# Job & Plugin: Settings Keys

**Audience:** Integrators configuring `appsettings.json` or reading runtime settings via `GET /api/PluginSettings/{pluginName}`.

This page lists the settings keys most relevant to custom job and plugin integrations. For the narrative explanation of how to call Plugin Settings from inside a running binary, see the [Overview](https://claude.ai/integration/overview#what-the-agent-provides-to-your-process) page. For the full Plugin Settings API endpoint reference, see the [HTTP Reference](https://claude.ai/integration/http-reference#plugin-settings-api).

## How Settings Are Merged

Effective settings for a component come from three sources, listed here from highest to lowest precedence:

1. **Unified storage** — values applied by policy or written via `PUT /api/PluginSettings/{pluginName}/{settingName}`. These override everything below.
2. **Plugin JSON on disk** — the `Plugins/{PluginId}.json` file for managed plugins, or system-level JSON files for agent-wide settings.
3. **System defaults** — built-in defaults compiled into the agent.

Always read effective settings via `GET /api/PluginSettings/{pluginName}` rather than parsing JSON files on disk directly. The file on disk may not reflect policy overrides in unified storage.

## Application-Wide Settings (`appsettings.json`)

These keys live in the `Settings` section of `appsettings.json` next to the agent service executable. Changes require a service restart to take effect.

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="252.8148193359375">Key</th><th width="112.148193359375">Type</th><th width="110.2962646484375">Common Default</th><th>Purpose</th></tr></thead><tbody><tr><td><code>KestrelHttpsPort</code></td><td>integer</td><td><code>6889</code></td><td>HTTPS port for the local API. Used to construct <code>KeeperApiBaseUrl</code> in job argument substitution.</td></tr><tr><td><code>KestrelHttpPort</code></td><td>integer</td><td><code>6888</code></td><td>HTTP port for the local API. Prefer HTTPS for all sensitive operations.</td></tr><tr><td><code>AlternativeSignatures</code></td><td>string array</td><td>—</td><td>Authenticode certificate thumbprints trusted for process authentication. Add your binary's signing certificate thumbprint here when MQTT or Plugin-tier HTTPS access must work outside a job-launched context.</td></tr><tr><td><code>AllowedNonAdminExecutables</code></td><td>string array</td><td>—</td><td>Executable base names (no path, no <code>.exe</code>) permitted to pass process authentication in a user session when the process owner is not an administrator. Only relevant for <code>ExecutionType: User</code> or <code>UserDesktop</code> tasks. Not required for <code>Service</code> tasks.</td></tr><tr><td><code>RepositoryPath</code></td><td>string</td><td>varies</td><td>Storage directory for the agent's configuration repository.</td></tr><tr><td><code>PluginPath</code></td><td>string</td><td><code>Plugins</code></td><td>Plugin root folder name or path, relative to the agent root.</td></tr></tbody></table>

Example `Settings` block showing the keys most commonly configured during integration:

```json
{
  "Settings": {
    "KestrelHttpsPort": 6889,
    "KestrelHttpPort": 6888,
    "AlternativeSignatures": [
      "A1B2C3D4E5F6789012345678901234567890ABCD"
    ],
    "AllowedNonAdminExecutables": [
      "MyTool"
    ]
  }
}
```

To get the Authenticode thumbprint of a signed Windows binary:

```powershell
Get-AuthenticodeSignature -FilePath "C:\Path\To\MyTool.exe" |
  Select-Object -ExpandProperty SignerCertificate |
  Select-Object -ExpandProperty Thumbprint
```

Use the result as a 40-character hex string with no spaces.
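
A lint for the `Settings` block, as an added example that is not part of the agent or its tooling: it checks the two allowlists and the port keys against the formats stated on this page. The function name `lint_settings` and the sample input are constructed for illustration.

```python
import json
import re

THUMBPRINT_RE = re.compile(r"[0-9A-Fa-f]{40}")

# Constructed sample: the second thumbprint was pasted with spaces, and the
# second executable entry carries a path and extension.
SAMPLE = r'''
{
  "Settings": {
    "KestrelHttpsPort": 6889,
    "KestrelHttpPort": 6888,
    "AlternativeSignatures": [
      "A1B2C3D4E5F6789012345678901234567890ABCD",
      "a1 b2 c3 d4 e5 f6 78 90 12 34 56 78 90 12 34 56 78 90 ab cd"
    ],
    "AllowedNonAdminExecutables": ["MyTool", "C:\\Tools\\Other.exe"]
  }
}
'''

def lint_settings(text):
    """Return a list of (key, value, problem) findings for the Settings block."""
    settings = json.loads(text).get("Settings", {})
    findings = []
    for name in ("KestrelHttpsPort", "KestrelHttpPort"):
        port = settings.get(name)
        # bool is a subclass of int, so compare the exact type
        if port is not None and not (type(port) is int and 1 <= port <= 65535):
            findings.append((name, port, "not an integer TCP port"))
    for tp in settings.get("AlternativeSignatures", []):
        # Thumbprints must be exactly 40 hex characters with no spaces
        if not (isinstance(tp, str) and THUMBPRINT_RE.fullmatch(tp)):
            findings.append(("AlternativeSignatures", tp, "not 40 hex characters"))
    for exe in settings.get("AllowedNonAdminExecutables", []):
        # Entries are base names: no path and no .exe
        if not isinstance(exe, str) or not exe.strip():
            findings.append(("AllowedNonAdminExecutables", exe, "empty or not a string"))
        elif "\\" in exe or "/" in exe or ":" in exe:
            findings.append(("AllowedNonAdminExecutables", exe, "contains a path"))
        elif exe.lower().endswith(".exe"):
            findings.append(("AllowedNonAdminExecutables", exe, "includes .exe"))
    return findings

if __name__ == "__main__":
    for key, value, problem in lint_settings(SAMPLE):
        print(f"{key}: {value!r}: {problem}")
```

Run it against the file before restarting the agent service, since a malformed entry in either allowlist only shows up later as a failed process authentication.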

## MQTT Broker Settings (`MqttBrokerSettings`)

These keys configure the local MQTT broker. They live under `MqttBrokerSettings` in `appsettings.json` and are surfaced via Plugin Settings as `broker.host` and `broker.port`.

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="134.9259033203125">Key</th><th width="153.4073486328125">Typical Default</th><th>Purpose</th></tr></thead><tbody><tr><td><code>IpAddress</code></td><td><code>127.0.0.1</code></td><td>Broker bind and connect address. Loopback in standard deployments.</td></tr><tr><td><code>Port</code></td><td><code>8675</code></td><td>Broker TCP port. The broker uses TLS — this is the encrypted port, not a plain TCP port.</td></tr></tbody></table>

Do not hardcode these values in your binary. Read them at runtime from Plugin Settings so your binary tracks any configuration changes an administrator makes:

```
GET {KeeperApiBaseUrl}/api/PluginSettings/KeeperPrivilegeManager
```

The response includes `broker.host` and `broker.port` as string values reflecting the effective `MqttBrokerSettings` in use by the running agent. See the [Overview](https://claude.ai/integration/overview#what-the-agent-provides-to-your-process) page for a complete code example.

## Keys Read at Runtime via Plugin Settings

These are the keys a custom job task or plugin typically reads from `GET /api/PluginSettings/KeeperPrivilegeManager` at startup. The call requires Plugin-tier authentication — it must come from a process the agent launched.

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="135.6666259765625">Key</th><th width="270.6666259765625">Source Setting</th><th>Use</th></tr></thead><tbody><tr><td><code>broker.host</code></td><td><code>MqttBrokerSettings:IpAddress</code></td><td>MQTT broker hostname or IP for TLS connection</td></tr><tr><td><code>broker.port</code></td><td><code>MqttBrokerSettings:Port</code></td><td>MQTT broker port</td></tr></tbody></table>

Other keys may appear in the response depending on agent version and policy configuration. Parse only what your binary needs.

For plugin-scoped settings specific to your component, use your plugin's own ID:

```
GET {KeeperApiBaseUrl}/api/PluginSettings/{YourPluginId}
```

This returns settings stored under your plugin's namespace, merged with system defaults. Use this for any configuration your plugin needs that is separate from the system-wide broker settings.

## Last Known Good (`ConfigurationLkg`)

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="235.6666259765625">Key</th><th width="94.6666259765625">Type</th><th>Effect</th></tr></thead><tbody><tr><td><code>ConfigurationLkg:Enabled</code></td><td>boolean</td><td>When <code>true</code>, the agent maintains an encrypted reference copy of each job's JSON and watches the <code>Jobs/</code> directory for drift. Hand-edited job files may be restored from the reference copy. Use the API or a <code>JobUpdate</code> policy to write jobs reliably when this is enabled.</td></tr></tbody></table>

Confirm whether Last Known Good is enabled in your deployment before choosing a job deployment method. See [Part 3](https://claude.ai/integration/custom-job-guide#part-3-author-the-job-json) of the Custom Job Integration Guide for the full explanation.

## Applying Changes

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="287.3333740234375">Change type</th><th>How to apply</th></tr></thead><tbody><tr><td><code>appsettings.json</code> edits (<code>AlternativeSignatures</code>, ports, broker settings)</td><td>Restart the agent service</td></tr><tr><td>Plugin Settings via <code>PUT /api/PluginSettings/{id}/{key}</code></td><td>Takes effect immediately for subsequent reads; the plugin may need to re-read settings or restart to pick up the change depending on how it caches configuration</td></tr><tr><td>Policy-delivered settings</td><td>Applied when the Configuration Policy Processor runs on the endpoint</td></tr><tr><td>Plugin JSON on disk</td><td>Effective after agent restart, or after <code>POST /api/PluginSettings/{id}/revert</code> re-imports the file into unified storage</td></tr></tbody></table>


