Python SDK
Detailed Python SDK docs for Keeper Secrets Manager

Download and Installation
Install with PIP
Python Requirements: Python 3.9 or higher
For more information, see https://pypi.org/project/keeper-secrets-manager-core/
Source Code
Find the Python source code in the GitHub repository
Related Packages:
Using the SDK
Initialize
One-Time Token behavior: The token is consumed on first use, including on failed attempts. If initialization fails, the SDK (v17.3.0+) automatically removes the incomplete config file (file-based storage only). Generate a new One-Time Token from your KSM Application and retry.
At least one API call (e.g. get_secrets()) must follow initialization to complete token binding and fully populate the config file. Subsequent runs without a token use the config file directly.
| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| token | str | Optional | None | One-time access token. Required on first run to bind the application; omit once config is bound |
| config | KeyValueStorage | Optional | FileKeyValueStorage() | Storage backend. Defaults to client-config.json in the current directory if not provided |
| hostname | str | Optional | None | Override the server hostname. Required when using a bare token without a region prefix |
| verify_ssl_certs | bool | Optional | True | Verify SSL certificates on outbound requests |
Configuration files are automatically created with secure permissions (0600 on Unix-based systems) in v17.1.0+.
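The 0600 mode applies to config files the SDK itself creates in v17.1.0+. The following check is an added example, not part of the SDK or the original page; it audits a config file regardless of how it got on disk. The function name `audit_config` is hypothetical, and the check assumes a Unix-like system.

```python
import os
import stat
import tempfile


def audit_config(path="client-config.json", fix=False):
    """Return findings for a KSM config file; with fix=True, tighten it to 0600."""
    st = os.lstat(path)  # lstat: inspect the path itself, do not follow symlinks
    if stat.S_ISLNK(st.st_mode):
        return [f"{path} is a symlink; inspect its target instead"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path} is not a regular file"]

    findings = []
    if st.st_uid != os.geteuid():
        findings.append(f"owned by uid {st.st_uid}, not the current user")

    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any group or other permission bit is set
        if fix:
            os.chmod(path, 0o600)
            findings.append(f"mode was {mode:04o}, tightened to 0600")
        else:
            findings.append(f"mode is {mode:04o}, expected 0600")
    return findings


if __name__ == "__main__":
    # Constructed sample: a throwaway file with a deliberately loose mode.
    fd, sample = tempfile.mkstemp(suffix=".json")
    os.close(fd)
    os.chmod(sample, 0o644)
    print(audit_config(sample))            # reports the loose mode
    print(audit_config(sample, fix=True))  # tightens it
    print(audit_config(sample))            # no findings left
    os.remove(sample)
```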
Retrieve Secrets
| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| uids | List[str] | Optional | None | Record UIDs to fetch |
Response
Type: Record[]
All Keeper records, or records with the given UIDs
Retrieve Values From a Secret
Retrieve a Password
This shortcut gets the password of a secret once that secret has been retrieved from Keeper Secrets Manager.
Retrieve Standard Fields
| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| field_type | str | Yes | | Field type to get |
| value | str or List[str] | Optional | None | If passed, set the value of the field to the given value |
| single | bool | Optional | False | Return only the first value |
Field types are based on the Keeper Record Type. For a detailed list of available fields based on the Keeper Record Type, see the record-type-info command in Keeper Commander.
Retrieve Custom Fields
| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| label | str | Yes | | Label of the custom field |
| field_type | str | Optional | None | Field type to get |
| value | str or List[str] | Optional | None | If passed, set the value of the field to the given value |
| single | bool | Optional | False | Return only the first value |
Custom fields are any field that is not part of the record type definition, but can be added by users.
It is possible for multiple fields of the same custom type to appear on a single record. To differentiate these fields, the field label is required.
Response
Type: str or List[str]
The value or values of the field. It will be a single value only if the single=True option is passed.
Retrieve Secrets by Title
| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| record_title | str | Yes | Record title to search for |
Access Linked Records (GraphSync)
PAM records can carry links to credential records. Links are not included in get_secrets() responses by default. Request them via get_secrets_with_options() with request_links=True, then call record.get_links() to access them as typed KeeperRecordLink objects.
KeeperRecordLink attributes
| Attribute | Type | Description |
| --- | --- | --- |
| record_uid | str | UID of the linked record |
| path | str or None | Link type discriminator. None = credential link to another record; "meta" = PAM settings self-link; "ai_settings" / "jit_settings" = encrypted settings self-links |
| data | str or None | Raw base64 link payload. Use accessor methods instead of reading this directly |
KeeperRecordLink methods
| Method | Return type | Description |
| --- | --- | --- |
| is_admin_user() | bool | Linked credential is an admin user |
| is_launch_credential() | bool | Link is a launch credential |
| is_iam_user() | bool | Linked credential is an IAM user |
| belongs_to() | bool | Linked credential belongs to the record |
| allows_rotation() | bool | Rotation is permitted (credential or meta link) |
| allows_connections() | bool | Connections are permitted |
| allows_port_forwards() | bool | Port forwarding is permitted |
| allows_session_recording() | bool | Session recording is enabled |
| get_rotation_settings() | dict or None | Rotation schedule and complexity settings |
| get_meta_data() | dict or None | Full PAM settings payload (path == "meta") |
| get_link_data() | dict or None | Complete parsed link payload for any path |
Retrieve Values using Keeper Notation
See Keeper Notation documentation to learn about Keeper Notation format and capabilities
| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| query | str | Yes | Keeper Notation query for getting a value from a specified field |
Returns
Type: str or List[str]
The value of the queried field
Retrieve a TOTP Code
| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| url | str | Yes | TOTP URI in otpauth:// format. Raises ValueError if the URI scheme is not otpauth |
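To show what an otpauth:// URI carries and why the scheme check matters, here is a stand-alone RFC 6238 calculation over such a URI. It is an added example, not the SDK's implementation or code from the original page; the function name `totp_from_uri` is hypothetical, and the sample URI is constructed from the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample: the RFC 6238 SHA-1 test key ("12345678901234567890") in base32.
SAMPLE_URI = ("otpauth://totp/Example:alice"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def totp_from_uri(url, now):
    """Return the TOTP code for an otpauth:// URI at Unix time `now`."""
    parsed = urlparse(url)
    if parsed.scheme != "otpauth":
        # Same contract the table describes: anything but otpauth is rejected.
        raise ValueError("TOTP URI scheme must be otpauth")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    secret = params.get("secret", "")
    if not secret:
        raise ValueError("TOTP URI has no secret parameter")
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in DIGESTS:
        raise ValueError(f"unsupported algorithm {algorithm}")
    digits = int(params.get("digits", 6))    # otpauth defaults: 6 digits,
    period = int(params.get("period", 30))   # 30-second time step, SHA-1

    # The secret is base32; authenticator URIs usually omit the padding.
    key = base64.b32decode(secret + "=" * (-len(secret) % 8), casefold=True)
    counter = struct.pack(">Q", int(now) // period)
    mac = hmac.new(key, counter, DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F                  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    print(totp_from_uri(SAMPLE_URI, time.time()))
```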
Update a Secret
Record update commands don't update local record data on success (in particular the updated record revision), so any consecutive update to an already updated record will fail due to a revision mismatch. Make sure to reload all updated records after each update batch.
Save Changes to a Secret
| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| record | KeeperRecord | Yes | Record to save |
Set field values using the field method. For a detailed list of available fields based on the Keeper Record Type, see the record-type-info command in Keeper Commander. Some fields have multiple values; in these cases the value can be set to a list.
Update a Standard Field Value
| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| field_type | str | Yes | | Field type to get |
| value | str or List[str] | Optional | None | If passed, set the value of the field to the given value |
| single | bool | Optional | False | Return only the first value |
Update a Custom Field Value
| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| label | str | Yes | | Label of the custom field |
| field_type | str | Optional | None | Field type to get |
| value | str or List[str] | Optional | None | If passed, set the value of the field to the given value |
| single | bool | Optional | False | Return only the first value |
Generate a Random Password
| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| length | int | Optional | 32 | Minimum total password length |
| lowercase | int | Optional | None | Minimum lowercase chars (positive), exact count (zero or negative), or unconstrained (None) |
| uppercase | int | Optional | None | Minimum uppercase chars (positive), exact count (zero or negative), or unconstrained (None) |
| digits | int | Optional | None | Minimum digit chars (positive), exact count (zero or negative), or unconstrained (None) |
| special_characters | int | Optional | None | Minimum special chars (positive), exact count (zero or negative), or unconstrained (None) |
| special_characterset | str | Optional | "!@#$%()+;<>=?[]{}^., | Custom set of characters to draw from when generating the special character portion |
Each character-class parameter sets the minimum count if positive, an exact count if zero or negative, or is unconstrained if None (the default). When all four groups are None, or when the total of all exact counts is less than length, the remaining positions are filled from all enabled groups uniformly at random.
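The sign convention above is easy to misread, so here is a stand-alone model of the rule as this page states it. It is an added example and not the SDK's code: `generate_password_model` and `class_counts` are hypothetical names, "enabled" is assumed to mean a group set to None or a positive number, and rejecting a policy where every group is pinned is a choice of this model (the page does not say what the SDK does in that case).

```python
import secrets
import string

# Default special_characterset exactly as printed in the table above.
DEFAULT_SPECIALS = '"!@#$%()+;<>=?[]{}^.,'


def generate_password_model(length=32, lowercase=None, uppercase=None,
                            digits=None, special_characters=None,
                            special_characterset=DEFAULT_SPECIALS):
    groups = [(lowercase, string.ascii_lowercase),
              (uppercase, string.ascii_uppercase),
              (digits, string.digits),
              (special_characters, special_characterset)]
    chars, filler = [], ""
    for count, alphabet in groups:
        # abs(count) characters always come from the group itself:
        # the minimum for a positive count, the exact number for <= 0.
        chars += [secrets.choice(alphabet) for _ in range(abs(count or 0))]
        if count is None or count > 0:
            filler += alphabet  # assumption: only these groups may supply filler
    missing = length - len(chars)
    if missing > 0:
        if not filler:
            # Model choice: every group is pinned and the total is too short.
            raise ValueError("exact counts add up to less than length")
        chars += [secrets.choice(filler) for _ in range(missing)]
    secrets.SystemRandom().shuffle(chars)  # do not leak group order by position
    return "".join(chars)


def class_counts(password, special_characterset=DEFAULT_SPECIALS):
    """Count characters per class so a policy can be checked after generation."""
    return {
        "lowercase": sum(c in string.ascii_lowercase for c in password),
        "uppercase": sum(c in string.ascii_uppercase for c in password),
        "digits": sum(c in string.digits for c in password),
        "special": sum(c in special_characterset for c in password),
    }


if __name__ == "__main__":
    pw = generate_password_model(length=20, uppercase=2, digits=-4, special_characters=0)
    print(len(pw), class_counts(pw))  # 20 chars: exactly 4 digits, no specials
```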
Download a File
| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| file_path | str | Yes | | Path to save file to |
| create_folders | bool | No | False | Create folders in the file_path if not present |
Upload a File
Upload File:
Creating the Keeper File Upload Object:
Upload File
| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| owner_record | KeeperRecord | Yes | The record to attach the uploaded file to |
| file | KeeperFileUpload | Yes | The File to upload |
Keeper File Upload From File
| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| path | str | Yes | | Path to the file to upload |
| file_name | str | No | None | What the name of the file will be in Keeper once uploaded |
| file_title | str | No | None | What the title of the file will be in Keeper once uploaded |
| mime_type | str | No | None | The type of data in the file. If none is provided, 'application/octet-stream' will be used |
Returns
Type: str
The file UID of the attached file
Remove File Attachments
| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| record | KeeperRecord | Yes | The record to update |
| links_to_remove | str or List[str] | No | File UID(s) to remove from the record |
After removing files, make sure to reload the record with get_secrets() if you plan to make additional updates, as the record revision will have changed.
Create a Secret
Prerequisites:
Shared folder UID
Shared folder must be accessible by the Secrets Manager Application
You and the Secrets Manager application must have edit permission
There must be at least one record in the shared folder
Created records and record fields must be formatted correctly
See the documentation for expected field formats for each record type
TOTP fields accept only URLs generated outside of the KSM SDK
After record creation, you can upload file attachments using upload_file
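| Parameter | Type | Required |
| --- | --- | --- |
| folder_uid | str | Yes |
| record | KeeperRecord | Yes |

| Parameter | Type | Required |
| --- | --- | --- |
| create_options | CreateOptions | Yes |
| record | KeeperRecord | Yes |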
This example creates a login type record with a login value and a generated password.
Replace '[FOLDER UID]' in the example with the UID of a shared folder that your Secrets Manager has access to.
This example creates a record with a custom record type.
Replace '[FOLDER UID]' in the example with the UID of a shared folder that your Secrets Manager has access to.
Returns
Type: str
The record UID of the new record
Delete a Secret
The Python KSM SDK can delete records in the Keeper Vault.
| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| record_uids | str or List[str] | Yes | UID or list of UIDs of records to delete |
Caching
To protect against losing access to your secrets when network access is lost, the Python SDK allows caching of secrets to the local machine in an encrypted file.
Setup and Configure Cache
To set up caching in the Python SDK, include a caching post function when creating a SecretsManager object.
The Python SDK includes a default caching function in the KSMCache class, which stores cached queries in a local file and so serves as a disaster recovery function: as long as there is network connectivity it always prefers the network over cached data, and it uses the cache only if the web vault is inaccessible. You can create your own caching function using KSMCache as a starting point, e.g. one that prefers the local cache over network access and provides its own cache management (e.g. refreshing cached data once every 5 minutes).
The default KSMCache stores only the most recent response. If you call get_secrets(['<uid>']) and then call get_secrets() without arguments while offline, the second call returns only the one cached record, not your full vault.
Updating a record from cache (or creating a new record) invalidates the cached record data, and consecutive updates of the same record will fail. Batch updates work as long as they modify different records. Always follow up cached record updates with a call to the get_secrets function to refresh the cache (and pull updated metadata from the vault, such as the new record revision).
Creating your own caching function
To start, create a caching function with the following arguments and call post_function
Then you can implement any custom logic of caching using KSMCache. Full basic example:
Folders
Folders have full CRUD support - create, read, update and delete operations.
Read Folders
Downloads the full folder hierarchy.
Response
Type: List[KeeperFolder]
Example Usage
Create a Folder
Requires CreateOptions and a folder name. The folder UID parameter in CreateOptions is required and must be the UID of a shared folder. The sub-folder UID is optional; if it is missing, a new regular folder is created directly under the parent (shared folder). The sub-folder does not have to be a direct descendant of the parent shared folder; it can be many levels deep.
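| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| create_options | CreateOptions | Yes | | The parent and sub-folder UIDs |
| folder_name | str | Yes | | The Folder name |
| folders | List[KeeperFolder] | No | None | List of folders to use in the search for parent and sub-folder from CreateOptions |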
Example Usage
Update a Folder
Updates the folder metadata - currently folder name only.
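| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| folder_uid | str | Yes | | The folder UID |
| folder_name | str | Yes | | The new folder name |
| folders | List[KeeperFolder] | No | None | List of folders to use in the search for parent folder |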
Example Usage
Delete Folders
Removes a list of folders. Use the force_deletion flag to remove non-empty folders.
When using force_deletion, avoid sending a parent together with its children's folder UIDs. Depending on the delete order you may get an error, e.g. if force-deleting the parent removed the child first. There is no guarantee that the list will always be processed in FIFO order.
Any folder UIDs that are missing from the vault or not shared to the KSM Application will not result in an error.
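| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| folder_uids | List[str] | Yes | | The folder UID list |
| force_deletion | bool | No | False | Force deletion of non-empty folders |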
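One way to follow the advice about not sending a parent together with its children: prune the request so that no UID has an ancestor in the same list. This is an added example, not part of the SDK or the original page; `prune_nested` is a hypothetical helper, and the UIDs and the child-to-parent map are constructed sample data (in practice the map would be built from the folder list returned by Read Folders).

```python
def prune_nested(folder_uids, parent_of):
    """Drop every UID whose ancestor is also in the delete request.

    parent_of maps a folder UID to its parent's UID; roots and UIDs unknown
    to the map have no entry, so they are kept as requested.
    """
    requested = set(folder_uids)
    kept = []
    for uid in dict.fromkeys(folder_uids):  # de-duplicate, keep request order
        ancestor = parent_of.get(uid)
        seen = {uid}                         # guards against a cyclic map
        covered = False
        while ancestor is not None and ancestor not in seen:
            if ancestor in requested:
                covered = True               # force-deleting the ancestor removes it
                break
            seen.add(ancestor)
            ancestor = parent_of.get(ancestor)
        if not covered:
            kept.append(uid)
    return kept


# Constructed hierarchy: SHARED > A > A1 > A1x, and SHARED > B.
SAMPLE_PARENT_OF = {"A": "SHARED", "A1": "A", "A1x": "A1", "B": "SHARED"}

if __name__ == "__main__":
    request = ["A1x", "A", "B", "A1", "B"]
    # Only the top-most requested folders remain: ['A', 'B']
    print(prune_nested(request, SAMPLE_PARENT_OF))
```

Pass the pruned list, rather than the original one, as folder_uids when force_deletion is set.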
Example Usage
Proxy support
Environment variable
The Keeper Secrets Manager SDK uses the requests library, which supports the HTTPS_PROXY environment variable by default.
Every request, including Keeper Secrets Manager requests, will go through the declared proxy.
Using environment variables for proxy settings is preferred because it keeps configuration out of code, ensures consistency across tools, and simplifies deployment.
SecretsManager parameter
Optionally, you can pass your proxy URL to SecretsManager if you want the proxy to be used only by the SDK:
If your proxy requires authentication, pass your username and password in the proxy URL.
Advanced Configuration
Custom Server Public Key
For isolated or private deployments where the SDK cannot ship with the server public key, supply an EC P-256 public key via either of two paths. Precedence is programmatic > pre-existing config.
Programmatic — pass server_public_key and server_public_key_id to SecretsManager():
Config file — add serverPublicKey and serverPublicKeyId to an existing bound ksm-config.json before the first call. These two fields supplement the bound configuration, they do not replace it:

