# Secrets Manager App Commands ### Secrets Manager App Commands This subset of secrets manager command deal with keeper secrets manager applications found in vault under **Secrets Manager > My Applications.** These Commands help with performing CRUD and share/un-share operations for applications, so that you can use the app to access your vault data like secrets and folders. **Commands**: * [list](#secrets-manager-app-list) * [create](#secrets-manager-app-create) * [view](#secrets-manager-app-view) * [delete](#secrets-manager-app-delete) * [share](#secrets-manager-app-share) * [unshare](#secrets-manager-app-unshare) ### Secrets Manager App List This action retrieves and displays a table of all Secrets Manager applications currently available in the Keeper vault. Each row contains the unique application UID and the application’s title. This is useful for quickly reviewing all registered apps before managing access or clients.

DotNet CLI

**Command:** `ksm list` **Flags:** * `--folder` : Shared Folder UID or name. "share", "unshare" only * `-e, --can-edit` : Can secret be edited? "share", "unshare" only * `--client-name` : Client name. "add-client", "remove-client" only * `--unlock-ip` : Unlock IP Address? "add-client" only * `--create-expire` : Device creation expitation in minutes. "add-client" only * `--access-expire` : Device access expitation in minutes. "add-client" only * `--b64` : Return KSM configuration intead of one time token "add-client" only * `--email` : User UID or email address."app-share", "app-unshare" only * `--is-admin` : Share as admin user. "app-share", "app-unshare" only * `--help` : Display this help screen. * `--version` : Display version information. * `value pos. 0` : KSM command options: "`view`", "`create`", "`delete`", "`share`", "`unshare`", "`add-client`", "`delete-client`", "`list`", "`app-share`", "`app-unshare`" * `value pos. 1` : Secret Manager application UID or Title **Example:** ``` My Vault> ksm list # Application UID Title --- ---------------------- --------------- 1 ksm_app_uid DemoApplication ```

DotNet SDK

Application list can be obtained from sdk using the following snippet, provided the vault is authenticated before. ```csharp foreach (var app in context.Vault.KeeperRecords.OfType()) { Console.WriteLine(app.Uid, app.Title); } ```

PowerCommander

**Command**: `Get-KeeperSecretManagerApp` **Aliases:** `ksm` **Flags**: * `-Uid` * `-Filter` * `-Detail` **Example:** ```powershell PS> Get-KeeperSecretManagerApp ksm # Get specific app Get-KeeperSecretManagerApp -Uid "AppUID" ```

Python CLI

**Command**: `secrets-manager-app --command='list'` **Parameters**: * `--command` : list **Example:** ```sh My Vault> secrets-manager-app --command='list' App Name App UID Records Folders Devices Last Access --------- ---------------------- -------- ------- ------- --------- My App ksm_app_uid 10 2 40 2025-01-01 ```

Python SDK

**Function:** `list_secrets_manager_apps` ```python from keepersdk.vault import ksm_management app_list = ksm_management.list_secrets_manager_apps(vault=vault) for app in app_list: print(app.name) print(app.uid) print(app.records) print(app.folders) print(app.count) print(app.last_access) print(app.client_devices) print(app.shared_secrets) ```

### Secrets Manager App Create The `create` action creates a new Secrets Manager Application record in the Keeper Vault. This application can later be configured with client devices and shared folders for secrets management and automation use cases. Optionally, an application name (`KsmId`) can be specified during creation. Once created, the application’s UID and title will be displayed in the output.

DotNet CLI

**Command**: `ksm create ` **Flags:** * `--folder` : Shared Folder UID or name. "share", "unshare" only * `-e, --can-edit` : Can secret be edited? "share", "unshare" only * `--client-name` : Client name. "add-client", "remove-client" only * `--unlock-ip` : Unlock IP Address? "add-client" only * `--create-expire` : Device creation expiration in minutes. "add-client" only * `--access-expire` : Device access expiration in minutes. "add-client" only * `--b64` : Return KSM configuration instead of one time token "add-client" only * `--email` : User UID or email address. "app-share", "app-unshare" only * `--is-admin` : Share as admin user. "app-share", "app-unshare" only * `--help` : Display this help screen. * `--version` : Display version information. * `value pos. 0` : KSM command: "`view`", "`create`", "`delete`", "`share`", "`unshare`", "`add-client`", "`delete-client`", "`list`", "`app-share`", "`app-unshare`" * `value pos. 1` : Secret Manager application UID or Title **Example:** ```sh My Vault> ksm create DemoApplicationCreateTest Application UID: Title: DemoApplicationCreateTest ```

DotNet SDK

**Function:** `CreateSecretManagerApplication` **Example:** ```csharp var ApplicationRecord = await context.Vault.CreateSecretManagerApplication(ApplicationName);# ```

PowerCommander

**Command:** `Add-KeeperSecretManagerApp ` **Flags**: * `-AppName` **Example:** ```powershell PS> Add-KeeperSecretManagerApp DemoPowerShellCreateApp UID Type Title Info --- ---- ----- ---- ksm_app_uid app DemoPowerShellCreateApp ```

Python CLI

**Command:** `secrets-manager-app --command='create' or 'add'` **Parameters:** * `--command` {list,get,add,create,remove,share,unshare}\ One of: list, get, add, create, remove, share, unshare * `--app, -a` : Use to set name of the secrets manager app to be created **Options**: * `--force, -f` : Use to forcefully add secrets manager app with same name **Example:** ```sh My Vault> secrets-manager-app --command='create' --app='My App' Application successfully created added (UID: 0xXXxxX0x_xx0x0xXxXxXX) ```

Python SDK

**Function:** `create_secrets_manager_app` ```python from keepersdk.vault import ksm_management ksm_management.create_secrets_manager_app(vault=vault, name='App Name', force_add=True) ```

### Secrets Manager App View Displays detailed information about a specific Secrets Manager Application using its UID/Name. This command retrieves the application record from the vault and prints relevant metadata, including its UID, title, shared status, linked shared folders, and any associated records. **Behaviour:** * Fetches the Secrets Manager Application from the vault using the provided Name. * Outputs a summary of the application’s details, similar to how they are stored in Keeper. * Useful for auditing or reviewing configuration and access relationships.

DotNet CLI

**Command** : `ksm view ` **Flags :** * `--folder` : Shared Folder UID or name. "share", "unshare" only * `-e, --can-edit` : Can secret be edited? "share", "unshare" only * `--client-name` : Client name. "add-client", "remove-client" only * `--unlock-ip` : Unlock IP Address? "add-client" only * `--create-expire` : Device creation expiration in minutes. "add-client" only * `--access-expire` : Device access expiration in minutes. "add-client" only * `--b64` : Return KSM configuration instead of one time token "add-client" only * `--email` : User UID or email address. "app-share", "app-unshare" only * `--is-admin` : Share as admin user. "app-share", "app-unshare" only * `--help` : Display this help screen. * `--version` : Display version information. * `value pos. 0` : KSM command: "`view`", "`create`", "`delete`", "`share`", "`unshare`", "`add-client`", "`delete-client`", "`list`", "`app-share`", "`app-unshare`" * `value pos. 1` : Secret Manager application UID or Title **Example:** ```sh My Vault> ksm view DemoApplication Application UID: ksm_app_uid Title: DemoApplication Shares # Share Type Share UID Share Title Editable Created --- ------------ ---------------------- ------------------ -------- ----------------- 1 SharedFolder share_uid Demo Shared Folder - 7/23/2025 9:07 AM Devices # Name Device ID Created Last Accessed --- ----------- --------- ----------------- ------------- 1 Device name XX2ABC 7/23/2025 9:06 AM ```

DotNet SDK

**Function:** `TryGetKeeperRecord` **Example:** ```csharp public bool TryGetKeeperRecord(string recordUid, out KeeperRecord application) ```

PowerCommander

**Command:** `Get-KeeperSecretManagerApp` **Aliases :** `ksm ` **Flags** : * `Uid` * `Filter` * `Detail` **Example:** ```powershell PS> ksm ksm_app_uid -Detail Uid Title IsExternalShare DeviceCount ShareCount --- ----- --------------- ----------- ---------- ksm_app_uid DemoApplication False 1 1 ```

Python CLI

**Command:** `secrets-manager-app --command='get'` **Parameters:** * `--command` = get * `--app, -a` : The UID or title of the secrets-manager-app to be fetched **Example:** ```sh My Vault> secrets-manager-app --command='get' --app='My App' Secrets Manager Application App Name: My App App UID: abcd_1234_XXXX Client Device 1 ============================ Device Name: 0XxXX00Xx0x Short ID: ABCD1234 Created on: 2025-01-01 00:00:00 Expires On: None First Access: None Last Access: None IP Lock: False IP Address: -- Share Type UID Title Permissions --------------- ---------------- ---------- -------------- Folder abcd1234ABCD1234 App Folder True ```

Python SDK

**Function:** `get_secrets_manager_app` ```python from keepersdk.vault import ksm_management ksm_management.get_secrets_manager_app(vault: vault_online.VaultOnline, uid_or_name: str) -> ksm.SecretsManagerApp: ```

### Secrets Manager App Delete This Command removes the application whose UID or name is given by user. **Behaviour:** * Fetches the secrets manager application based on name or uid provided * Asks user confirmation (in power shell) * Deletes the application with given UID

DotNet CLI

**Command:** `ksm delete ` **Flags :** * `--folder` : Shared Folder UID or name. "share", "unshare" only * `-e, --can-edit` : Can secret be edited? "share", "unshare" only * `--client-name` : Client name. "add-client", "remove-client" only * `--unlock-ip` : Unlock IP Address? "add-client" only * `--create-expire` : Device creation expiration in minutes. "add-client" only * `--access-expire` : Device access expiration in minutes. "add-client" only * `--b64` : Return KSM configuration instead of one time token "add-client" only * `--email` : User UID or email address. "app-share", "app-unshare" only * `--is-admin` : Share as admin user. "app-share", "app-unshare" only * `--help` : Display this help screen. * `--version` : Display version information. * `value pos. 0` : KSM command: "`view`", "`create`", "`delete`", "`share`", "`unshare`", "`add-client`", "`delete-client`", "`list`", "`app-share`", "`app-unshare`" * `value pos. 1` : Secret Manager application UID or Title **Example:** ```sh My Vault> ksm delete ksm_app_uid KSM Application DemoApplicationCreateTest has been deleted. ```

DotNet SDK

**Function**: `DeleteSecretManagerApplication` **Example:** ```csharp public async Task DeleteSecretManagerApplication(string applicationId) ```

PowerCommander

**Command:** `Remove-KeeperSecretManagerApp ` **alias**: `ksm-delete` **Example:** ```powershell PS> ksm-delete ksm_app_uid Confirm Are you sure you want to perform this action? Performing the operation "Delete" on target "Secrets Manager App UID: ksm_app_uid". [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): Y System.Threading.Tasks.VoidTaskResult Secrets Manager Application with UID 'ksm_app_uid' has been deleted. ```

Python CLI

**Command:** `secrets-manager-app --command='remove' --app=''` **Parameters**: `--command` remove **Options**: `--force` Use force to delete secrets manager apps with clients **Example:** ```sh My Vault> secrets-manager-app --command='remove' --app='My App' --force Application was successfully removed (UID: XX0XXXX000xx-XxxxXXxxX) ```

Python SDK

**Function:** `remove_secrets_manager_app` ```python from keepersdk.vault import ksm_management ksm_management.remove_secrets_manager_app(vault: vault_online.VaultOnline, uid_or_name: str, force: Optional[bool] = False): ```

### Secrets Manager App Share This command shares the application with users mentioned. In case the user is not part of shareable pool ( By default, it will be your team/enterprise) then an invitation to share will be sent to the email mentioned and an email invitation for sharing will be sent. **Behaviour:** * Fetches the app details and its information related to shares * checks if the user is already in shareable pool and if user has access to the app * once the app is shareable, it will be shared with user else an email will be sent to user with invite.

DotNet CLI

**Command**: `ksm app-share APP_UID --email=USER_EMAIL --is-admin --can-edit --folder=` **Flags**

Flag	Usage	Description
--can-edit	--can-edit	When this flag is used in command, this sets user can edit to true which will make the application which is shared to user be editable by user, else the application will be readonly
--folder	--folder=UID	When this flag is given, it has to be given in format of --folder=FOLDER_UID which will share just the subfolder to the user instead of all the things which this application has acces to
--is-admin	--is-admin	When this flag is given, , this gives the user an admin permission to the application and everything which is being shared with the user.
--email	--email=id	This is required field. it should be given in format of --email=EMAIL_ID and this will be the user email to which we will be sharing to.

**Example:** ```sh My Vault> ksm app-share APP_UID --email=USER_EMAIL --is-admin --can-edit --folder= User is not found in the list of users for sharing. Share invitation request has been sent to user . Please wait for the user to accept the request before sharing the application. Application "DemoApplication" has been shared with user ```

DotNet SDK

**Function:** `ShareRecordWithUser` **Flags:**

Function Parameter	Usage	Description
recordUid	<Record UID>	This is UID of the application/record which needs to be shared
username	<Email>	This is Email or userid of the user with whom we are sharing the application
options.CanEdit	boolean	can edit the application data
options.CanShare	boolean	can share the application
userType	Enum	Type of the user - Enterprise or regular user

**Example:** ```csharp public async Task ShareRecordWithUser(string recordUid, string username, IRecordShareOptions options) ``` ```csharp public async Task PutUserToSharedFolder(string sharedFolderUid, string userId, UserType userType, IUserShareOptions options) ``` **Note:** * Sharing the application this way has to follow a process. * when we are sharing an application with user, first we have to get all records to which this application has access to. * once we get all records, we have to share them all with the user in question with required permissions using `RevokeShareFromUser` . * once we get all the shared folders which the application has access to, then put the user into each shared folder using the `PutUserToSharedFolder` . * finally once all the above steps are done, then share the application with the user with appropriate permissions using `ShareRecordWithUser` . * Now Sharing of application is done.

PowerCommander

**Command:** `Grant-KeeperAppAccess -ApplicationId -UserUid ` **Flags:**

Flag	Usage	Description
-IsAdmin	-IsAdmin	When this flag is given, , this gives the user an admin permission to the application and everything which is being shared with the user.
-UserUid	-UserUid <id>	This is required field. it should be given in format of -UserUid EMAIL_ID. This will be the user email to which we will be sharing to.

**Example:** ```powershell PS> Grant-KeeperAppAccess -ApplicationId -UserUid -IsAdmin Granting Secrets Manager application access to ''... Successfully granted access to application for user ''. ```

Python CLI

**Command**: `secrets-manager-app --command='share'` **Flags**: * `--command` = share * `-a, --app` : Name or UID of app to be share * `-e, --email` : Email of user with whom the app is to be shared/unshared * `--admin` : Admin permissions to share and edit the records present in the app **Example:** ```sh My Vault> secrets-manager-app --command='share' --email='abc@email.com' --app='My App' Record access permissions has been granted to user 'abc@email.com' Share updates processed successfully ```

Python SDK

**Function:** ```python success_responses, failed_responses = ksm_management.share_secrets_manager_app( vault=vault, enterprise=enterprise_data, app_uid=app_uid_or_name, emails=user_emails, action="grant", can_edit=can_edit, can_share=can_share, ) # Note: SDK may return (None, None) due to list.extend() in return; treat as success. if success_responses: print(f"KSM app '{app_uid_or_name}': {action} succeeded for {len(success_responses)} user(s).") if failed_responses: for r in failed_responses: print(f" Failed: {r}") if (not success_responses or success_responses is None) and ( not failed_responses or failed_responses is None ): print(f"KSM app '{app_uid_or_name}': {action} completed for {len(user_emails)} user(s).") ```

### Secrets Manager App UnShare This command removes the application shares with users mentioned. The user's access to the application along with folder and records under the application will be revoked. **Behavior:** * Fetches the app details and its information related to shares * checks if user has access to the app * If the user is not found the command exits stating the same. * If app is shared with the user, then we remove access to the underlying records and folder which are present in app, then app access is revoked.

DotNet CLI

**Command**: `ksm app-unshare APP_UID --email=USER_EMAIL` **Flags**

Flag	Usage	Description
email	--email=id	This is required field. it should be given in format of --email=EMAIL_ID and this will be the user whose access is revoked with respect to application.

**Example:** ```sh My Vault> ksm app-unshare ksm_app_uid --email= Application "DemoApplication" has been unshared from user ```

DotNet SDK

**Function:** `ShareRecordWithUser` **Flags:**

Function Parameter	Usage	Description
recordUid	<Record UID>	This is UID of the application/record which needs to be revoked
username	<Email>	This is Email or userid of the user with whom we are revoking the application from
userType	Enum	Type of the user - Enterprise or regular user

**Example:** ```csharp public async Task RevokeShareFromUser(string recordUid, string username) ``` ```csharp public async Task RemoveUserFromSharedFolder(string sharedFolderUid, string userId, UserType userType) ``` **Note:** * revoking the application access has to follow this process * when we are revoking an application from user, first we have to get all records to which this application has access to * once we get all records, we have to revoke them all from the user in question with required permissions `RevokeShareFromUser` * once we get all the shared folders which the application has access to, then remove the user from each shared folder using the `RemoveUserFromSharedFolder` * finally once all the above steps are done, then revoke the application from user using `RevokeShareFromUser` * Now revoking of application is done.

PowerCommander

**Command:** `Revoke-KeeperAppAccess -ApplicationId -UserUid ` **Flags:**

Flag	Usage	Description
UserUid	-UserUid <id>	This is required field. it should be given in format of -UserUid EMAIL_ID. This will be the user email to which we will be sharing to.

**Example:** ```powershell PS> Revoke-KeeperAppAccess -ApplicationId ksm_app_uid -UserUid Revoking Secrets Manager application access from ''... Successfully revoked access to application 'ksm_app_uid' from user ''. ```

Python CLI

**Command:** `secrets-manager-app --command='unshare'` **Parameters**: `--command` = unshare `-a` `--app` Name or UID of app to be share `-e` `--email` E-Mail of user with whom the app is to be shared/unshared **Example:** ```sh My Vault> secrets-manager-app --command='unshare' --email='abc@email.com' --app='My App' Record access permissions has been revoked from user 'abc@email.com' Share updates processed successfully ```

Python SDK

**Function:** ```python success_responses, failed_responses = ksm_management.share_secrets_manager_app( vault=vault, enterprise=enterprise_data, app_uid=app_uid_or_name, emails=user_emails, action="remove", can_edit=can_edit, can_share=can_share, ) # Note: SDK may return (None, None) due to list.extend() in return; treat as success. if success_responses: print(f"KSM app '{app_uid_or_name}': {action} succeeded for {len(success_responses)} user(s).") if failed_responses: for r in failed_responses: print(f" Failed: {r}") if (not success_responses or success_responses is None) and ( not failed_responses or failed_responses is None ): print(f"KSM app '{app_uid_or_name}': {action} completed for {len(user_emails)} user(s).") ```