

Advanced Configuration

Rate Limited Rules

Defines the maximum number of API requests allowed within a specified time frame.

Default Rate Limits: 60/minute, 600/hour, 6000/day

Input Format: X/[minute|hour|day] or X per [minute|hour|day]

Valid Examples: "100/minute", "50/hour", "1000 per day"

Note: Input is case insensitive.

IP Allow and IP Deny Lists

Controls access based on IP addresses or IP network ranges.

IP Allow List (Whitelist):

  • If specified, only IPs in this list are allowed access

  • Takes precedence over deny list

  • Default: 0.0.0.0/0 (allow all) when not specified

IP Deny List (Blacklist):

  • IPs in this list are explicitly denied access

  • Only effective when the allow list is not specified or when the IP is not in the allow list

Logic Flow:

  1. If IP Allow list exists: Check if IP is allowed → Grant/Deny access

  2. If IP Allow list is empty: Check IP Deny list → Deny if found, otherwise allow

Input Format: Comma-separated list of IP addresses or CIDR blocks

Validation Rules: Each entry must be a valid IPv4 address or CIDR block

Valid Examples: "192.168.1.1, 10.0.0.0/24", "172.16.0.0/16"

Notes: Empty list is allowed (skips validation)
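
The Logic Flow above as an added Python sketch (not Keeper Commander's own code), including a check for deny entries that step 1 makes ineffective. The function names and the strict=False parsing choice are assumptions of this example; the sample addresses are constructed.

```python
import ipaddress


def parse_ip_list(value):
    """Parse the documented input format: comma-separated IPv4 addresses or CIDR blocks.

    An empty string yields [] (the page allows an empty list). Any other invalid
    entry raises ValueError. strict=False is an assumption of this sketch: it
    normalises entries such as 10.0.0.5/24 to their network instead of rejecting them.
    """
    nets = []
    for item in value.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.IPv4Network(item, strict=False))
    return nets


def is_allowed(client_ip, allow_list="", deny_list=""):
    """Apply the two-step Logic Flow from the page to one client address."""
    ip = ipaddress.IPv4Address(client_ip)
    allowed = parse_ip_list(allow_list)
    denied = parse_ip_list(deny_list)
    if allowed:
        # Step 1: an allow list exists, so it alone decides; the deny list is not consulted.
        return any(ip in net for net in allowed)
    # Step 2: no allow list, so deny if listed, otherwise allow.
    return not any(ip in net for net in denied)


def shadowed_deny_entries(allow_list, deny_list):
    """Return deny entries that overlap the allow list.

    Under the flow as written these ranges stay reachable, which is usually
    not what the operator intended when adding them to the deny list.
    """
    allowed = parse_ip_list(allow_list)
    return [str(d) for d in parse_ip_list(deny_list)
            if any(d.overlaps(a) for a in allowed)]


if __name__ == "__main__":
    # Constructed sample settings (documentation address ranges), not from a real deployment.
    allow, deny = "0.0.0.0/0", "203.0.113.0/24, 10.0.0.1"
    print(is_allowed("203.0.113.7", allow, deny))   # allow list wins
    print(is_allowed("203.0.113.7", "", deny))      # deny list applies
    print(shadowed_deny_entries(allow, deny))
```

Running shadowed_deny_entries over a configuration before deploying it shows which deny entries need the allow list narrowed instead.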

Encryption Settings

Optional layer of AES-256 (GCM) encryption for all REST API responses

Input Format: y or n

Private Key Validation Rules:

  • Exactly 32 characters long

  • Allowed characters: alphanumeric and special characters (@#$%^&+=)

  • Cannot be empty

Note: The key is required for API response decryption.

Token Expiration

Configures the REST API token lifespan.

Input Format: Xm, Xh, or Xd where X is a positive number and time units represent m for minutes, h for hours and d for days.

Validation Rules:

  • Value must be a positive number

  • Unit must be one of m, h or d

  • Valid Examples: "30m", "24h", "7d".

Note: Empty input will set the token to never expire.

Command List

Specifies the list of commands to be exposed via the API.

Input Format: Comma-separated list of valid Keeper Commander commands

Validation Rules:

  • Must be a comma-separated list of valid Keeper Commander commands (the list is shown by running help in the Commander CLI, or when an invalid command is entered).

  • Cannot be empty

  • No spaces in individual commands.

  • Valid Example: "whoami,tree,list"

Configuration Format

Input Format: Select between 'json' or 'yaml'

Validation Rules: Must be either 'json' or 'yaml' (case insensitive)

Run Mode

Input Format: Select between 'foreground' or 'background'

Foreground Mode: Service runs in the current terminal session

Background Mode: Service runs as a background process with logging to files

Validation Rules: Must be either 'foreground' or 'background' (case insensitive)


Multiple API Token Support

The service_config.yaml file stored in the vault contains the service properties. The file has a section called "records", in which each entry defines an API key with its own command list and token expiration.

encryption: ''
encryption_private_key: ''
ip_allowed_list: 0.0.0.0/0
ip_denied_list: ''
is_advanced_security_enabled: n
ngrok: y
ngrok_auth_token: XXXXXXXXXX
ngrok_custom_domain: myname
ngrok_public_url: ''
cloudflare: n
cloudflare_tunnel_token: 
cloudflare_custom_domain: 
cloudflare_public_url: ''
tls_certificate: n
certfile: ''
certpassword: ''
port: 9090
rate_limiting: ''
queue_enabled: y
run_mode: foreground
fileformat: yaml
records:
- api-key: XXXXXXXX
  command_list: tree,record-add
  expiration_timestamp: '9999-12-31T23:59:59'
- api-key: XXXXXXXX
  command_list: get
  expiration_timestamp: '9999-12-31T23:59:59'

Configuration Security

Important Security Feature: The local service configuration files are automatically encrypted using your private key to protect sensitive configuration data including API keys, tokens, and security settings.
