# Local Endpoints

**Audience:** IT admins who run management tasks against the agent (health checks, plugin control, jobs, settings) from scripts or tools. *** ### Overview Keeper Privilege Manager exposes an **HTTP/HTTPS API** on **localhost only** (default ports 6888 HTTP, 6889 HTTPS). Use it for health checks, plugin start/stop/restart, job listing and trigger, settings and plugin settings, registration, and other management operations. All endpoints are **local** to the machine; they are not intended to be exposed to the network. **Base URLs:** * **HTTP:** `http://127.0.0.1:6888` * `HTTP: automatically redirects to HTTPS:` * **HTTPS:** `https://127.0.0.1:6889` * Because this communication occurs entirely on the local machine, KEPM automatically manages the certificate lifecycle and validation. The certificate is kept in memory (not written to disk), is rotated internally, and a new certificate is generated each time the service starts. **Authorization levels:** * **Public** — No auth (health, root, system status). * **Plugin** — Caller must be a process launched by Keeper Privilege Manager with valid certificate (e.g. plugins, jobs). * **Elevated Admin** — Caller must have admin privileges (or be a trusted system process) and valid certificate. Many management operations require **Plugin** or **Admin**. Scripts run manually often use **Admin** (e.g. from an elevated PowerShell or as root). For certificate-based calls, the product may provide a client certificate for script use; see your deployment docs. *** ### Public Endpoints (no auth) Use these for monitoring and basic checks. | Method | Path | Description | | ------ | -------------------- | ---------------------------------------------------------------- | | GET | `/health` | Health check. Returns status (e.g. healthy), timestamp, version. | | GET | `/` | Root; service name, status, version. | | GET | `/api/system/status` | System status: running, plugin count, job count (total/enabled). | **Examples:** ``` curl -k https://localhost:6889/health curl -k https://localhost:6889/ curl -k https://localhost:6889/api/system/status ``` *** ### Plugin Management | Method | Path | Auth | Description | | ------ | ----------------------------- | ------ | -------------------------------------------------------------- | | GET | `/api/plugins` | Plugin | List all plugins (id, name, status, processId, lastStartTime). | | POST | `/api/plugins/{name}/start` | Admin | Start a plugin. | | POST | `/api/plugins/{name}/stop` | Admin | Stop a plugin. | | POST | `/api/plugins/{name}/restart` | Admin | Restart a plugin. | Replace `{name}` with the plugin id (e.g. KeeperPolicy, KeeperAPI). Use these to recover from a stuck plugin or after changing plugin config. *** ### Job Management | Method | Path | Auth | Description | | ------ | --------------------------- | ------ | ----------------------------------------------------------------- | | GET | `/api/Jobs` | Plugin | List all registered jobs (id, name, enabled, schedule, last run). | | GET | `/api/Jobs/{jobId}` | Plugin | Get one job by id. | | POST | `/api/Jobs` | Admin | Create a job (JSON body). | | PUT | `/api/Jobs/{jobId}` | Admin | Update a job. | | DELETE | `/api/Jobs/{jobId}` | Admin | Delete a job. | | POST | `/api/Jobs/{jobId}/run` | Admin | Run job immediately. | | POST | `/api/Jobs/{jobId}/trigger` | Admin | Trigger job with event context (JSON body). | | POST | `/api/Jobs/validate` | Admin | Validate job JSON (POST body = job JSON). | Use **run** or **trigger** for on-demand execution; use **validate** before creating or updating jobs. *** ### Settings

Method	Path	Auth	Description
GET	`/api/Settings`	Plugin	Get all app settings (sensitive values may be masked).
GET	`/api/Settings/{key}`	Plugin	Get one setting by key (e.g. Settings:KestrelHttpsPort).
PUT	`/api/Settings/{key}`	Admin	Update a setting (body = value).
POST	`/api/Settings/revert`	Admin	Revert settings to defaults (optional body: list of keys).

*** ### Plugin Settings

Method	Path	Auth	Description
GET	`/api/PluginSettings/{pluginName}`	Plugin	Get all settings for a plugin.
GET	`/api/PluginSettings/{pluginName}/{settingName}`	Plugin	Get one plugin setting.
PUT	`/api/PluginSettings/{pluginName}/{settingName}`	Admin	Update one plugin setting (body = value).
POST	`/api/PluginSettings/revert-all`	Admin	Re-import all plugin settings from their JSON files on disk.
POST	`/api/PluginSettings/{pluginName}/revert`	Admin	Re-import one plugin’s settings from its JSON file.

Use **revert** or **revert-all** after editing plugin JSON files or after pushing config via policy so the in-memory settings match disk. *** ### Keeper Registration

Method	Path	Auth	Description
GET	`/api/Keeper/registration`	Plugin	Get agent registration status (AgentUID, IsRegistered, Hostname, etc.).
POST	`/api/Keeper/register`	Admin (or public in some deployments)	Register agent; query param `token=...` (and optional `force=true`).
POST	`/api/Keeper/unregister`	Admin	Unregister agent.

**Example (register):** ``` curl -X POST "https://localhost:6889/api/Keeper/register?token=YOUR_TOKEN" -k ``` *** ### Other Endpoint Groups The API also includes endpoints for: * **Audit** — GET/POST audit events. * **Notifications** — Send notifications. * **File access** — Request, grant, revoke file access; history. * **User session** — Launch process in user session, validate launch. * **Ephemeral** — Launch ephemeral account, list/delete accounts, cleanup. * **Controls** — Control requests, approvals, launch approved request. * **Credentials** — Risk assessment credentials (store/get/delete). * **Path variables** — Create/update/delete custom path variables (if enabled). Exact paths and request/response shapes follow the product’s API; the tables above cover the most common **management** tasks. For scripting, use **HTTPS**, handle **403** (auth) and **404** (not found), and use Admin or the appropriate certificate where required.