Local Endpoints

Audience: IT admins who run management tasks against the agent (health checks, plugin control, jobs, settings) from scripts or tools.
Overview
Keeper Privilege Manager exposes an HTTP/HTTPS API on localhost only (default ports 6888 HTTP, 6889 HTTPS). Use it for health checks, plugin start/stop/restart, job listing and trigger, settings and plugin settings, registration, and other management operations. All endpoints are local to the machine; they are not intended to be exposed to the network.
Base URLs:
HTTP: http://127.0.0.1:6888 (automatically redirects to HTTPS)
HTTPS: https://127.0.0.1:6889
Because this communication occurs entirely on the local machine, KEPM automatically manages the certificate lifecycle and validation. The certificate is kept in memory (not written to disk), is rotated internally, and a new certificate is generated each time the service starts.
Authorization levels:
Public — No auth (health, root, system status).
Plugin — Caller must be a process launched by Keeper Privilege Manager with a valid certificate (e.g. plugins, jobs).
Elevated Admin — Caller must have admin privileges (or be a trusted system process) and a valid certificate.
Many management operations require Plugin or Admin. Scripts run manually often use Admin (e.g. from an elevated PowerShell or as root). For certificate-based calls, the product may provide a client certificate for script use; see your deployment docs.
Public Endpoints (no auth)
Use these for monitoring and basic checks.
| Method | Endpoint | Description |
| --- | --- | --- |
| GET | /health | Health check. Returns status (e.g. healthy), timestamp, version. |
| GET | / | Root; service name, status, version. |
| GET | /api/system/status | System status: running, plugin count, job count (total/enabled). |
Examples:
Plugin Management
| Method | Endpoint | Auth | Description |
| --- | --- | --- | --- |
| GET | /api/plugins | Plugin | List all plugins (id, name, status, processId, lastStartTime). |
| POST | /api/plugins/{name}/start | Admin | Start a plugin. |
| POST | /api/plugins/{name}/stop | Admin | Stop a plugin. |
| POST | /api/plugins/{name}/restart | Admin | Restart a plugin. |
Replace {name} with the plugin id (e.g. KeeperPolicy, KeeperAPI). Use these to recover from a stuck plugin or after changing plugin config.
Job Management
| Method | Endpoint | Auth | Description |
| --- | --- | --- | --- |
| GET | /api/Jobs | Plugin | List all registered jobs (id, name, enabled, schedule, last run). |
| GET | /api/Jobs/{jobId} | Plugin | Get one job by id. |
| POST | /api/Jobs | Admin | Create a job (JSON body). |
| PUT | /api/Jobs/{jobId} | Admin | Update a job. |
| DELETE | /api/Jobs/{jobId} | Admin | Delete a job. |
| POST | /api/Jobs/{jobId}/run | Admin | Run job immediately. |
| POST | /api/Jobs/{jobId}/trigger | Admin | Trigger job with event context (JSON body). |
| POST | /api/Jobs/validate | Admin | Validate job JSON (POST body = job JSON). |
Use run or trigger for on-demand execution; use validate before creating or updating jobs.
Settings
| Method | Endpoint | Auth | Description |
| --- | --- | --- | --- |
| GET | /api/Settings | Plugin | Get all app settings (sensitive values may be masked). |
| GET | /api/Settings/{key} | Plugin | Get one setting by key (e.g. Settings:KestrelHttpsPort). |
| PUT | /api/Settings/{key} | Admin | Update a setting (body = value). |
| POST | /api/Settings/revert | Admin | Revert settings to defaults (optional body: list of keys). |
Plugin Settings
| Method | Endpoint | Auth | Description |
| --- | --- | --- | --- |
| GET | /api/PluginSettings/{pluginName} | Plugin | Get all settings for a plugin. |
| GET | /api/PluginSettings/{pluginName}/{settingName} | Plugin | Get one plugin setting. |
| PUT | /api/PluginSettings/{pluginName}/{settingName} | Admin | Update one plugin setting (body = value). |
| POST | /api/PluginSettings/revert-all | Admin | Re-import all plugin settings from their JSON files on disk. |
| POST | /api/PluginSettings/{pluginName}/revert | Admin | Re-import one plugin’s settings from its JSON file. |
Use revert or revert-all after editing plugin JSON files or after pushing config via policy so the in-memory settings match disk.
Keeper Registration
| Method | Endpoint | Auth | Description |
| --- | --- | --- | --- |
| GET | /api/Keeper/registration | Plugin | Get agent registration status (AgentUID, IsRegistered, Hostname, etc.). |
| POST | /api/Keeper/register | Admin (or public in some deployments) | Register agent; query param token=... (and optional force=true). |
| POST | /api/Keeper/unregister | Admin | Unregister agent. |
Example (register):
Other Endpoint Groups
The API also includes endpoints for:
Audit — GET/POST audit events.
Notifications — Send notifications.
File access — Request, grant, revoke file access; history.
User session — Launch process in user session, validate launch.
Ephemeral — Launch ephemeral account, list/delete accounts, cleanup.
Controls — Control requests, approvals, launch approved request.
Credentials — Risk assessment credentials (store/get/delete).
Path variables — Create/update/delete custom path variables (if enabled).
Exact paths and request/response shapes follow the product’s API; the tables above cover the most common management tasks. For scripting, use HTTPS, handle 403 (auth) and 404 (not found), and use Admin or the appropriate certificate where required.
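One way to script against these endpoints following the advice above (an added example, not Keeper's code): a small Python client that refuses non-loopback base URLs, bypasses any configured proxy, and turns 403 and 404 into explicit errors. The names call_agent, restart_plugin and AgentApiError are made up for this example, and how the script trusts the agent's certificate or presents a client certificate is assumed to come from your deployment docs as an ssl.SSLContext.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import quote, urlsplit

DEFAULT_BASE = "https://127.0.0.1:6889"   # HTTPS base URL given on this page
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


class AgentApiError(Exception):
    """Failure with a reason a calling script can log or act on."""


def call_agent(method, path, base=DEFAULT_BASE, body=None, context=None, timeout=5):
    """Call one local endpoint; return (status, parsed JSON or raw text)."""
    host = urlsplit(base).hostname
    if host not in LOOPBACK:                      # the API is local-only by design
        raise AgentApiError(f"refusing non-loopback host {host!r}")
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}),          # never send loopback calls via a proxy
        # Assumption: TLS trust and any client certificate come from your
        # deployment docs and are passed in as an ssl.SSLContext.
        urllib.request.HTTPSHandler(context=context))
    try:
        with opener.open(req, timeout=timeout) as resp:
            status, raw = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        reasons = {403: "caller lacks the required level or certificate",
                   404: "no such endpoint, plugin, job or key"}
        why = reasons.get(err.code, "unexpected status")
        raise AgentApiError(f"HTTP {err.code} on {method} {path}: {why}") from err
    except urllib.error.URLError as err:
        raise AgentApiError(f"agent unreachable at {base}: {err.reason}") from err
    try:
        return status, json.loads(raw)
    except ValueError:
        return status, raw                        # body was not JSON


def restart_plugin(name, **kwargs):
    """POST /api/plugins/{name}/restart, listed as Admin on this page."""
    return call_agent("POST", f"/api/plugins/{quote(name, safe='')}/restart", **kwargs)
```

With context left as None, Python's default certificate verification applies, so the call fails closed rather than silently trusting an unknown certificate.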