# Advanced Settings

### Advanced Configuration

#### Rate Limited Rules

Defines maximum API requests allowed within a specified time frame.

Default Rate Limits: `60/minute, 600/hour, 6000/day`

Input Format: `X/[minute|hour|day]` or `X per [minute|hour|day]`

Valid Examples: "`100/minute`", "`50/hour`", "`1000 per day`"

Note: Case insensitive

#### IP Allow and IP Deny Lists

Controls access based on IP addresses or IP network ranges.

IP Allow List (Whitelist):

* If specified, only IPs in this list are allowed access
* Takes precedence over deny list
* Default: `0.0.0.0/0` (allow all) when not specified

IP Deny List (Blacklist):

* IPs in this list are explicitly denied access
* Only effective when allow list is not specified or when IP is not in allow list

Logic Flow:

1. If IP Allow list exists: Check if IP is allowed → Grant/Deny access
2. If IP Allow list is empty: Check IP Deny list → Deny if found, otherwise allow

Input Format: Comma-separated list of IP addresses or CIDR blocks

Validation Rules: Each IP must be a valid IPv4 address or CIDR block

Valid Examples: "`192.168.1.1, 10.0.0.0/24`", "`172.16.0.0/16`"

Notes: Empty list is allowed (skips validation)
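
The Logic Flow above, written out as an added Python example (not Keeper Commander's own code). The function names and sample addresses are constructed for illustration, and the last case assumes a literal reading of step 1, where an explicit `0.0.0.0/0` allow list means the deny list is never consulted.

```python
import ipaddress


def parse_ip_list(raw):
    """Parse a comma-separated list of IPv4 addresses or CIDR blocks.

    Empty input gives an empty list. Anything that is not IPv4 raises ValueError.
    """
    networks = []
    for item in raw.split(","):
        item = item.strip()
        if item:
            # A bare address such as 192.168.1.1 becomes a /32 network.
            # strict=False is this example's choice: 10.0.0.5/24 is read as 10.0.0.0/24.
            networks.append(ipaddress.IPv4Network(item, strict=False))
    return networks


def is_ip_permitted(client_ip, allow_raw="", deny_raw=""):
    """Apply the documented flow: allow list first, deny list only without one."""
    addr = ipaddress.IPv4Address(client_ip)
    allow = parse_ip_list(allow_raw)
    deny = parse_ip_list(deny_raw)
    if allow:
        # Step 1: an allow list exists, so it alone decides; the deny list is not read.
        return any(addr in net for net in allow)
    # Step 2: no allow list, so deny listed addresses and allow everything else.
    return not any(addr in net for net in deny)


if __name__ == "__main__":
    # Constructed cases: (client IP, allow list, deny list)
    cases = [
        ("10.0.0.7", "192.168.1.1, 10.0.0.0/24", ""),
        ("203.0.113.9", "192.168.1.1, 10.0.0.0/24", ""),
        ("10.0.0.7", "10.0.0.0/24", "10.0.0.7"),         # in both lists
        ("203.0.113.9", "", "203.0.113.0/24"),
        ("203.0.113.9", "0.0.0.0/0", "203.0.113.0/24"),  # explicit allow-all
    ]
    for ip, allow, deny in cases:
        verdict = "allow" if is_ip_permitted(ip, allow, deny) else "deny"
        print(f"{ip:<14} allow={allow!r:<28} deny={deny!r:<18} -> {verdict}")
```

Under this flow a deny entry has no effect while any allow list is set, so when a block is expected from the deny list, check the allow list first.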

#### Encryption Settings

Optional layer of AES-256 (GCM) encryption for all REST API responses.

Input Format: `y` or `n`

Private Key Validation Rules:

* Exactly 32 characters long
* Allowed characters: alphanumeric and special characters (@#$%^&+=)
* Cannot be empty

Note: The Key is required for API response decryption.

#### Token Expiration

Configures the REST API token lifespan.

Input Format: `Xm`, `Xh`, or `Xd`, where X is a positive number and the unit is m for minutes, h for hours, or d for days.

Validation Rules:

* Value must be a positive number
* Unit must be one of m, h or d
* Valid Examples: "`30m`", "`24h`", "`7d`".

Note: Empty input will set the token to never expire.

#### Command List

Specifies the list of commands to be exposed via the API.

Input Format: Comma-separated list of valid Keeper Commander commands

Validation Rules:

* Must be a comma-separated list of valid Keeper Commander commands (to see them, run `help` in the Commander CLI or enter an invalid command).
* Cannot be empty
* No spaces in individual commands.
* Valid Example: "`whoami,tree,list`"

#### Configuration Format

Input Format: Select between 'json' or 'yaml'

Validation Rules: Must be either 'json' or 'yaml' (case insensitive)

#### Run Mode

Input Format: Select between 'foreground' or 'background'

* **Foreground Mode**: Service runs in the current terminal session
* **Background Mode**: Service runs as a background process with logging to files

Validation Rules: Must be either 'foreground' or 'background' (case insensitive)

***

### Multiple API Token Support

The `service_config.yaml` file stored in the vault contains the service properties. The file has a section called "records", in which each entry defines an API key with its own command list and token expiration.

```
encryption: ''
encryption_private_key: ''
ip_allowed_list: 0.0.0.0/0
ip_denied_list: ''
is_advanced_security_enabled: n
ngrok: y
ngrok_auth_token: XXXXXXXXXX
ngrok_custom_domain: myname
ngrok_public_url: ''
cloudflare: n
cloudflare_tunnel_token: 
cloudflare_custom_domain: 
cloudflare_public_url: ''
tls_certificate: n
certfile: ''
certpassword: ''
port: 9090
rate_limiting: ''
queue_enabled: y
run_mode: foreground
fileformat: yaml
records:
- api-key: XXXXXXXX
  command_list: tree,record-add
  expiration_timestamp: '9999-12-31T23:59:59'
- api-key: XXXXXXXX
  command_list: get
  expiration_timestamp: '9999-12-31T23:59:59'
```

***

### Configuration Security

**Important Security Feature**: The local service configuration files are automatically encrypted using your private key to protect sensitive configuration data including API keys, tokens, and security settings.


