Developer SDKs

Overview
The Keeper Secrets Manager SDKs are purpose-built to provide extremely simple, fast and efficient access to Secrets Management functionality from all popular languages. 
Installation
Java
JavaScript
Python
.Net
GoLang
Install With Gradle
Reference the maven repository:
repositories {
    mavenCentral()
}
​
dependencies {
    implementation 'com.keepersecurity.secrets-manager:core:16.3.1'
}
More installation options can be found on the Java/Kotlin SDK page​
​
Source Code
Find the Java source code in the GitHub repository​
Install With NPM
npm install @keeper-security/secrets-manager-core
​
Source Code
Find the JavaScript source code in the GitHub repository​
Install With PIP
pip3 install -U keeper-secrets-manager-core
​
Source Code
Find the Python source code in the GitHub repository​
Install With DotNet
dotnet add package Keeper.SecretsManager
​
Source Code
Find the .Net source code in the GitHub repository​
Install With Go
import (
	ksm "github.com/keeper-security/secrets-manager-go/core"
	klog "github.com/keeper-security/secrets-manager-go/core/logger"
)
​
Source Code
Find the Go source code in the GitHub repository​
Authentication
The Secrets Manager SDK authenticates to the Keeper Vault using either the One Time Access Token or using the generated keys within the local configuration file.  To generate one or more One Time Access Tokens from Commander CLI use the secrets-manager client add command.
$ keeper shell
​
... login ...
​
My Vault> secrets-manager client add --app MyApplication --unlock-ip
Initialization
Secrets Manager SDKs utilize a configuration file to hold connection tokens and settings.  These examples show how to create a config file using the SDKs and a One-Time Access Token.
For information on other ways to create a config file, see the Config File documentation.
Java
JavaScript
Python
.Net
GoLang
import com.keepersecurity.secretsManager.core.*;
import static com.keepersecurity.secretsManager.core.SecretsManager.*;
​
public class KSMSample {
​
    public static void main(String[] args){
        // oneTimeToken is used only once to initialize the storage
        // after the first run, subsequent calls will use ksm-config.json
        String oneTimeToken = "[ONE TIME TOKEN]";
        KeyValueStorage storage = new LocalConfigStorage("ksm-config.json");
        try {
            // after the first run, this line can be removed
            initializeStorage(storage, oneTimeToken);
​
            SecretsManagerOptions options = new SecretsManagerOptions(storage);
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }
        
        // Rest of the code using `options`
    }
}
const {
    getSecrets,
    initializeStorage,
    localConfigStorage,
    downloadFile,
    updateSecret
} = require('@keeper-security/secrets-manager-core')
​
const oneTimeToken = '[One Time Access Token]'
​
const getKeeperRecords = async () => {
    const storage = localConfigStorage("ksm-config.json")
    await initializeStorage(storage, oneTimeToken)
    const {records} = await getSecrets({storage: storage})
    console.log(records)
​
    const firstRecord = records[0]
    const firstRecordPassword = firstRecord.data.fields.find(x => x.type === 'password')
    console.log(firstRecordPassword.value[0])
}
​
getKeeperRecords().finally()
from keeper_secrets_manager_core import SecretsManager
from keeper_secrets_manager_core.storage import FileKeyValueStorage
​
oneTimeToken = "[One Time Access Token]"
​
secrets_manager = SecretsManager(
    # One time tokens can be used only once - afterwards use the generated config file
    token=oneTimeToken,
    config=FileKeyValueStorage('ksm-config.json')
)
​
# Retrieve all password records (will also initialize config)
records = secrets_manager.get_secrets()
​
using System;
using SecretsManager;
​
var oneTimeToken = "[One Time Access Token]";
var storage = new LocalConfigStorage("ksm-config.json");
try {
    // One time tokens can be used only once - afterwards use the generated config file
    SecretsManagerClient.InitializeStorage(storage, oneTimeToken);
    var options = new SecretsManagerOptions(storage);
    
    // Retrieve all password records (will also initialize config)
    var records = (await SecretsManagerClient.GetSecrets(options)).Records;
    Console.WriteLine(quot;Received {records.Length} record(s)");
    
    // get the password from the first record
    var firstRecord = records[0];
    var password = records[0].FieldValue("password").ToString();
    Console.WriteLine(quot;Password: {password}");
} catch (Exception e) {
    Console.WriteLine(e);
}
package main
​
// Import Secrets Manager
import ksm "github.com/keeper-security/secrets-manager-go/core"
​
func main() {
​
	onetimeAccessCode := "[One Time Access Token]"
​
	options := &ksm.ClientOptions{
		// One time tokens can be used only once - afterwards use the generated config file
		Token:  onetimeAccessCode,
		Config: ksm.NewFileKeyValueStorage("ksm-config.json")}
​
	sm := ksm.NewSecretsManager(options)
​
	// Retrieve all password records (will also initialize config)
	allRecords, _ := sm.GetSecrets([]string{})
​
	// Get password from first record:
​
	firstRecord := allRecords[0]
​
	firstRecordPassword := firstRecord.Password()
​
	print("Password: [", firstRecordPassword, "]")
}
After a config file has been initialized, the One-Time Access Token should be removed from code
This initialization code will create a configuration file on the device local storage.
Field
Description
hostname
The destination host where your Enterprise tenant is located:

keepersecurity.com
keepersecurity.eu
keepersecurity.com.au
govcloud.keepersecurity.us
token
One Time Access Token generated from Commander or Vault UI
config
Filename to store the local config
After initialization, the config file will contain a few more generated keys:
Config Name
Description
appKey
Application Private Key (AES-256)
clientID
Unique Client Device Identifier
privateKey
Client Device Private Key (ECC secp256r1)
Retrieve All Secrets
Java
JavaScript
Python
.Net
GoLang
import com.keepersecurity.secretsManager.core.*;
import static com.keepersecurity.secretsManager.core.SecretsManager.*;
import java.io.FileOutputStream;
​
public class KSMSample {
  
  public static void main(String[] args){
    // get pre-initialized storage
    KeyValueStorage storage = new LocalConfigStorage("ksm-config.json");
    try { 
        SecretsManagerOptions options = new SecretsManagerOptions(storage);
        
        // get all available secrets
        KeeperSecrets secrets = SecretsManager.getSecrets(options);
        
        // print out record details
        System.out.println(secrets.getRecords());
      } catch (Exception e) {
        System.out.println(e.getMessage());
      } 
    }
}
const {
    getSecrets,
    initializeStorage,
    localConfigStorage,
    downloadFile,
    updateSecret
} = require('@keeper-security/secrets-manager-core')
​
const oneTimeToken = '[One Time Access Token]'
​
const getKeeperRecords = async () => {
    const storage = localConfigStorage("ksm-config.json")
    await initializeStorage(storage, oneTimeToken)
    const {records} = await getSecrets({storage: storage})
}
​
getKeeperRecords().finally()
from keeper_secrets_manager_core import SecretsManager
from keeper_secrets_manager_core.storage import FileKeyValueStorage
​
secrets_manager = SecretsManager(
    config=FileKeyValueStorage('ksm-config.json')
)
​
all_records = secrets_manager.get_secrets()
​
# print out all record JSON data
for record in all_records:
    # record.print() # print record to STDOUT
    print(record.uid + " - " + record.title)
    print("\tLogin: " + record.field('login')[0])
    print("\tPassword: " + record.field('password')[0])
​
using System;
using System.Threading.Tasks;
using SecretsManager;
​
private static async Task retrieveAllSecrets()
{
    // get pre-initialized storage
    var storage = new LocalConfigStorage("ksm-config.json");
    var options = new SecretsManagerOptions(storage);
            
    // get all available secrets
    var records = (await SecretsManagerClient.GetSecrets(options)).Records;
    foreach (var record in records)
    {
        Console.WriteLine(record.RecordUid + " - " + record.Data.title);
        foreach (var field in record.Data.fields)
        {
            Console.WriteLine("\t" + field.label + " (" + field.type + "): [" + String.Join(", ", field.value) + "]");
        }
    }
}
package main
​
// Import Secrets Manager
import ksm "github.com/keeper-security/secrets-manager-go/core"
​
func main() {
​
	options := &ksm.ClientOptions{
		// One time tokens can be used only once - afterwards use the generated config file
		Config: ksm.NewFileKeyValueStorage("ksm-config.json")}
​
	sm := ksm.NewSecretsManager(options)
​
	// Retrieve all password records (will also initialize config)
	allRecords, _ := sm.GetSecrets([]string{})
​
	for _, record := range allRecords {
		println("UID", record.Uid, ", title [", record.Title(), "]")
	}
}
These examples assumes a Secrets Manager config file has already been initialized.
See the Initialization section for how to initialize a config file.
Retrieve One Individual Secret
Get Secrets By Record Title
Java
JavaScript
Python
.Net
GoLang
import com.keepersecurity.secretsManager.core.*;
import java.util.List;
​
public class KSMSample {
    public static void main(String[] args){
        // get pre-initialized storage
        KeyValueStorage storage = new LocalConfigStorage("ksm-config.json");
        try {
            SecretsManagerOptions options = new SecretsManagerOptions(storage);
​
            // title of the record to fetch
            String recordTitle = "My Credentials";
            
            // search for record by title
            KeeperRecord myCredentials = secrets.getRecords().getSecretByTitle(recordTitle);
​
            // print out record details
            System.out.println("Record UID: " + myCredentials.getRecordUid());
            System.out.println("Title: " + myCredentials.getData().getTitle());
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }
    }
}
const {
    getSecretByTitle,
    localConfigStorage,
} = require('@keeper-security/secrets-manager-core')
​
const getKeeperRecord = async () => {
    const options = { storage: localConfigStorage("ksm-config.json") 
    const {myCredential} = await getSecretByTitle(options, "My Credential")
}
​
getKeeperRecord().finally()
from keeper_secrets_manager_core import SecretsManager
from keeper_secrets_manager_core.storage import FileKeyValueStorage
​
secrets_manager = SecretsManager(
    config=FileKeyValueStorage('ksm-config.json')
)
​
record_title = "My Record"
​
record = secrets_manager.get_secret_by_title(record_title)
​
if record:
    print(record.uid + " - " + record.title)
    print("\tLogin: " + record.field('login')[0])
    print("\tPassword: " + record.field('password')[0])
else:
    print("No record found with title: " + record_title)
​
using System;
using System.Threading.Tasks;
using SecretsManager;
​
private static async Task getOneIndividualSecret()
{
    var storage = new LocalConfigStorage("ksm-config.json");
    var options = new SecretsManagerOptions(storage);
    var records = (await SecretsManagerClient.GetSecretsByTitle(
            options, "My Credentials")
        ).Records;
    foreach (var record in records)
    {
        Console.WriteLine(record.RecordUid + " - " + record.Data.title);
        foreach (var field in record.Data.fields)
        {
            Console.WriteLine("\t" + field.label + " (" + field.type + "): [" + String.Join(", ", field.value) + "]");
        }
    }
}
package main
​
// Import Secrets Manager
import ksm "github.com/keeper-security/secrets-manager-go/core"
​
func main() {
​
	options := &ksm.ClientOptions{
		// One time tokens can be used only once - afterwards use the generated config file
		Config: ksm.NewFileKeyValueStorage("ksm-config.json")}
​
	sm := ksm.NewSecretsManager(options)
​
	// Retrieve one individual record by Title
	allRecords, _ := ksm.GetSecretsByTitle("My Credentials")
​
	for _, record := range allRecords {
		println("UID", record.Uid, ", title [", record.Title(), "]")
	}
}
Get Secrets By Record UID
In this example, the Record UID is XXX
Java
JavaScript
Python
.Net
GoLang
import com.keepersecurity.secretsManager.core.*;
import java.util.List;
​
public class KSMSample {
    public static void main(String[] args){
        // get pre-initialized storage
        KeyValueStorage storage = new LocalConfigStorage("ksm-config.json");
        try {
            SecretsManagerOptions options = new SecretsManagerOptions(storage);
​
            // create a filter with the UID of the record we want
            List<String> uidFilter = List.of("[XXX]");
​
            // fetch secrets with the filter
            KeeperSecrets secrets = SecretsManager.getSecrets(options, uidFilter);
​
            // get the desired secret from the fetch results
            KeeperRecord myCredentials = secrets.getRecords().get(0);
​
            // print out record details
            System.out.println("Record UID: " + myCredentials.getRecordUid());
            System.out.println("Title: " + myCredentials.getData().getTitle());
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }
    }
}
const {
    getSecretsByTitle,
    localConfigStorage,
} = require('@keeper-security/secrets-manager-core')
​
const oneTimeToken = '[One Time Access Token]'
​
const getKeeperRecord = async () => {
    const options = { storage: localConfigStorage("config.json") 
    const {myCredential} = await getSecrets(options, ["XXX"]
}
​
getKeeperRecord().finally()
from keeper_secrets_manager_core import SecretsManager
from keeper_secrets_manager_core.storage import FileKeyValueStorage
​
secrets_manager = SecretsManager(
    config=FileKeyValueStorage('ksm-config.json')
)
​
UID_FILTER = ['RECORD_UID']
​
record = secrets_manager.get_secrets(UID_FILTER)[0]
​
print(record.uid + " - " + record.title)
print("\tLogin: " + record.field('login')[0])
print("\tPassword: " + record.field('password')[0])
​
With a secret retrieved, individual fields can be retrieved from the secret.
# Get a standard template field
login = record.field('login', single=True)
​
# Get a custom field, e.g. API Key
api_key = record.custom_field('API Key', single=True)
using System;
using System.Threading.Tasks;
using SecretsManager;
​
private static async Task getOneIndividualSecret()
{
    var storage = new LocalConfigStorage("ksm-config.json");
    var options = new SecretsManagerOptions(storage);
    var records = (await SecretsManagerClient.GetSecrets(
            options, new[] { "XXX" })
        ).Records;
    foreach (var record in records)
    {
        Console.WriteLine(record.RecordUid + " - " + record.Data.title);
        foreach (var field in record.Data.fields)
        {
            Console.WriteLine("\t" + field.label + " (" + field.type + "): [" + String.Join(", ", field.value) + "]");
        }
    }
}
package main
​
// Import Secrets Manager
import ksm "github.com/keeper-security/secrets-manager-go/core"
​
func main() {
​
	options := &ksm.ClientOptions{
		// One time tokens can be used only once - afterwards use the generated config file
		Config: ksm.NewFileKeyValueStorage("ksm-config.json")}
​
	sm := ksm.NewSecretsManager(options)
​
	// Retrieve one individual record by UID (will also initialize config)
	allRecords, _ := sm.GetSecrets([]string{"[Record UID]"})
​
	for _, record := range allRecords {
		println("UID", record.Uid, ", title [", record.Title(), "]")
	}
}
These examples assumes a Secrets Manager config file has already been initialized.
See the Initialization section for how to initialize a config file.
​
Retrieve a Password
Example to retrieve an individual record password field.
In this example, the Record UID is XXX
Java
JavaScript
Python
.Net
GoLang
import com.keepersecurity.secretsManager.core.*;
import java.util.List;
​
public class KSMSample {
    public static void main(String[] args){
        // get pre-initialized storage
        KeyValueStorage storage = new LocalConfigStorage("ksm-config.json");
        try {
            SecretsManagerOptions options = new SecretsManagerOptions(storage);
​
            // create a filter with the UID of the record we want
            List<String> uidFilter = List.of("XXX");
​
            // fetch secrets with the filter
            KeeperSecrets secrets = SecretsManager.getSecrets(options, uidFilter);
​
            // get the desired secret from the fetch results
            KeeperRecord myCredentials = secrets.getRecords().get(0);
​
            // get and print out password
            String pwd = myCredentials.getPassword();
            System.out.println("Password from Keeper: " + pwd);
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }
    }
}
secret.data.fields.find(x => x.type === 'password')
from keeper_secrets_manager_core import SecretsManager
from keeper_secrets_manager_core.storage import FileKeyValueStorage
​
secrets_manager = SecretsManager(
    config=FileKeyValueStorage('ksm-config.json')
)
​
# Get an individual secret by UID
UID_FILTER = 'XXX'
secret = secrets_manager.get_secrets([UID_FILTER])[0]
​
# Get a password from the secret
secret.field('password', single=True)
using System;
using System.Threading.Tasks;
using SecretsManager;
​
private static async Task retrieveAPassword()
{
    var storage = new LocalConfigStorage("ksm-config.json");
    var options = new SecretsManagerOptions(storage);
    var records = (await SecretsManagerClient.GetSecrets(
            options, new[] { "XXX" })
        ).Records;
    foreach (var record in records)
    {
        // retrieve "password" field
        var passwordVal = record.FieldValue("password");
            
        Console.WriteLine(record.RecordUid + " - " + record.Data.title + " - password=[" + passwordVal + "]");
    }
}
package main
​
// Import Secrets Manager
import ksm "github.com/keeper-security/secrets-manager-go/core"
​
func main() {
​
	options := &ksm.ClientOptions{
		// One time tokens can be used only once - afterwards use the generated config file
		Config: ksm.NewFileKeyValueStorage("ksm-config.json")}
​
	sm := ksm.NewSecretsManager(options)
​
	// Retrieve all records (will also initialize config)
	allRecords, _ := sm.GetSecrets([]string{})
​
	for _, record := range allRecords {
		passwordMethod1 := record.Password()
		//passwordMethod2 := record.GetFieldValueByType("password") // retrieve password by accessing field
		println("UID", record.Uid, ", Password [", passwordMethod1, "]")
	}
}
These examples assumes a Secrets Manager config file has already been initialized.
See the Initialization section for how to initialize a config file.
Download a File Attachment
Java
JavaScript
Python
.Net
GoLang
import com.keepersecurity.secretsManager.core.*;
​
import java.io.FileOutputStream;
import java.util.List;
​
public class KSMSample {
    public static void main(String[] args){
        // get pre-initialized storage
        KeyValueStorage storage = new LocalConfigStorage("ksm-config.json");
        try {
            SecretsManagerOptions options = new SecretsManagerOptions(storage);
​
            // create a filter with the UID of the record we want
            List<String> uidFilter = List.of("XXX");
​
            // fetch secrets with the filter
            KeeperSecrets secrets = SecretsManager.getSecrets(options, uidFilter);
​
            // get the desired secret from the fetch results
            KeeperRecord myCredentials = secrets.getRecords().get(0);
​
            // get a file reference by filename from the record
            KeeperFile file = myCredentials.getFileByName("acme.cer");
​
            // download the file
            byte[] fileBytes = SecretsManager.downloadFile(file);
            String filename = file.getData().getName();
            FileOutputStream fos = new FileOutputStream(filename);
            fos.write(fileBytes);
            System.out.println("Downloaded File: " + filename);
        } catch (Exception e) {
            System.out.println("KSM ran into an problem: " + e.getMessage());
        }
    }
}
const file = firstRecord.files.find(x => x.data.name === 'acme.cer')
if (file) {
    const fileBytes = await downloadFile(file)
    fs.writeFileSync(file.data.name, fileBytes)
}
from keeper_secrets_manager_core import SecretsManager
from keeper_secrets_manager_core.storage import FileKeyValueStorage
​
secrets_manager = SecretsManager(
    config=FileKeyValueStorage('ksm-config.json')
)
​
# Get an individual secret by UID
UID_FILTER = 'XXX'
secret = secrets_manager.get_secrets([UID_FILTER])[0]
​
# Save all files to a /tmp folder (create folder if does not exist)
for file in secret.files:
    print("file: %s" % file)
    file.save_file("/tmp/" + file.name, True)
using System;
using System.IO;
using System.Threading.Tasks;
using SecretsManager;
​
private static async Task downloadAFileAttachment()
{
    var storage = new LocalConfigStorage("ksm-config.json");
    var options = new SecretsManagerOptions(storage);
    
    // get record by UID
    var records = (await SecretsManagerClient.GetSecrets(
            options, new[] { "XXX" })
        ).Records;
    foreach (var record in records)
    {
        // download the file from the 1st record
        var file = record.GetFileByName("acme.cer");
        if (file != null)
        {
            var fileBytes = SecretsManagerClient.DownloadFile(file);
            // write bytes to the disc
            await File.WriteAllBytesAsync(file.Data.name, fileBytes);
        }            
    }
}
package main
​
// Import Secrets Manager
import ksm "github.com/keeper-security/secrets-manager-go/core"
​
func main() {
​
	options := &ksm.ClientOptions{
		// One time tokens can be used only once - afterwards use the generated config file
		Config: ksm.NewFileKeyValueStorage("ksm-config.json")}
​
	sm := ksm.NewSecretsManager(options)
​
	// Retrieve all password records (will also initialize config)
	allRecords, _ := sm.GetSecrets([]string{"[Record UID]"})
​
	for _, record := range allRecords {
​
		// Search file by title
		file := record.FindFileByTitle("[FILE TITLE]")
​
		// get file from the array by its index
		//file := record.Files[0]
​
		// Safe file to the disc
		file.SaveFile("/tmp/"+file.Name, true)
	}
}
These examples assumes a Secrets Manager config file has already been initialized.
See the Initialization section for how to initialize a config file.
Upload a File Attachment
Java
JavaScript
Python
.Net
GoLang
import com.keepersecurity.secretsManager.core.*;
​
import java.io.File;
import java.io.FileInputStream;
import java.util.Arrays;
​
public class KSMSample {
    public static void main(String[] args){
        // get pre-initialized storage
        KeyValueStorage storage = new LocalConfigStorage("ksm-config.json");
        try {
            SecretsManagerOptions options = new SecretsManagerOptions(storage);
​
            // create a filter with the UID of the record we want
            List<String> uidFilter = List.of("XXX");
​
            // fetch secrets with the filter
            KeeperSecrets secrets = SecretsManager.getSecrets(options, uidFilter);
​
            // get the desired secret to upload a file to
            KeeperRecord ownerRecord = secrets.getRecords().get(0);
        
            // get bytes from file to upload
            File file = new File("./myFile.json");
            FileInputStream fl = new FileInputStream(file);
            byte[] fileBytes = new byte[(int)file.length()];
            fl.read(fileBytes);
            fl.close();
            
            // create a Keeper File to upload
            KeeperFileUpload myFile = new KeeperFileUpload(
                "myFile.json",
                "My File", 
                "application/json", 
                fileBytes
            );
​
            // upload the file to the selected record
            SecretsManager.uploadFile(options, ownerRecord, myFile);
            
        } catch (Exception e) {
            System.out.println("KSM ran into an problem: " + e.getMessage());
        }
    }
}
import * as fs from "fs";
import {getSecrets, uploadFile} from "@keeper-security/secrets-manager-core";
​
// get record to attach file to
const {records} = await getSecrets({storage: storage}, ['XXX'])
const ownerRecord = records[0]
​
// get file data to upload
const fileData = fs.readFileSync('./assets/my-file.json')
​
// upload file to selected record
await uploadFile(options, ownerRecord, {
    name: 'my-file.json',
    title: 'Sample File',
    type: 'application/json',
    data: fileData
})
from keeper_secrets_manager_core import SecretsManager
from keeper_secrets_manager_core.storage import FileKeyValueStorage
from keeper_secrets_manager_core.core import KeeperFileUpload
​
secrets_manager = SecretsManager(
    config=FileKeyValueStorage('ksm-config.json')
)
​
# Get an individual secret by UID to attach the file to
UID_FILTER = 'XXX'
owner_record= secrets_manager.get_secrets([UID_FILTER])[0]
​
# Prepare file data for upload
my_file = KeeperFileUpload.from_file("./myFile.json", "myfile.json", "My File") 
​
# Upload file attached to the owner record
upload_file(owner_record, file: my_file)
​
Overview

Installation

Install With Gradle

Source Code

Install With NPM

​

Source Code

Install With PIP

Source Code

Install With DotNet

​

Source Code

Install With Go

​

Source Code

Authentication

Initialization

Retrieve All Secrets

Retrieve One Individual Secret

Get Secrets By Record Title

Get Secrets By Record UID

Retrieve a Password

Download a File Attachment

Upload a File Attachment
