# Secrets Manager Client Commands

### Overview

A client is a specific device that authenticates using a one-time token and gets access to secrets through the application it’s linked to.

### Commands supported

* [Secrets Manager Client Add Command](#secrets-manager-client-add)
* [Secrets Manager Client Remove Command](#secrets-manager-client-remove)

### Secrets Manager Client Add

This command creates a new client identity and generates a **one-time access token** for securely initialising the Secrets Manager SDK on that device.

<details>

<summary>DotNet CLI</summary>

**Command:**  `ksm`

**Action:**

`add-client` : Adds a new device (a new client configuration) to the Secrets Manager application. Using this client configuration, the user can access the Secrets Manager application and the parts of the vault that the application has access to.

**Flag:**

* `--client-name`  : Client name. "add-client", "remove-client" only
* `--unlock-ip`  : Unlock IP Address? "add-client" only
* `--create-expire`  : Device creation expiration in minutes. "add-client" only
* `--access-expire`  : Device access expiration in minutes. "add-client" only
* `--b64`  : Return KSM configuration instead of one-time token "add-client" only
* `value pos. 1`  : Secret Manager application UID or Title

**Example:**

```shell
My Vault> ksm add-client ksm_app_uid --client-name "Example Client"
Successfully generated Client Device

One-Time Access Token: US:device_token
IP Lock: Enabled
Token Expires On: 9/1/2025 10:23:15 AM
App Access Expires On: Never
```

</details>

<details>

<summary>DotNet SDK</summary>

**Function:**

```csharp
public async Task<Tuple<SecretsManagerDevice, string>> AddSecretManagerClient(
            string applicationId, bool? unlockIp = null, int? firstAccessExpireInMinutes = null,
            int? accessExpiresInMinutes = null, string name = null)
```

**Arguments:**

`applicationId` - UID of the application to which this device will be linked.

`unlockIp` - Controls whether the generated client configuration is locked to the single IP address from which it is first used, or can be used from any computer once the configuration is migrated to it. Setting this flag to `true` unlocks the IP.

`firstAccessExpireInMinutes` - Time in minutes after which the configuration becomes obsolete if it has not been used.

`accessExpiresInMinutes` - Time in minutes after which this configuration becomes obsolete and expires.

`name` - Name of the client, stored on the Secrets Manager application. It is visible on the Secrets Manager app in the vault in the web app/UI.

</details>

<details>

<summary>PowerCommander</summary>

**Command:** `Add-KeeperSecretManagerClient`

**Aliases:** `ksm-addclient`

**Flag:**

* `-App`  : Application UID
* `-Name`  : Name of the device
* `-UnlockIP`  : Unlock IP Address
* `-B64`  : Return KSM configuration instead of one time token "add-client" only

**Example:**

```powershell
PS > Add-KeeperSecretManagerClient -App ksm_app_uid -Name "Example Device"
US:device_token
```

</details>

<details>

<summary>Python CLI</summary>

**Command:** `secrets-manager-client`

**Parameters:**

* `--command` : Add or Remove
* `-a`, `--app` : Application name or UID
* `-n`, `--name` : Client Name
* `-c`, `--count` : Number of tokens, default is 1
* `-s`, `--secret` : Record UID added to KSM app
* `-x`, `--first-access-expires-in-min` : Time for the first request to expire in minutes from the time when this command is executed. Max 1440 min (24 hrs). Default: 60
* `-p`, `--access-expire-in-min` : Time interval that this client can access the KSM application. After this time, access is denied. Time is entered in minutes starting from the time when command is executed.

**Options:**

* `-f`, `--force` : Skip confirmation prompts
* `-l`, `--unlock-ip` : Unlock IP address where client can be accessed
* `--return-tokens` : Return the device tokens

**Example:**

```sh
My Vault> secrets-manager-client --command add --app="ksm_app_uid" --name "test client"

Successfully generated Client Device
====================================

One-Time Access Token: US:access_token
Name: test client
IP Lock: Enabled
Token Expires On: 2025-11-05 16:20:14
App Access Expires on: Never
Warning: Configuration is now locked to your current IP. To keep in unlock you can add flag `--unlock-ip` or use the One-time token to generate configuration on the host that has the IP that needs to be locked.

```
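
An added example, not part of the original documentation or the Keeper SDK: a review check over the `secrets-manager-client --command add` output format shown above, which redacts the one-time token and flags a device created with the IP lock off, no access expiry, or a token lifetime above a limit. The function names, the 60-minute limit and the sample text are assumptions constructed for illustration; `created_at` is assumed to be in the same time zone as the CLI output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the Python CLI output format; the token is a placeholder.
SAMPLE_OUTPUT = """\
Successfully generated Client Device
====================================

One-Time Access Token: US:access_token
Name: test client
IP Lock: Disabled
Token Expires On: 2025-11-05 16:20:14
App Access Expires on: Never
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z \-]*?):\s*(.*)$")


def parse_client_output(text):
    """Collect the 'Key: value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line.strip())
        if match:
            fields[match.group(1).lower()] = match.group(2).strip()
    return fields


def audit_client(text, created_at, max_token_minutes=60):
    """Return (redacted fields, findings) for one add-client output (hypothetical helper)."""
    fields = parse_client_output(text)
    findings = []
    if fields.get("ip lock", "").lower() != "enabled":
        findings.append("IP lock is not enabled")
    if fields.get("app access expires on", "").lower() == "never":
        findings.append("app access never expires")
    expires = fields.get("token expires on")
    if expires:
        deadline = datetime.strptime(expires, "%Y-%m-%d %H:%M:%S")
        if deadline - created_at > timedelta(minutes=max_token_minutes):
            findings.append(f"token lifetime exceeds {max_token_minutes} minutes")
    # Redact the one-time token before the result reaches logs or tickets.
    if "one-time access token" in fields:
        fields["one-time access token"] = "<redacted>"
    return fields, findings


if __name__ == "__main__":
    print(audit_client(SAMPLE_OUTPUT, datetime(2025, 11, 5, 15, 20, 14)))
```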

</details>

<details>

<summary>Python SDK</summary>

**Function:**

```python
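import time

MILLISECONDS_PER_SECOND = 1000
MILLISECONDS_PER_MINUTE = 60 * MILLISECONDS_PER_SECOND

# `vault`, `keeper_auth_context`, `ksm_management`, `app_uid`, `client_name`, `count`,
# `unlock_ip` and the two expiry values come from the Keeper SDK session and the
# caller's arguments.

# Look up the application's key; without it no client can be created.
master_key = vault.vault_data.get_record_key(record_uid=app_uid)
if not master_key:
    raise ValueError(f"Could not retrieve app key for application {app_uid}")

server = keeper_auth_context.keeper_endpoint.server
current_time_ms = int(time.time() * MILLISECONDS_PER_SECOND)
# Current time plus the first-access window, in milliseconds.
first_access_expire_duration_ms = (
    current_time_ms + first_access_expires_in_minutes * MILLISECONDS_PER_MINUTE
)
# None when no access expiry was requested.
access_expire_in_ms = (
    access_expire_in_minutes * MILLISECONDS_PER_MINUTE
    if access_expire_in_minutes else None
)

# One call per requested client token.
for i in range(count):
    result = ksm_management.KSMClientManagement.add_client_to_ksm_app(
        vault=vault,
        uid=app_uid,
        client_name=client_name or "",
        count=count,
        index=i,
        unlock_ip=unlock_ip,
        first_access_expire_duration_ms=first_access_expire_duration_ms,
        access_expire_in_ms=access_expire_in_ms,
        master_key=master_key,
        server=server,
    )
    print(result["output_string"])
    # Printed here for demonstration; the one-time token is a secret.
    if result.get("token_info"):
        print(f"  One-Time Token: {result['token_info'].get('oneTimeToken', '')}")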

</details>

### Secrets Manager Client Remove

This command revokes a device’s access to secrets by removing its client registration.

<details>

<summary>DotNet CLI</summary>

**Command:** `ksm`

**Action:** `delete-client`

**Flag:**

* `--client-name`  : Client name. "add-client", "remove-client" only
* `--b64`  : Return KSM configuration instead of one-time token "add-client" only
* `value pos. 1`  : Secret Manager application UID or Title

**Example:**

```bash
My Vault> ksm delete-client ksm_app_uid --client-name "Example Client"
Client "Example Client" has been deleted from application Test_Gateway Application
```

</details>

<details>

<summary>DotNet SDK</summary>

**Function:**

```csharp
public async Task DeleteSecretManagerClient(string applicationId, string deviceId)
```

**Arguments:**

`applicationId` : ID of the KSM app

`deviceId` : ID of the KSM device configuration

**Example:**

```csharp
// Identifiers must match in case: C# treats applicationID and applicationId as different names.
var applicationId = "<AppId>";
var deviceId = "<deviceId>";
await vault.DeleteSecretManagerClient(applicationId, deviceId);
```

</details>

<details>

<summary>PowerCommander</summary>

**Command:** `Remove-KeeperSecretManagerClient`

**Aliases:** `ksm-rmclient`

**Flag:**

* `-App`  : Application UID
* `-Name`  : Name of the device
* `-WhatIf`
* `-Confirm`

**Example:**

```powershell
PS > Remove-KeeperSecretManagerClient -App ksm_app_uid -Name "Example Device" -Confirm

Confirm
Are you sure you want to perform this action?
Performing the operation "Removing KSM Device 'Example Device'" on target "Test_Gateway Application".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y
```

</details>

<details>

<summary>Python CLI</summary>

**Command:** `secrets-manager-client`

**Parameters:**

* `--command` : Add or Remove
* `-i`, `--client` : ID of client to be removed, obtain from `secrets-manager-app get` which lists clients

**Options:**

* `-f`, `--force` : Skip confirmation prompts

**Example:**

```sh
My Vault> secrets-manager-client --command remove --app="ksm-app-uid" -i "client-uid"
Are you sure you want to delete 1 matching client(s) from this application? [y/n]: y

Client removal was successful

My Vault>
```

</details>

<details>

<summary>Python SDK</summary>

**Function:**

```python
ksm_management.KSMClientManagement.remove_clients_from_ksm_app(
    vault=vault,
    uid=app_uid,
    client_names_and_ids=client_ids,  # only client IDs are supported
    callable=confirm_remove,
)
```

</details>
