# .NET SDK

## Download and Installation ### Prerequisites > `dotnet add package Keeper.SecretsManager` For more information, see ### Source Code Find the .Net source code in the [GitHub repository](https://github.com/Keeper-Security/secrets-manager/tree/master/sdk/dotNet) ## Using the SDK ### Initialize Storage {% hint style="info" %} Using token only to generate a new config (for later usage) requires at least one read operation to bind the token and fully populate `config.json` {% endhint %} In order to retrieve secrets, you must first initialize the local storage on your machine. ```csharp SecretsManagerClient.InitializeStorage(storage: IKeyValueStorage, oneTimeToken: string, hostName: string = null) ```

Parameter	Type	Required	Default	Description
Parameter	Type	Required	Default	Description
`storage`	`IKeyValueStorage`	Yes		Storage implementation for persisting config
`oneTimeToken`	`string`	Yes		One Time Access Token used to initialize the config
`hostName`	`string`	Optional	null	Keeper server hostname (auto-detected from token if omitted)

#### **Example Usage** ```csharp var storage = new LocalConfigStorage("ksm-config.json"); SecretsManagerClient.InitializeStorage(storage, "[One Time Access Token]"); // Using token only to generate a config (for later usage) // requires at least one access operation to bind the token var options = new SecretsManagerOptions(storage); await SecretsManagerClient.GetSecrets(options); ``` {% hint style="success" %} **Automatic File Security** (v17.1.0+) The .NET SDK automatically secures configuration and cache files: * **Unix/macOS**: Sets `chmod 600` (owner read/write only) * **Windows**: Restricts ACLs to current user only Files protected: * `ksm-config.json` (or your custom config file name) * `cache.dat` (if using caching) No additional configuration needed - the SDK handles this automatically. {% endhint %} #### Secrets Manager Options ```csharp SecretsManagerOptions( IKeyValueStorage storage, QueryFunction queryFunction = null, bool allowUnverifiedCertificate = false, string proxyUrl = null ) ```

Parameter	Type	Required	Default	Description
Parameter	Type	Required	Default	Description
`storage`	`IKeyValueStorage`	Yes
`queryFunction`	`QueryFunction`	Optional	null
`allowUnverifiedCertificate`	`bool`	Optional	false
`proxyUrl`	`string`	Optional	null

### Retrieve Secrets ```csharp GetSecrets(options: SecretsManagerOptions, recordsFilter: string[] = null): Task ``` | Parameter | Type | Required | Default | Description | | --------------- | ----------------------- | -------- | ------- | ------------------------------- | | `options` | `SecretsManagerOptions` | Yes | | Storage and query configuration | | `recordsFilter` | `string[]` | Optional | `null` | Record search filters | **Response** Type: `KeeperSecrets` Object containing all Keeper records, or records that match the given filter criteria **Example Usage** Retrieve all Secrets ```csharp var options = new SecretsManagerOptions(storage, testPostFunction); var secrets = await SecretsManagerClient.GetSecrets(options); ``` ### Retrieve Secrets by Title ```csharp // get all matching records async Task> GetSecretsByTitle(SecretsManagerOptions options, string recordTitle) // get only the first matching record async Task GetSecretByTitle(SecretsManagerOptions options, string recordTitle) ```

Parameter	Type	Required	Description
`options`	SecretsManagerOptions	Yes	Preconfigured options
`recordTitle`	string	Yes	Record title to search for

**Example Usage** ```csharp using System; using System.Threading.Tasks; using SecretsManager; private static async Task getOneIndividualSecret() { var storage = new LocalConfigStorage("ksm-config.json"); var options = new SecretsManagerOptions(storage); var records = await SecretsManagerClient.GetSecretsByTitle( options, "My Credentials"); foreach (var record in records) { Console.WriteLine(record.RecordUid + " - " + record.Data.title); foreach (var field in record.Data.fields) { Console.WriteLine("\t" + field.label + " (" + field.type + "): [" + String.Join(", ", field.value) + "]"); } } } ``` ### Retrieve Values from a Secret **Retrieve a Password** {% tabs %} {% tab title="Get Password" %} ```csharp secret.FieldValue("password") ``` {% endtab %} {% tab title="Example Usage" %} ```csharp var storage = new LocalConfigStorage(configName); Console.WriteLine($"Local Config Storage opened from the file {configName}"); if (clientKey != null) SecretsManagerClient.InitializeStorage(storage, ""); var options = new SecretsManagerOptions(storage); //get secrets var secrets= (await SecretsManagerClient.GetSecrets(options)).Records; // get the password from the first secret var firstSecret= secrets[0]; var password = firstSecret.FieldValue("password").ToString(); ``` {% endtab %} {% endtabs %} Field types are based on the Keeper [Record Type](/en/enterprise-guide/record-types.md). For a detailed list of available fields based on the Keeper Record Type, see the [record-type-info](/en/keeperpam/commander-cli/command-reference/record-commands/record-type-commands.md#record-type-info-command) command in Keeper Commander. **Retrieve Other Fields Using Keeper Notation** {% tabs %} {% tab title="Get Value" %} ```csharp GetValue(KeeperSecrets secrets, string notation) ``` {% endtab %} {% tab title="Example Usage" %} ```csharp var storage = new LocalConfigStorage(configName); Console.WriteLine($"Local Config Storage opened from the file {configName}"); if (clientKey != null) SecretsManagerClient.InitializeStorage(storage, ""); var options = new SecretsManagerOptions(storage); //get secrets var secrets = (await SecretsManagerClient.GetSecrets(options)).Records; // get login field value using dot notation var password = Notation.GetValue(secrets, "BediNKCMG21ztm5xGYgNww/field/login"); ``` {% endtab %} {% endtabs %} {% hint style="info" %} See [Keeper Notation documentation](/en/keeperpam/secrets-manager/about/keeper-notation.md) to learn about Keeper Notation format and capabilities {% endhint %}

Parameter	Type	Required	Default	Description
Parameter	Type	Required	Default	Description
`secrets`	`KeeperSecrets`	Yes		Secrets to query
`notation`	`string`	Yes		Field query in dot notation format

**Retrieve TOTP Code** {% tabs %} {% tab title="Get TOTP Code" %} ```csharp CryptoUtils.GetTotpCode(string url) ``` {% endtab %} {% tab title="Example Usage" %} ```csharp var storage = new LocalConfigStorage(configName); Console.WriteLine($"Local Config Storage opened from the file {configName}"); if (clientKey != null) SecretsManagerClient.InitializeStorage(storage, ""); var options = new SecretsManagerOptions(storage); //get secrets var secrets = (await SecretsManagerClient.GetSecrets(options)).Records; // get TOTP url from a record var url = Notation.GetValue(secrets, "BediNKCMG21ztm5xGYgNww/field/OneTimeCode"); // get TOTP code var totp = CryptoUtils.GetTotpCode(url); Console.WriteLine(totp.Code); ``` {% endtab %} {% endtabs %}

Parameter	Type	Required	Default	Description
Parameter	Type	Required	Default	Description
`url`	`string`	Yes		TOTP Url

### Update Values in a Secret {% hint style="warning" %} Record update commands don't update local record data on success *(esp. updated record revision)* so any consecutive updates to an already updated record will fail due to **revision** mismatch. Make sure to reload all updated records after each update batch. {% endhint %} #### Save Changes to a Secret {% tabs %} {% tab title="Update Secret" %} ```csharp UpdateSecret(options: SecretsManagerOptions, record: KeeperRecord, transactionType: UpdateTransactionType? = null); ``` {% endtab %} {% tab title="Example Usage" %} ```csharp var options = new SecretsManagerOptions(storage, testPostFunction); await SecretsManagerClient.UpdateSecret(options, secret); ``` {% endtab %} {% tab title="Transactional updates" %} ```csharp var storage = new LocalConfigStorage(configName); var options = new SecretsManagerOptions(storage); //get secrets var secrets = (await SecretsManagerClient.GetSecrets(options)).Records; // get the first secret var secret = secrets[0]; // rotate password on the record secret.UpdateFieldValue("password", "MyNewPassword"); //start a transaction await SecretsManagerClient.UpdateSecret(options, secret, UpdateTransactionType.Rotation); // rotate password on remote host success = rotateRemoteSshPassword("MyNewPassword"); // complete the transaction - commit or rollback await SecretsManagerClient.CompleteTransaction(options, secret.RecordUid, rollback: !success); ``` {% endtab %} {% endtabs %}

Parameter	Type	Required	Default	Description
Parameter	Type	Required	Default	Description
`options`	`SecretsManagerOptions`	Yes		Storage and query configuration
`record`	`KeeperRecord`	Yes		The record with updated field values
`transactionType`	`UpdateTransactionType?`	Optional	null	Set to `Rotation` for transactional (two-phase) updates

Use UpdateSecret to save changes made to a secret record. Changes will not be reflected in the Keeper Vault until UpdateSecret is performed. **Update a Field Value** {% tabs %} {% tab title="Update Field Value" %} ```csharp UpdateFieldValue(string fieldType, object value) ``` {% endtab %} {% tab title="Example Usage" %} ```csharp var storage = new LocalConfigStorage(configName); Console.WriteLine($"Local Config Storage opened from the file {configName}"); if (clientKey != null) SecretsManagerClient.InitializeStorage(storage, ""); var options = new SecretsManagerOptions(storage); //get secrets var secrets= (await SecretsManagerClient.GetSecrets(options)).Records; // get the password from the first secret var firstSecret= secrets[0]; // update the login field firstSecret.UpdateFieldValue("login", "My New Login"); // update title and notes firstSecret.Data.title = "New Title"; firstSecret.Data.notes = "New Notes"; // save changes await SecretsManagerClient.UpdateSecret(options, firstSecret); ``` {% endtab %} {% endtabs %} | Parameter | Type | Required | Default | Description | | ----------- | -------- | -------- | ------- | ------------------------- | | `fieldType` | `string` | Yes | | The field to update | | `value` | `object` | Yes | | Value to set the field to | #### Generate a Random Password {% tabs %} {% tab title="Generate Password" %} ```csharp CryptoUtils.GeneratePassword( int minLength = 32, int? lowercase = null, int? uppercase = null, int? digits = null, int? specialCharacters = null, string specialCharacterSet = AsciiSpecialCharacters ) ``` {% endtab %} {% tab title="Example Usage" %} ```csharp // generate a 32-character password with balanced character distribution var password = CryptoUtils.GeneratePassword(); // generate a 64-character password with at least 10 digits and 5 special characters var strongPassword = CryptoUtils.GeneratePassword(minLength: 64, digits: 10, specialCharacters: 5); // generate a 16-character password using only alphanumeric characters (no special chars) var alphanumeric = CryptoUtils.GeneratePassword(minLength: 16, specialCharacters: 0); // update a record with the new password firstRecord.UpdateFieldValue("password", password); await SecretsManagerClient.UpdateSecret(options, firstRecord); ``` {% endtab %} {% endtabs %}

Parameter	Type	Required	Default
minLength	`int`	Optional	32
lowercase	`int?`	Optional	null
uppercase	`int?`	Optional	null
digits	`int?`	Optional	null
specialCharacters	`int?`	Optional	null
specialCharacterSet	`string`	Optional	`"!@#$%()+;<>=?[]{}^.,`

Each parameter indicates the minimum number of that character type to include. When `null`, the generator uses a balanced distribution across all character categories. The `specialCharacterSet` parameter controls which special characters are eligible for inclusion. ### Download a File ```csharp DownloadFile(file: KeeperFile): ByteArray ``` | Parameter | Type | Required | Default | Description | | --------- | ------------ | -------- | ------- | ---------------- | | `file` | `KeeperFile` | Yes | | File to download | **Response** Type: `ByteArray` ByteArray of file for download ### Download a **Thumbnail** ```csharp DownloadThumbnail(file: KeeperFile): ByteArray ``` | Parameter | Type | Required | Default | Description | | --------- | ------------ | -------- | ------- | ------------------------------- | | `file` | `KeeperFile` | Yes | | File with thumbnail to download | **Response** Type: `ByteArray` ByteArray of thumbnail for download ### Upload a File Upload File: ```csharp UploadFile(SecretsManagerOptions options, KeeperRecord ownerRecord, KeeperFileUpload file) ```

Parameter	Type	Required	Description
`options`	SecretsManagerOptions	Yes	Storage and query configuration
`ownerRecord`	KeeperRecord	Yes	The record to attach the uploaded file to
`file`	KeeperFileUpload	Yes	The File to upload

Creating the Keeper File Upload Object: ```csharp KeeperFileUpload(string name, string title, string type, byte[] data) ```

Parameter	Type	Required	Description
`name`	string	Yes	What the name of the file will be in Keeper once uploaded
`title`	string	Yes	What the title of the file will be in Keeper once uploaded
`type`	string	Yes	The mime type of data in the file. 'application/octet-stream' for example
`data`	byte[]	Yes	File data as bytes

**Example Usage** ```csharp using System; using System.Threading.Tasks; using SecretsManager; private static async Task uploadFile() { // initalize storage and options var storage = new LocalConfigStorage("ksm-config.json"); var options = new SecretsManagerOptions(storage); // get a record to attach the file to var records = (await SecretsManagerClient.GetSecrets( options, new[] { "XXX" }) ).Records; var ownerRecord = records[0]; // get file data to upload var bytes = await File.ReadAllBytesAsync("my-file.json"); var myFile = new KeeperFileUpload( "my-file1.json", "My File", null, bytes ); // upload file to selected record await SecretsManagerClient.UploadFile(options, ownerRecord, myFile); } ``` ### Create a Secret #### Prerequisites: * Shared folder UID * Shared folder must be accessible by the Secrets Manager Application * You and the Secrets Manager application must have edit permission * There must be at least one record in the shared folder * Created records and record fields must be formatted correctly * See the [documentation](/en/enterprise-guide/record-types.md) for expected field formats for each record type * TOTP fields accept only URL generated outside of the KSM SDK * After record creation, you can upload file attachments using [UploadFile](#upload-a-file) {% tabs %} {% tab title="Create a Record" %} ```csharp SecretsManagerClient.CreateSecret(options, folderUid, record) ```

Parameter	Type	Required
`options`	`SecretsManagerOptions`	Yes
`folderUid`	`string`	Yes
`record`	`KeeperRecordData`	Yes

{% endtab %} {% tab title="Create Record in Sub-folder" %} ```csharp SecretsManagerClient.CreateSecret2(options, createOptions, record, folders) ```

Parameter	Type	Required
`options`	`SecretsManagerOptions`	Yes
`createOptions`	`CreateOptions`	Yes
`record`	`KeeperRecordData`	Yes
`folders`	`KeeperFolder[]`	No

{% endtab %} {% tab title="Login Record Example" %} This example creates a login type record with a login value and a generated password. {% hint style="info" %} Replace '`[FOLDER UID]`' in the example with the UID of a shared folder that your Secrets Manager has access to. {% endhint %} ```csharp var newRecord = new KeeperRecordData{type = "login", title = "Sample KSM Record: C#"}; newRecord.fields = new[] { new KeeperRecordField { type = "login", value = new[] { "My Username" } }, new KeeperRecordField { type = "password", value = new[] { CryptoUtils.GeneratePassword() } }, }; newRecord.notes = "This is a C# record creation example"; var recordUid = await SecretsManagerClient.CreateSecret(options, folderUid, newRecord); ``` {% endtab %} {% tab title="Custom Type Example" %} This example creates a record with a custom record type. {% hint style="info" %} Replace '`[FOLDER UID]`' in the example with the UID of a shared folder that your Secrets Manager has access to. {% endhint %} ```csharp var newRecord = new KeeperRecordData(); newRecord.type = "Custom Login"; newRecord.title = "Sample Custom Type KSM Record: C#"; newRecord.fields = new[] { new KeeperRecordField { type = "host", value = new[] { new Dictionary { { "hostName", "127.0.0.1"}, { "port", "8080"} } }, label = "My Custom Host lbl", required = true }, new KeeperRecordField { type = "login", value = new[] { "login@email.com" }, required = true, label = "My Custom Login lbl" }, new KeeperRecordField { type = "password", value = new[] { CryptoUtils.GeneratePassword() }, required = true, label = "My Custom Password lbl" }, new KeeperRecordField { type = "url", value = new[] { "http://localhost:8080/login" }, label = "My Login Page", required = true }, new KeeperRecordField { type = "securityQuestion", value = new[] { new Dictionary { {"question", "What is one plus one (write just a number)"}, { "answer", "2" } } }, label = "My Question 1", required = true }, new KeeperRecordField { type = "phone", value = new[] { new Dictionary { { "region", "US" }, { "number", "510-444-3333" }, { "ext", "2345" }, { "type", "Mobile" } } }, label = "My Private Phone", privacyScreen = true }, new KeeperRecordField { type = "date", value = new[] {(object) 1641934793000 }, label = "My Date Lbl" }, new KeeperRecordField { type = "name", value = new[] { new Dictionary { {"first", "John"}, {"middle", "Patrick"}, {"last", "Smith"} } }, required = true }, new KeeperRecordField { type = "oneTimeCode", value = new[] { "otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example" }, label = "My TOTP", required = true } }; newRecord.notes = "\tThis custom type record was created\n\tvia .NET SDK copied from https://docs.keeper.io/secrets-manager/secrets-manager/developer-sdk-library/.net-sdk"; var recordUid = await SecretsManagerClient.CreateSecret(options, "[FOLDER_UID]", newRecord); ``` {% endtab %} {% endtabs %} ### Delete a Secret The .Net KSM SDK can delete records in the Keeper Vault. {% tabs %} {% tab title="Delete Secret" %} ```csharp DeleteSecret(smOptions, recordsUids); ```

Parameter	Type	Required
`smOptions`	`SecretsManagerOptions`	Yes
`recordsUids`	`string[]`	Yes

{% endtab %} {% tab title="Example" %}

using SecretsManager;

// setup secrets manager
var storage = new LocalConfigStorage("ksm-config.json");
//SecretsManagerClient.InitializeStorage(storage, "<One Time Access Token>");
var smOptions = new SecretsManagerOptions(storage);

// delete a specific secret by record UID
await SecretsManagerClient.DeleteSecret(smOptions, new string[] {"EG6KdJaaLG7esRZbMnfbFA"});

{% endtab %} {% endtabs %} ### Caching To protect against losing access to your secrets when network access is lost, the .Net SDK allows caching of secrets to the local machine in an encrypted file. **Setup and Configure Cache** In order to setup caching in the .Net SDK, include a caching post function as the second argument when instantiating a`SecretsManagerOptions` object. The .Net SDK includes a default caching function `cachingPostFunction` which stores cached queries to a file. ```csharp var options = new SecretsManagerOptions(storage, SecretsManagerClient.CachingPostFunction); var secrets = await SecretsManagerClient.GetSecrets(options); ``` ### Folders Folders have full CRUD support - create, read, update and delete operations. ### Read Folders Downloads full folder hierarchy. ```csharp Task GetFolders(SecretsManagerOptions options) ``` **Response** Type: `KeeperFolder[]` **Example Usage** ```csharp using SecretsManager; var options = new SecretsManagerOptions(new LocalConfigStorage("ksm-config.json")); var folders = await SecretsManagerClient.GetFolders(options); ``` ### Create a Folder Requires `CreateOptions` and folder name to be provided. The folder UID parameter in `CreateOptions` is required - UID of a shared folder, while sub-folder UID is optional and if missing, a new regular folder is created directly under the parent (shared folder). There's no requirement for the sub-folder to be a direct descendant of the parent shared folder - it could be many levels deep. ```csharp Task CreateFolder(SecretsManagerOptions options, CreateOptions createOptions, string folderName, KeeperFolder[] folders = null) ```

Parameter	Type	Required	Default	Description
`options`	`SecretsManagerOptions`	Yes		Preconfigured options
`createOptions`	`CreateOptions`	Yes		The parent and sub-folder UIDs
`folderName`	`string`	Yes		The Folder name
`folders`	`KeeperFolder[]`	No	`null`	List of folders to use in the search for parent and sub-folder from CreateOptions

```csharp public class CreateOptions { public string FolderUid { get; } public string SubFolderUid { get; } } ``` ```csharp public class KeeperFolder { public byte[] FolderKey { get; } public string FolderUid { get; } public string ParentUid { get; } public string Name { get; } } ``` **Example Usage** ```csharp using SecretsManager; var options = new SecretsManagerOptions(new LocalConfigStorage("ksm-config.json")); var co = new CreateOptions("[PARENT_SHARED_FOLDER_UID]"); var folderUid = await SecretsManagerClient.CreateFolder(options, co, "new_folder"); ``` ### Update a Folder Updates the folder metadata - currently folder name only. ```csharp Task UpdateFolder(SecretsManagerOptions options, string folderUid, string folderName, KeeperFolder[] folders = null) ```

Parameter	Type	Required	Default	Description
`options`	`SecretsManagerOptions`	Yes		Preconfigured options
`folderUid`	`string`	Yes		The folder UID
`folderName`	`string`	Yes		The new folder name
`folders`	`KeeperFolder[]`	No	`null`	List of folders to use in the search for parent folder

**Example Usage** ```csharp using SecretsManager; var options = new SecretsManagerOptions(new LocalConfigStorage("ksm-config.json")); await SecretsManagerClient.UpdateFolder(options, "[FOLDER_UID]", "new_folder_name"); ``` ### Delete Folders Removes a list of folders. Use `forceDeletion` flag to remove non-empty folders. {% hint style="info" %} When using forceDeletion avoid sending parent with its children folder UIDs. Depending on the delete order you may get an error - *ex.* if parent force-deleted child first. There's no guarantee that list will always be processed in FIFO order. {% endhint %} {% hint style="info" %} Any folders UIDs missing from the vault or not shared to the KSM Application will not result in error. {% endhint %} ```csharp Task DeleteFolder(SecretsManagerOptions options, string[] folderUids, bool forceDeletion = false) ```

Parameter	Type	Required	Default	Description
`options`	`SecretsManagerOptions`	Yes		Preconfigured options
`folderUids`	`string[]`	Yes		The folder UID list
`forceDeletion`	`bool`	No	`false`	Force deletion of non-empty folders

**Example Usage** ```csharp using SecretsManager; var options = new SecretsManagerOptions(new LocalConfigStorage("ksm-config.json")); await SecretsManagerClient.DeleteFolder(options, new string[]{"[FOLDER_UID1]", "[FOLDER_UID2]"}, true); ``` ### Proxy support .NET SDK supports setting proxy through environment variables and passing proxy url to `SecretsManagerOptions` directly {% hint style="info" %} Keeper recommends using **environment variables** for proxy settings. This approach keeps configuration details out of code, ensures consistency across tools and environments, and simplifies deployment and maintenance {% endhint %} **Example usage through environment variables** ``` HTTPS_PROXY=http://user:password@127.0.0.1:3128 dotnet run ``` Example usage passing url to `SecretsManagerOptions` ```csharp var options = new SecretsManagerOptions(storage, null, false, "http://user:password@127.0.0.1:3128"); ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.keeper.io/en/keeperpam/secrets-manager/developer-sdk-library/.net-sdk.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.