Secrets Manager App Commands

This page shows how to use secrets manager commands focused on app usage

Secrets Manager App Commands

This subset of secrets manager command deal with keeper secrets manager applications found in vault under Secrets Manager > My Applications. These Commands help with performing CRUD and share/un-share operations for applications, so that you can use the app to access your vault data like secrets and folders.

Commands:

Secrets Manager App List

This action retrieves and displays a table of all Secrets Manager applications currently available in the Keeper vault. Each row contains the unique application UID and the application’s title. This is useful for quickly reviewing all registered apps before managing access or clients.

DotNet CLI

Command: ksm list

Flags:

  • --folder : Shared Folder UID or name. "share", "unshare" only

  • -e, --can-edit : Can secret be edited? "share", "unshare" only

  • --client-name : Client name. "add-client", "remove-client" only

  • --unlock-ip : Unlock IP Address? "add-client" only

  • --create-expire : Device creation expitation in minutes. "add-client" only

  • --access-expire : Device access expitation in minutes. "add-client" only

  • --b64 : Return KSM configuration intead of one time token "add-client" only

  • --email : User UID or email address."app-share", "app-unshare" only

  • --is-admin : Share as admin user. "app-share", "app-unshare" only

  • --help : Display this help screen.

  • --version : Display version information.

  • value pos. 0 : KSM command options: "view", "create", "delete", "share", "unshare", "add-client", "delete-client", "list", "app-share", "app-unshare"

  • value pos. 1 : Secret Manager application UID or Title

Example:

My Vault> ksm list

  #  Application UID         Title          
---  ----------------------  ---------------
  1  ksm_app_uid             DemoApplication
DotNet SDK

Application list can be obtained from sdk using the following snippet, provided the vault is authenticated before.

foreach (var app in context.Vault.KeeperRecords.OfType<ApplicationRecord>())
{
    Console.WriteLine(app.Uid, app.Title);
}
PowerCommander

Command: Get-KeeperSecretManagerApp

Aliases: ksm

Flags:

  • -Uid

  • -Filter

  • -Detail

Example:

PS> Get-KeeperSecretManagerApp
ksm

# Get specific app
Get-KeeperSecretManagerApp -Uid "AppUID"
Python CLI

Command: secrets-manager-app --command='list'

Parameters:

  • --command : list

Example:

My Vault> secrets-manager-app --command='list'

App Name     App UID                 Records   Folders  Devices  Last Access     
---------    ----------------------  --------  -------  -------  ---------
My App       ksm_app_uid             10         2       40       2025-01-01
Python SDK

Function: list_secrets_manager_apps

from keepersdk.vault import ksm_management

app_list = ksm_management.list_secrets_manager_apps(vault=vault)
for app in app_list:
    print(app.name)
    print(app.uid)
    print(app.records)
    print(app.folders)
    print(app.count)
    print(app.last_access)
    print(app.client_devices)
    print(app.shared_secrets)

Secrets Manager App Create

The create action creates a new Secrets Manager Application record in the Keeper Vault. This application can later be configured with client devices and shared folders for secrets management and automation use cases. Optionally, an application name (KsmId) can be specified during creation.

Once created, the application’s UID and title will be displayed in the output.

DotNet CLI

Command: ksm create <APP_NAME>

Flags:

  • --folder : Shared Folder UID or name. "share", "unshare" only

  • -e, --can-edit : Can secret be edited? "share", "unshare" only

  • --client-name : Client name. "add-client", "remove-client" only

  • --unlock-ip : Unlock IP Address? "add-client" only

  • --create-expire : Device creation expiration in minutes. "add-client" only

  • --access-expire : Device access expiration in minutes. "add-client" only

  • --b64 : Return KSM configuration instead of one time token "add-client" only

  • --email : User UID or email address. "app-share", "app-unshare" only

  • --is-admin : Share as admin user. "app-share", "app-unshare" only

  • --help : Display this help screen.

  • --version : Display version information.

  • value pos. 0 : KSM command: "view", "create", "delete", "share", "unshare", "add-client", "delete-client", "list", "app-share", "app-unshare"

  • value pos. 1 : Secret Manager application UID or Title

Example:

My Vault> ksm create DemoApplicationCreateTest
     Application UID: <AppUID>
               Title: DemoApplicationCreateTest
DotNet SDK

Function: CreateSecretManagerApplication

Example:

var ApplicationRecord = await context.Vault.CreateSecretManagerApplication(ApplicationName);#
PowerCommander

Command: Add-KeeperSecretManagerApp <appName>

Flags:

  • -AppName

Example:

PS> Add-KeeperSecretManagerApp DemoPowerShellCreateApp

UID                    Type Title                   Info
---                    ---- -----                   ----
ksm_app_uid            app  DemoPowerShellCreateApp
Python CLI

Command: secrets-manager-app --command='create' or 'add'

Parameters:

  • --command {list,get,add,create,remove,share,unshare} One of: list, get, add, create, remove, share, unshare

  • --app, -a : Use to set name of the secrets manager app to be created

Options:

  • --force, -f : Use to forcefully add secrets manager app with same name

Example:

My Vault> secrets-manager-app --command='create' --app='My App'
Application successfully created added (UID: 0xXXxxX0x_xx0x0xXxXxXX)
Python SDK

Function: create_secrets_manager_app

from keepersdk.vault import ksm_management

ksm_management.create_secrets_manager_app(vault=vault, name='App Name', force_add=True)

Secrets Manager App View

Displays detailed information about a specific Secrets Manager Application using its UID/Name.

This command retrieves the application record from the vault and prints relevant metadata, including its UID, title, shared status, linked shared folders, and any associated records.

Behaviour:

  • Fetches the Secrets Manager Application from the vault using the provided Name.

  • Outputs a summary of the application’s details, similar to how they are stored in Keeper.

  • Useful for auditing or reviewing configuration and access relationships.

DotNet CLI

Command : ksm view <AppName>

Flags :

  • --folder : Shared Folder UID or name. "share", "unshare" only

  • -e, --can-edit : Can secret be edited? "share", "unshare" only

  • --client-name : Client name. "add-client", "remove-client" only

  • --unlock-ip : Unlock IP Address? "add-client" only

  • --create-expire : Device creation expiration in minutes. "add-client" only

  • --access-expire : Device access expiration in minutes. "add-client" only

  • --b64 : Return KSM configuration instead of one time token "add-client" only

  • --email : User UID or email address. "app-share", "app-unshare" only

  • --is-admin : Share as admin user. "app-share", "app-unshare" only

  • --help : Display this help screen.

  • --version : Display version information.

  • value pos. 0 : KSM command: "view", "create", "delete", "share", "unshare", "add-client", "delete-client", "list", "app-share", "app-unshare"

  • value pos. 1 : Secret Manager application UID or Title

Example:

My Vault> ksm view DemoApplication       
     Application UID: ksm_app_uid
               Title: DemoApplication

Shares
  #  Share Type    Share UID               Share Title         Editable  Created          
---  ------------  ----------------------  ------------------  --------  -----------------
  1  SharedFolder  share_uid               Demo Shared Folder  -         7/23/2025 9:07 AM

Devices
  #  Name         Device ID  Created            Last Accessed
---  -----------  ---------  -----------------  -------------
  1  Device name  XX2ABC     7/23/2025 9:06 AM
DotNet SDK

Function: TryGetKeeperRecord

Example:

public bool TryGetKeeperRecord(string recordUid, out KeeperRecord application)
PowerCommander

Command: Get-KeeperSecretManagerApp

Aliases : ksm <uid>

Flags :

  • Uid

  • Filter

  • Detail

Example:

PS> ksm ksm_app_uid -Detail

Uid                    Title           IsExternalShare DeviceCount ShareCount
---                    -----           --------------- ----------- ----------
ksm_app_uid            DemoApplication False           1           1
Python CLI

Command: secrets-manager-app --command='get'

Parameters:

  • --command = get

  • --app, -a : The UID or title of the secrets-manager-app to be fetched

Example:

My Vault> secrets-manager-app --command='get' --app='My App'

Secrets Manager Application
App Name: My App
App UID: abcd_1234_XXXX

Client Device 1
============================
Device Name: 0XxXX00Xx0x
Short ID: ABCD1234
Created on: 2025-01-01 00:00:00
Expires On: None
First Access: None
Last Access: None
IP Lock: False
IP Address: --

Share Type        UID                Title        Permissions
---------------   ----------------   ----------   --------------
Folder            abcd1234ABCD1234   App Folder   True
Python SDK

Function: get_secrets_manager_app

from keepersdk.vault import ksm_management


ksm_management.get_secrets_manager_app(vault: vault_online.VaultOnline, uid_or_name: str) -> ksm.SecretsManagerApp:

Secrets Manager App Delete

This Command removes the application whose UID or name is given by user.

Behaviour:

  • Fetches the secrets manager application based on name or uid provided

  • Asks user confirmation (in power shell)

  • Deletes the application with given UID

DotNet CLI

Command: ksm delete <APP_UID>

Flags :

  • --folder : Shared Folder UID or name. "share", "unshare" only

  • -e, --can-edit : Can secret be edited? "share", "unshare" only

  • --client-name : Client name. "add-client", "remove-client" only

  • --unlock-ip : Unlock IP Address? "add-client" only

  • --create-expire : Device creation expiration in minutes. "add-client" only

  • --access-expire : Device access expiration in minutes. "add-client" only

  • --b64 : Return KSM configuration instead of one time token "add-client" only

  • --email : User UID or email address. "app-share", "app-unshare" only

  • --is-admin : Share as admin user. "app-share", "app-unshare" only

  • --help : Display this help screen.

  • --version : Display version information.

  • value pos. 0 : KSM command: "view", "create", "delete", "share", "unshare", "add-client", "delete-client", "list", "app-share", "app-unshare"

  • value pos. 1 : Secret Manager application UID or Title

Example:

My Vault> ksm delete ksm_app_uid
KSM Application DemoApplicationCreateTest has been deleted.
DotNet SDK

Function: DeleteSecretManagerApplication

Example:

public async Task DeleteSecretManagerApplication(string applicationId)
PowerCommander

Command: ksm-delete <APP_UID>

Example:

PS> ksm-delete ksm_app_uid

Confirm
Are you sure you want to perform this action?
Performing the operation "Delete" on target "Secrets Manager App UID: ksm_app_uid".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y
System.Threading.Tasks.VoidTaskResult
Secrets Manager Application with UID 'ksm_app_uid' has been deleted.
Python CLI

Command: secrets-manager-app --command='remove' --app='<app_uid_or_name>'

Parameters:

--command remove

Options:

--force Use force to delete secrets manager apps with clients

Example:

My Vault> secrets-manager-app --command='remove' --app='My App' --force
Application was successfully removed (UID: XX0XXXX000xx-XxxxXXxxX)
Python SDK

Function: remove_secrets_manager_app

from keepersdk.vault import ksm_management
ksm_management.remove_secrets_manager_app(vault: vault_online.VaultOnline, uid_or_name: str, force: Optional[bool] = False):

Secrets Manager App Share

This command shares the application with users mentioned. In case the user is not part of shareable pool ( By default, it will be your team/enterprise) then an invitation to share will be sent to the email mentioned and an email invitation for sharing will be sent.

Behaviour:

  • Fetches the app details and its information related to shares

  • checks if the user is already in shareable pool and if user has access to the app

  • once the app is shareable, it will be shared with user else an email will be sent to user with invite.

DotNet CLI

Command: ksm app-share APP_UID --email=USER_EMAIL --is-admin --can-edit --folder=<FOLDER_UID_FOR_SHARE_FOLDER>

Flags

Flag
Usage
Description

--can-edit

--can-edit

When this flag is used in command, this sets user can edit to true which will make the application which is shared to user be editable by user, else the application will be readonly

--folder

--folder=UID

When this flag is given, it has to be given in format of --folder=FOLDER_UID which will share just the subfolder to the user instead of all the things which this application has acces to

--is-admin

--is-admin

When this flag is given, , this gives the user an admin permission to the application and everything which is being shared with the user.

--email

--email=id

This is required field. it should be given in format of --email=EMAIL_ID and this will be the user email to which we will be sharing to.

Example:

My Vault> ksm app-share APP_UID --email=USER_EMAIL --is-admin --can-edit --folder=<FOLDER_UID_FOR_SHARE_FOLDER>
User <user> is not found in the list of users for sharing.
Share invitation request has been sent to user <user_email>. Please wait for the user to accept the request before sharing the application.
Application "DemoApplication" has been shared with user <USER_EMAIL>
DotNet SDK

Function: ShareRecordWithUser

Flags:

Function Parameter
Usage
Description

recordUid

<Record UID>

This is UID of the application/record which needs to be shared

username

<Email>

This is Email or userid of the user with whom we are sharing the application

options.CanEdit

boolean

can edit the application data

options.CanShare

boolean

can share the application

userType

Enum

Type of the user - Enterprise or regular user

Example:

public async Task ShareRecordWithUser(string recordUid, string username, IRecordShareOptions options)
public async Task PutUserToSharedFolder(string sharedFolderUid,
            string userId,
            UserType userType,
            IUserShareOptions options)

Note:

  • Sharing the application this way has to follow a process.

  • when we are sharing an application with user, first we have to get all records to which this application has access to.

  • once we get all records, we have to share them all with the user in question with required permissions using RevokeShareFromUser .

  • once we get all the shared folders which the application has access to, then put the user into each shared folder using the PutUserToSharedFolder .

  • finally once all the above steps are done, then share the application with the user with appropriate permissions using ShareRecordWithUser .

  • Now Sharing of application is done.

PowerCommander

Command: Grant-KeeperAppAccess -ApplicationId <APP_UID> -UserUid <USER_ID>

Flags:

Flag
Usage
Description

-IsAdmin

-IsAdmin

When this flag is given, , this gives the user an admin permission to the application and everything which is being shared with the user.

-UserUid

-UserUid <id>

This is required field. it should be given in format of -UserUid EMAIL_ID. This will be the user email to which we will be sharing to.

Example:

PS> Grant-KeeperAppAccess -ApplicationId <APP_UID> -UserUid <USER_UID> -IsAdmin
Granting Secrets Manager application access to '<APP_UID>'...
Successfully granted access to application <APP_UID> for user '<USER_UID>'.
Python CLI

Command: secrets-manager-app --command='share'

Flags:

  • --command = share

  • -a, --app : Name or UID of app to be share

  • -e, --email : Email of user with whom the app is to be shared/unshared

  • --admin : Admin permissions to share and edit the records present in the app

Example:

My Vault> secrets-manager-app --command='share' --email='[email protected]' --app='My App'
Record <APP_UID> access permissions has been granted to user '[email protected]'
Share updates processed successfully
Python SDK

Function: Coming Soon

Secrets Manager App UnShare

This command removes the application shares with users mentioned. The user's access to the application along with folder and records under the application will be revoked.

Behavior:

  • Fetches the app details and its information related to shares

  • checks if user has access to the app

  • If the user is not found the command exits stating the same.

  • If app is shared with the user, then we remove access to the underlying records and folder which are present in app, then app access is revoked.

DotNet CLI

Command: ksm app-unshare APP_UID --email=USER_EMAIL

Flags

Flag
Usage
Description

email

--email=id

This is required field. it should be given in format of --email=EMAIL_ID and this will be the user whose access is revoked with respect to application.

Example:

My Vault> ksm app-unshare ksm_app_uid --email=<user_email>                                                  
Application "DemoApplication" has been unshared from user <user_email>
DotNet SDK

Function: ShareRecordWithUser

Flags:

Function Parameter
Usage
Description

recordUid

<Record UID>

This is UID of the application/record which needs to be revoked

username

<Email>

This is Email or userid of the user with whom we are revoking the application from

userType

Enum

Type of the user - Enterprise or regular user

Example:

public async Task RevokeShareFromUser(string recordUid, string username)
public async Task RemoveUserFromSharedFolder(string sharedFolderUid, string userId, UserType userType)

Note:

  • revoking the application access has to follow this process

  • when we are revoking an application from user, first we have to get all records to which this application has access to

  • once we get all records, we have to revoke them all from the user in question with required permissions RevokeShareFromUser

  • once we get all the shared folders which the application has access to, then remove the user from each shared folder using the RemoveUserFromSharedFolder

  • finally once all the above steps are done, then revoke the application from user using RevokeShareFromUser

  • Now revoking of application is done.

PowerCommander

Command: Revoke-KeeperAppAccess -ApplicationId <APP_UID> -UserUid <USER_ID>

Flags:

Flag
Usage
Description

UserUid

-UserUid <id>

This is required field. it should be given in format of -UserUid EMAIL_ID. This will be the user email to which we will be sharing to.

Example:

PS> Revoke-KeeperAppAccess -ApplicationId ksm_app_uid -UserUid <user_email>
Revoking Secrets Manager application access from '<user_email>'...
Successfully revoked access to application 'ksm_app_uid' from user '<user_email>'.
Python CLI

Command: secrets-manager-app --command='unshare'

Parameters:

--command = unshare

-a --app Name or UID of app to be share

-e --email E-Mail of user with whom the app is to be shared/unshared

Example:

My Vault> secrets-manager-app --command='unshare' --email='[email protected]' --app='My App'
Record <APP_UID> access permissions has been revoked from user '[email protected]'
Share updates processed successfully
Python SDK

Function: Coming Soon

PreviousSecrets Manager commandsNextSecrets Manager Client Commands

Last updated

Was this helpful?