# Rust SDK
### Download and Installation #### Requirements {% hint style="info" %} **Rust 1.87 or later** is required to use this SDK. This minimum version ensures compatibility with Edition 2024 dependencies and recent security patches. {% endhint %} #### Adding as Package using Cargo ``` cargo add keeper-secrets-manager-core ``` For more information, see #### Source Code Find the Rust source code in the [GitHub repository](https://github.com/Keeper-Security/secrets-manager/tree/master/sdk/rust) ### Using the SDK ### Initialise {% hint style="info" %} Using token only to generate a new config (for later usage) requires at least one read operation to bind the token and fully populate `config.json` {% endhint %} {% tabs %} {% tab title="Secrets Manager" %} ```rust SecretsManager::new(client_options)? ``` {% endtab %} {% tab title="Example Usage" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, storage::FileKeyValueStorage, custom_error::KSMRError }; fn main()-> Result<(), KSMRError>{ let token = "".to_string(); let config = FileKeyValueStorage::new_config_storage("test.json".to_string())?; let client_options = ClientOptions::new_client_options_with_token(token, config); let mut secrets_manager = SecretsManager::new(client_options)?; Ok(()) } ``` {% endtab %} {% endtabs %}
ParameterRequiredDescriptionType
ParameterRequiredDescriptionType
tokenYesOne Time Access TokenString
configYesStorage ConfigurationKeyValueStorage
### Proxy Configuration To route all SDK traffic through an HTTP or HTTPS proxy, set `proxy_url` on `ClientOptions` or use environment variables. The proxy applies to all SDK operations: API calls, file uploads, file downloads, thumbnail downloads, and caching requests. {% tabs %} {% tab title="Proxy via ClientOptions" %} ```rust let mut client_options = ClientOptions::new_client_options(config); client_options.proxy_url = Some("http://proxy.example.com:8080".to_string()); let mut secrets_manager = SecretsManager::new(client_options)?; ``` {% endtab %} {% tab title="Authenticated Proxy Example" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, storage::InMemoryKeyValueStorage, custom_error::KSMRError }; fn main() -> Result<(), KSMRError> { let config_string = "your_base64_goes_here".to_string(); let config = InMemoryKeyValueStorage::new_config_storage(Some(config_string))?; let mut client_options = ClientOptions::new_client_options(config); // Authenticated proxy: http://user:pass@host:port client_options.proxy_url = Some("http://user:pass@proxy.example.com:8080".to_string()); let mut secrets_manager = SecretsManager::new(client_options)?; let secrets = secrets_manager.get_secrets(Vec::new())?; Ok(()) } ``` {% endtab %} {% endtabs %} | Option | Description | | ---------------------------- | --------------------------------------------------------------------------------------------- | | `ClientOptions.proxy_url` | Set proxy programmatically. Takes precedence over environment variables. | | `HTTP_PROXY` / `HTTPS_PROXY` | Standard proxy environment variables. Used when `proxy_url` is not set. | | `KSM_PROXY_URL` | Used by the caching module (`caching_post_function`) when proxy is needed for cache requests. | ### Retrieve Secrets {% tabs %} {% tab title="Get Secrets" %} ```rust let records_filter = Vec::new(); // add record filters of needed based on UID let secrets = secrets_manager.get_secrets(records_filter)?; ``` {% endtab %} {% tab title="Example: Get All Secrets" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, custom_error::KSMRError, storage::FileKeyValueStorage }; fn main()-> Result<(), KSMRError>{ let token = "".to_string(); let file_name = FileKeyValueStorage::new_config_storage("test.json".to_string())?; let client_options = ClientOptions::new_client_options_with_token(token, file_name); let mut secrets_manager = SecretsManager::new(client_options)?; let secrets = secrets_manager.get_secrets(Vec::new())?; for secret in secrets { secret.print(); println!("---"); } Ok(()) } ``` {% endtab %} {% tab title="Example: Get Secrets With a Filter" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, custom_error::KSMRError, storage::FileKeyValueStorage }; fn main()-> Result<(), KSMRError>{ let token = "".to_string(); let file_name = FileKeyValueStorage::new_config_storage("test.json".to_string())?; let client_options = ClientOptions::new_client_options_with_token(token, file_name); let mut secrets_manager = SecretsManager::new(client_options)?; let records_filter = vec!["record_uid1","record_uid2"]; // add record filters of needed based on UID let secrets = secrets_manager.get_secrets(records_filter)?; for secret in secrets { secret.print(); println!("---"); } Ok(()) } ``` {% endtab %} {% endtabs %}
ParameterTypeRequiredDefaultDescription
ParameterTypeRequiredDefaultDescription
uidsVec<String>OptionalNoneRecord UIDs to fetch
**Response** Type: `Vec` All Keeper records, or records with the given UIDs > default - we will get all records which the token given has access to #### Get Secrets with Options Use `get_secrets_with_options()` to request additional data such as GraphSync linked records. {% tabs %} {% tab title="Get Secrets with Options" %} ```rust let query_options = QueryOptions::with_links(Vec::new(), Vec::new(), true); let secrets = secrets_manager.get_secrets_with_options(query_options)?; ``` {% endtab %} {% tab title="Example: Fetch Linked Records" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, dto::payload::QueryOptions, storage::InMemoryKeyValueStorage, custom_error::KSMRError }; fn main() -> Result<(), KSMRError> { let config_string = "your_base64_goes_here".to_string(); let config = InMemoryKeyValueStorage::new_config_storage(Some(config_string))?; let client_options = ClientOptions::new_client_options(config); let mut secrets_manager = SecretsManager::new(client_options)?; // Request linked records alongside the primary secrets // Vec::new() means no UID or folder filter — fetch all secrets let query_options = QueryOptions::with_links(Vec::new(), Vec::new(), true); let secrets = secrets_manager.get_secrets_with_options(query_options)?; for secret in &secrets { println!("Secret: {}", secret.title); if !secret.links.is_empty() { println!(" Linked records: {}", secret.links.len()); } } Ok(()) } ``` {% endtab %} {% endtabs %} | Parameter | Type | Required | Description | | --------------- | -------------- | -------- | ----------------------- | | `query_options` | `QueryOptions` | Yes | Options for the request | **QueryOptions Fields:** | Field | Type | Description | | --------------- | -------------- | ------------------------------------------------------------------------------------------------------------------ | | `request_links` | `Option` | Set to `true` to include GraphSync linked records in the response. Linked records are available on `Record.links`. | ### Retrieve Values from Secret #### Retrieve a password This shortcut gets the password of a secret once that secret has been retrieved from Keeper Secrets Manager. {% tabs %} {% tab title="Get Password" %} ```rust secret.get_standard_field_value("password", true); ``` {% endtab %} {% tab title="Example" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, storage::InMemoryKeyValueStorage, custom_error::KSMRError }; fn main()-> Result<(), KSMRError>{ // setup secrets manager let config_string = "your_base64_goes_here".to_string(); let config = InMemoryKeyValueStorage::new_config_storage(Some(config_string))?; let client_options = ClientOptions::new_client_options(config); let mut secrets_manager = SecretsManager::new(client_options)?; // get a specific secret by record UID let secrets = secrets_manager.get_secrets(vec!["record_uid".to_string()])?; let secret = match secrets.len(){ 0 => return Err(KSMRError::CustomError("no secret with given uid is found".to_string())), _ => &secrets[0], }; // get password from record let my_secret_password = secret.get_standard_field_value("password", true); Ok(()) } ``` {% endtab %} {% endtabs %} #### Retrieve Standard Fields {% tabs %} {% tab title="Standard Field" %} ```rust secret.get_standard_field_value(“FIELD_TYPE”.to_string(), true); ``` {% endtab %} {% tab title="Standard Field Example" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, storage::FileKeyValueStorage, custom_error::KSMRError, enums::StandardFieldTypeEnum }; fn main()-> Result<(), KSMRError>{ // setup secrets manager let token = "your_token_goes_here".to_string(); let config = FileKeyValueStorage::new_config_storage("test.json".to_string())?; let client_options = ClientOptions::new_client_options_with_token(token, config); let mut secrets_manager = SecretsManager::new(client_options)?; // get a specific secret by record UID let secrets = secrets_manager.get_secrets(vec!["record_uid".to_string()])?; let secret = match secrets.len(){ 0 => return Err(KSMRError::CustomError("no secret with given uid is found".to_string())), _ => &secrets[0], }; // use StandardFieldTypeEnum for getting accurate type for standard field without any typographic errors let login_field = StandardFieldTypeEnum::LOGIN.get_type().to_string(); // get login field from the secret let my_secret_login = secret.get_standard_field_value(login_field, true) Ok(()) } ``` {% endtab %} {% endtabs %} | Parameter | Type | Required | Default | Description | | ------------ | --------- | -------- | ------- | --------------------------- | | `field_type` | `String` | Yes | None | Field type to get | | `single` | `boolean` | Optional | False | Return only the first value | Field types are based on the Keeper [Record Type](https://app.gitbook.com/s/-LO5CAzpxoaEquZJBpYz/record-types). For a detailed list of available fields based on the Keeper Record Type, see the [record-type-info](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/record-commands/record-type-commands#record-type-info-command) command in Keeper Commander. #### Retrieve Custom Fields {% tabs %} {% tab title="Custom Field" %} ```rust secret.get_custom_field_value(“FIELD_TYPE”, true); ``` {% endtab %} {% tab title="Custom Field Example" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, storage::InMemoryKeyValueStorage, custom_error::KSMRError }; fn main()-> Result<(), KSMRError>{ // setup secrets manager let config_string = "your_base64_goes_here".to_string(); let config = InMemoryKeyValueStorage::new_config_storage(Some(config_string))?; let client_options = ClientOptions::new_client_options(config); let mut secrets_manager = SecretsManager::new(client_options)?; // get a specific secret by record UID let secrets = secrets_manager.get_secrets(vec!["record_uid".to_string()])?; let secret = match secrets.len(){ 0 => return Err(KSMRError::CustomError("no secret with given uid is found".to_string())), _ => &secrets[0], }; // Get a custom field, e.g. API Key let api_key = secret.get_custom_field_value(“API Key”, true) Ok(()) } ``` {% endtab %} {% endtabs %} | Parameter | Type | Required | Default | Description | | ------------ | --------- | -------- | ------- | --------------------------- | | `field_type` | `String` | Yes | - | Field type to get | | `single` | `boolean` | Optional | False | Return only the first value | Custom fields are any field that is not part of the record type definition but can be added by users. **Response** > Type: `String` or `Vec` the value or values of the field. It will be a single value only if the `single=true` option is passed. #### Search Secrets by Title Search for secrets using their title instead of UID. The SDK provides two methods: * `get_secrets_by_title()` - Returns all secrets matching the exact title * `get_secret_by_title()` - Returns the first secret matching the exact title {% tabs %} {% tab title="Get All Secrets by Title" %} ```rust secrets_manager.get_secrets_by_title(record_title) ``` {% endtab %} {% tab title="Get All Secrets by Title Example" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, storage::InMemoryKeyValueStorage, custom_error::KSMRError }; fn main()-> Result<(), KSMRError>{ // setup secrets manager let config_string = "your_base64_goes_here".to_string(); let config = InMemoryKeyValueStorage::new_config_storage(Some(config_string))?; let client_options = ClientOptions::new_client_options(config); let mut secrets_manager = SecretsManager::new(client_options)?; // get all secrets matching the record title let matching_secrets = secrets_manager.get_secrets_by_title("My Credentials")?; println!("Found {} matching secrets", matching_secrets.len()); Ok(()) } ``` {% endtab %} {% tab title="Get First Secret by Title" %} ```rust secrets_manager.get_secret_by_title(record_title) ``` {% endtab %} {% tab title="Get First Secret by Title Example" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, storage::InMemoryKeyValueStorage, custom_error::KSMRError }; fn main()-> Result<(), KSMRError>{ // setup secrets manager let config_string = "your_base64_goes_here".to_string(); let config = InMemoryKeyValueStorage::new_config_storage(Some(config_string))?; let client_options = ClientOptions::new_client_options(config); let mut secrets_manager = SecretsManager::new(client_options)?; // get first secret matching the record title if let Some(secret) = secrets_manager.get_secret_by_title("My Credentials")? { println!("Found secret: {}", secret.uid); } else { println!("No secret found with that title"); } Ok(()) } ``` {% endtab %} {% endtabs %} **Response** | Method | Return Type | Description | | ------------------------ | ------------------------ | -------------------------------------- | | `get_secrets_by_title()` | `Result>` | All secrets matching the exact title | | `get_secret_by_title()` | `Result>` | First secret matching title, or `None` | | Parameter | Type | Required | Description | | -------------- | ------ | -------- | --------------------------------- | | `record_title` | `&str` | Yes | Exact title of the record to find | {% hint style="info" %} Title matching is **case-sensitive** and requires an **exact match**. For partial or case-insensitive searching, retrieve all secrets and filter client-side. {% endhint %} #### Retrieve Values using Keeper Notation {% tabs %} {% tab title="get Notation" %} ```rust secrets_manager.get_notation(query) ``` {% endtab %} {% tab title="Notation Example" %} 
use keeper_secrets_manager_core::{
    core::{ClientOptions, SecretsManager},
    storage::InMemoryKeyValueStorage,
    custom_error::KSMRError
};
fn main()-> Result<(), KSMRError>{
    // setup secrets manager
    let config_string = "your_base64_goes_here".to_string();
    let config = InMemoryKeyValueStorage::new_config_storage(Some(config_string))?;
    let client_options = ClientOptions::new_client_options(config);
    let mut secrets_manager = SecretsManager::new(client_options)?;

    // get all secrets matching the notation
    let mut notation = "HDQTnxkTcPSOsHNAlbI4aQ/field/login".to_string();
    let mut result = secrets_manager.get_notation(notation)?;
    Ok(())
}
{% endtab %} {% endtabs %} See [Keeper Notation documentation](https://docs.keeper.io/en/keeperpam/secrets-manager/about/keeper-notation) to learn about Keeper Notation format and capabilities | Parameter | Type | Required | Default | Description | | --------- | -------- | -------- | ------- | ---------------------------------------------------------------- | | `query` | `String` | Yes | - | Keeper Notation query for getting a value from a specified field | **Returns** The value of the queried field Type: String or `Vec` #### Retrieve a TOTP Code {% tabs %} {% tab title="Get TOTP Code" %} ```rust get_totp_code(&url) ``` {% endtab %} {% tab title="Example Usage" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, storage::InMemoryKeyValueStorage, custom_error::KSMRError, enums::StandardFieldTypeEnum, utils }; fn main()-> Result<(), KSMRError>{ // setup secrets manager let config_string = "your_base64_goes_here".to_string(); let config = InMemoryKeyValueStorage::new_config_storage(Some(config_string))?; let client_options = ClientOptions::new_client_options(config); let mut secrets_manager = SecretsManager::new(client_options)?; // get a specific secret by UID let secrets = secrets_manager.get_secrets(vec!["".to_string()])?; let record = &secrets[0]; // get TOTP url value from a record let value = record.get_standard_field_value(StandardFieldTypeEnum::ONETIMECODE.get_type(), false)?; let url: String = utils::get_otp_url_from_value_obj(value)?; // get code from TOTP url let totp = utils::get_totp_code(&url)?; println!("{}", totp.get_code()); Ok(()) } ``` {% endtab %} {% endtabs %} **Returns** > Type: `Result` | Parameter | Type | Required | Description | | --------- | -------- | -------- | ----------- | | `url` | `String` | Yes | TOTP Url | ### Update a Secret {% hint style="warning" %} Record update commands don't update local record data on success *(esp. updated record revision)* so any consecutive updates to an already updated record will fail due to **revision** mismatch. Make sure to reload all updated records after each update batch. {% endhint %} #### **Update Secret** The `update_secret()` method is the standard way to update records. {% tabs %} {% tab title="Update Secret" %} ```rust secrets_manager.update_secret(record) ``` {% endtab %} {% tab title="Update Secret Example" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, storage::InMemoryKeyValueStorage, custom_error::KSMRError, enums::StandardFieldTypeEnum }; fn main()-> Result<(), KSMRError>{ // setup secrets manager let config_string = "your_base64_goes_here".to_string(); let config = InMemoryKeyValueStorage::new_config_storage(Some(config_string))?; let client_options = ClientOptions::new_client_options(config); let mut secrets_manager = SecretsManager::new(client_options)?; // get a specific secret by UID let mut secrets = secrets_manager.get_secrets(vec!["".to_string()])?; let mut secret_to_update = secrets.into_iter().next().unwrap(); // update a field value let field_type = StandardFieldTypeEnum::LOGIN.get_type(); secret_to_update.set_standard_field_value_mut(field_type, "sample@ks.com".into())?; // save the changes secrets_manager.update_secret(secret_to_update)?; Ok(()) } ``` {% endtab %} {% endtabs %} | Parameter | Type | Required | Default | Description | | --------- | -------- | -------- | ------- | -------------------------------- | | `record` | `Record` | Yes | | Record with updated field values | **Response** Returns `Result<(), KSMRError>` - success or error #### **Password Rotation with Transactions** The `update_secret_with_transaction()` method enables password rotation workflows where you can test the new password before committing the change. {% tabs %} {% tab title="Password Rotation" %} ```rust secrets_manager.update_secret_with_transaction(record, UpdateTransactionType::Rotation)?; // Test the new password... secrets_manager.complete_transaction(record_uid, false)?; // false = commit, true = rollback ``` {% endtab %} {% tab title="Password Rotation Example" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, storage::InMemoryKeyValueStorage, custom_error::KSMRError, enums::StandardFieldTypeEnum, dto::payload::UpdateTransactionType }; fn main()-> Result<(), KSMRError>{ // setup secrets manager let config_string = "your_base64_goes_here".to_string(); let config = InMemoryKeyValueStorage::new_config_storage(Some(config_string))?; let client_options = ClientOptions::new_client_options(config); let mut secrets_manager = SecretsManager::new(client_options)?; // get a specific secret by UID let mut secrets = secrets_manager.get_secrets(vec!["".to_string()])?; let mut secret_to_update = secrets.into_iter().next().unwrap(); let record_uid = secret_to_update.uid.clone(); // update password field let field_type = StandardFieldTypeEnum::PASSWORD.get_type(); secret_to_update.set_standard_field_value_mut(field_type, "NewRotatedPassword123!".into())?; // start rotation transaction secrets_manager.update_secret_with_transaction(secret_to_update, UpdateTransactionType::Rotation)?; // Test the new password in your application... // If successful: secrets_manager.complete_transaction(record_uid, false)?; // commit // If testing failed: // secrets_manager.complete_transaction(record_uid, true)?; // rollback Ok(()) } ``` {% endtab %} {% endtabs %}
ParameterTypeRequiredDescription
recordRecordYesRecord with updated field values
transaction_typeUpdateTransactionTypeYesGeneral or Rotation
record_uidStringYesUID of the record to finalize transaction for
rollbackboolYesfalse to commit, true to rollback
#### **Remove File Links** The `update_secret_with_options()` method provides fine-grained control over updates, including the ability to remove file links. {% tabs %} {% tab title="Update with Options" %} ```rust let update_options = UpdateOptions::new( UpdateTransactionType::General, vec!["file-uid-to-remove".to_string()] ); secrets_manager.update_secret_with_options(record, update_options)?; ``` {% endtab %} {% tab title="Update with Options Example" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, storage::InMemoryKeyValueStorage, custom_error::KSMRError, dto::payload::{UpdateOptions, UpdateTransactionType} }; fn main()-> Result<(), KSMRError>{ // setup secrets manager let config_string = "your_base64_goes_here".to_string(); let config = InMemoryKeyValueStorage::new_config_storage(Some(config_string))?; let client_options = ClientOptions::new_client_options(config); let mut secrets_manager = SecretsManager::new(client_options)?; // get a specific secret by UID let secrets = secrets_manager.get_secrets(vec!["".to_string()])?; let secret_to_update = secrets.into_iter().next().unwrap(); // Modify fields as needed... // Create update options to remove file links let update_options = UpdateOptions::new( UpdateTransactionType::General, vec!["file-uid-to-remove-1".to_string(), "file-uid-to-remove-2".to_string()] ); // Update the record and remove specified file links secrets_manager.update_secret_with_options(secret_to_update, update_options)?; Ok(()) } ``` {% endtab %} {% endtabs %} | Parameter | Type | Required | Default | Description | | ---------------- | --------------- | -------- | ------- | ------------------------------------------ | | `record` | `Record` | Yes | | Record with updated field values | | `update_options` | `UpdateOptions` | Yes | | Configuration for advanced update behavior | **UpdateOptions Fields:** | Field | Type | Description | | ------------------ | ----------------------- | ---------------------------------- | | `transaction_type` | `UpdateTransactionType` | `General` or `Rotation` | | `links_to_remove` | `Vec` | UIDs of file attachments to remove | Set field values using the `set_standard_field_value_mut` or the `set_custom_field_value_mut` method. Fields are found by type. For a list of field types, see the [Record Types](https://app.gitbook.com/s/-LO5CAzpxoaEquZJBpYz/record-types) documentation. Some fields have multiple values in these cases, the value can be set to a list. #### Generate a Random Password {% tabs %} {% tab title="Generate Password" %} ```rust generate_password_with_options(password_options); ``` {% endtab %} {% tab title="Generate Password Example" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, storage::InMemoryKeyValueStorage, custom_error::KSMRError, enums::StandardFieldTypeEnum, utils::{generate_password_with_options, PasswordOptions} }; fn main()-> Result<(), KSMRError>{ // setup secrets manager let config_string = "your_base64_goes_here".to_string(); let config = InMemoryKeyValueStorage::new_config_storage(Some(config_string))?; let client_options = ClientOptions::new_client_options(config); let mut secrets_manager = SecretsManager::new(client_options)?; // get a specific secret by UID let secrets = secrets_manager.get_secrets(vec!["".to_string()])?; let mut secret = secrets.into_iter().next().unwrap(); // generate a random password let charset: String = "$_!?#".to_string(); let length = 32; let digits = 2; let lowercase = 2; let uppercase = 2; let special_characters = 2; let password_options = PasswordOptions::new() .length(length) .digits(digits) .lowercase(lowercase) .uppercase(uppercase) .special_characters(special_characters) .special_characterset(charset); let password = generate_password_with_options(password_options)?; // update record with new password let field_type = StandardFieldTypeEnum::PASSWORD.get_type(); secret.set_standard_field_value_mut(field_type, password.into())?; // Save changes to the secret secrets_manager.update_secret(secret)?; Ok(()) } ``` {% endtab %} {% endtabs %}
ParameterTypeRequiredDefaultDescription
password_optionsPasswordOptionsYesConfiguration for the password
charsetStringOptional"""!@#$%()+;<>=?[]{}^.,"""Set of special characters to be included in the password
lengthi32Optional32Length of password
lowercasei32OptionalNoneCount of lowercase characters in the password
uppercasei32OptionalNoneCount of uppercase characters in the password
digitsi32OptionalNoneCount of digits in the password
special_charactersi32OptionalNoneCount of special characters in the password
By default, each count parameter specifies the **minimum** number of that character type. Pass a negative value to specify an **exact** count instead — for example, `.lowercase(-8)` produces exactly 8 lowercase characters. When all count parameters are negative or zero (exact mode), the `length` parameter is ignored and the total password length is derived from the sum of the absolute values. ### Download a File {% tabs %} {% tab title="Download File" %} ```rust secret.download_file(file_name, path); ``` {% endtab %} {% tab title="Download File example" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, storage::InMemoryKeyValueStorage, custom_error::KSMRError }; fn main()-> Result<(), KSMRError>{ // setup secrets manager let config_string = "your_base64_goes_here".to_string(); let config = InMemoryKeyValueStorage::new_config_storage(Some(config_string))?; let client_options = ClientOptions::new_client_options(config); let mut secrets_manager = SecretsManager::new(client_options)?; // get a specific secret by UID let secrets = secrets_manager.get_secrets(vec!["".to_string()])?; let secret = &secrets[0]; // Download file to a specific path let path = format!("./temp/demo_{}.txt", secret.title); secret.download_file("uploaded_file.txt", &path)?; Ok(()) } ``` {% endtab %} {% endtabs %}
ParameterTypeRequiredDefaultDescription
file_name&strYesName of the file to be downloaded
path&strYesPath to download file
#### Download File by Title Downloads a file attachment by record title and filename. The SDK searches all accessible records for one matching `record_title`, then retrieves the file named `file_name` from that record. {% tabs %} {% tab title="Download File by Title" %} ```rust secrets_manager.download_file_by_title(record_title, file_name) ``` {% endtab %} {% tab title="Example" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, storage::InMemoryKeyValueStorage, custom_error::KSMRError }; fn main() -> Result<(), KSMRError> { let config_string = "your_base64_goes_here".to_string(); let config = InMemoryKeyValueStorage::new_config_storage(Some(config_string))?; let client_options = ClientOptions::new_client_options(config); let mut secrets_manager = SecretsManager::new(client_options)?; // Download a file by record title and file name if let Some(file_data) = secrets_manager.download_file_by_title("My Record Title", "report.pdf")? { std::fs::write("./report.pdf", &file_data) .map_err(|e| KSMRError::CustomError(e.to_string()))?; println!("File downloaded successfully"); } else { println!("Record or file not found"); } Ok(()) } ``` {% endtab %} {% endtabs %} | Parameter | Type | Required | Description | | -------------- | ------ | -------- | --------------------------------------- | | `record_title` | `&str` | Yes | Title of the record containing the file | | `file_name` | `&str` | Yes | Name of the file attachment to download | **Returns** > Type: `Result>, KSMRError>` * `Ok(Some(bytes))` — decrypted file data as raw bytes * `Ok(None)` — no record with that title, or no file with that name was found * `Err(...)` — error during download or decryption #### Download File Thumbnail Some file attachments (especially images) have thumbnail previews. You can download these thumbnails separately from the full file. {% tabs %} {% tab title="Download Thumbnail" %} ```rust file.get_thumbnail_data() ``` {% endtab %} {% tab title="Download Thumbnail Example" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, storage::InMemoryKeyValueStorage, custom_error::KSMRError }; fn main()-> Result<(), KSMRError>{ // setup secrets manager let config_string = "your_base64_goes_here".to_string(); let config = InMemoryKeyValueStorage::new_config_storage(Some(config_string))?; let client_options = ClientOptions::new_client_options(config); let mut secrets_manager = SecretsManager::new(client_options)?; // get a specific secret by UID let secrets = secrets_manager.get_secrets(vec!["".to_string()])?; let secret = &secrets[0]; // Download thumbnails for all files for mut file in secret.files.clone() { if let Some(thumbnail_data) = file.get_thumbnail_data()? { let thumbnail_path = format!("./temp/{}_thumb.jpg", file.name); std::fs::write(&thumbnail_path, &thumbnail_data) .map_err(|e| KSMRError::FileWriteError(thumbnail_path.clone(), e))?; println!("Downloaded thumbnail: {}", thumbnail_path); } else { println!("No thumbnail available for {}", file.name); } } Ok(()) } ``` {% endtab %} {% endtabs %} **Returns** > Type: `Result>, KSMRError>` * `Ok(Some(bytes))` - Thumbnail data (typically JPEG) * `Ok(None)` - No thumbnail available for this file * `Err(...)` - Error downloading or decrypting thumbnail {% hint style="info" %} Thumbnails are typically available for image files (PNG, JPEG, etc.). Document files and other non-image types usually do not have thumbnails. {% endhint %} ### Upload File {% tabs %} {% tab title="Upload File" %} ```rust upload_file(owner_record, keeper_file); ``` {% endtab %} {% tab title="Upload File Example" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, storage::InMemoryKeyValueStorage, custom_error::KSMRError, dto::file::KeeperFileUpload }; fn main()-> Result<(), KSMRError>{ // setup secrets manager let config_string = "your_base64_goes_here".to_string(); let config = InMemoryKeyValueStorage::new_config_storage(Some(config_string))?; let client_options = ClientOptions::new_client_options(config); let mut secrets_manager = SecretsManager::new(client_options)?; // get a specific secret by UID let secrets = secrets_manager.get_secrets(vec!["".to_string()])?; let owner_record = &secrets[0]; // Prepare file data for upload let file_path = "./local_file.txt"; let file_name = Some("uploaded_file.txt"); let file_title = Some("My File"); let mime_type = Some("text/plain"); let keeper_file = KeeperFileUpload::get_file_for_upload( file_path, file_name, file_title, mime_type )?; // Upload file attached to the owner record and get the file UID let file_uid = secrets_manager.upload_file(owner_record, keeper_file)?; println!("Uploaded file UID: {}", file_uid); Ok(()) } ``` {% endtab %} {% endtabs %} **Upload File Parameters**
ParameterTypeRequiredDefaultDescription
owner_recordRecordYesNoneThe record in which the file has to be uploaded
keeper_fileKeeperFileUploadYesThe file to be uploaded
**File Parameters** | Parameter | Type | Required | Default | Description | | ------------ | -------------- | -------- | ------- | ------------------------------------------------------------------------------------------ | | `file_path` | `&str` | Yes | | Path to upload file | | `file_name` | `Option<&str>` | Yes | | Name of the file to be uploaded | | `file_title` | `Option<&str>` | Yes | | Title of the file to be uploaded | | `mime_type` | `Option<&str>` | Yes | None | The type of data in the file. If none is provided, 'application/octet-stream' will be used | **Returns** > Type: `String` The file UID of the attached file ### Create a Secret **Prerequisites:** * Shared folder UID * The shared folder must be accessible by the Secrets Manager Application * You and the Secrets Manager application must have edit permission * There must be at least one record in the shared folder * Created records and record fields must be formatted correctly * See the [documentation](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/record-commands/creating-and-updating-records#record-types) for expected field formats for each record type * TOTP fields accept only URL generated outside of the KSM SDK * After record creation, you can upload file attachments using [upload\_file](https://docs.keeper.io/en/keeperpam/secrets-manager/python-sdk#upload-a-file) {% tabs %} {% tab title="Create Record" %} ```rust secrets_manager.create_secret(folder_uid, record); ``` {% endtab %} {% tab title="Login record Example" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, storage::InMemoryKeyValueStorage, custom_error::KSMRError, dto::{dtos::RecordCreate, field_structs::RecordField}, utils }; use serde_json::{self, json, Number, Value}; fn main()-> Result<(), KSMRError>{ // setup secrets manager let config_string = "your_base64_goes_here".to_string(); let config = InMemoryKeyValueStorage::new_config_storage(Some(config_string))?; let client_options = ClientOptions::new_client_options(config); let mut secrets_manager = SecretsManager::new(client_options)?; // This is how we create a Record let mut created_record = RecordCreate::new("login".to_string(), "Login Record RUST_LOG_TEST".to_string(), Some("Dummy Notes".to_string())); // This is how we create a single field let password_field = RecordField::new_record_field_with_options("password".to_string(), Value::String(utils::generate_password()?), Some("Random password label".to_string()), false, true); //This is one way to create all fields directly in a vector let fields = vec![ RecordField::new_record_field("login".to_string(), Value::String("login@email.com".to_string()), Some("My Custom Login lbl".to_string())), password_field, ]; created_record.fields = Some(fields); // Make the API call let _ = secrets_manager.create_secret("Shared_folder_uid".to_string(), created_record)?; Ok(()) } ``` {% endtab %} {% tab title="Custom Type example" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, storage::InMemoryKeyValueStorage, custom_error::KSMRError, dto::{dtos::RecordCreate, field_structs::RecordField}, utils }; use serde_json::{self, json, Number, Value}; fn main()-> Result<(), KSMRError>{ // setup secrets manager let config_string = "your_base64_goes_here".to_string(); let config = InMemoryKeyValueStorage::new_config_storage(Some(config_string))?; let client_options = ClientOptions::new_client_options(config); let mut secrets_manager = SecretsManager::new(client_options)?; // This is how we create a Record let mut created_record = RecordCreate::new("login".to_string(), "Login Record RUST_LOG_TEST".to_string(), Some("Dummy Notes".to_string())); // This is how we create a single field let password_field = RecordField::new_record_field_with_options("password".to_string(), Value::String(utils::generate_password()?), Some("Random password label".to_string()), false, true); // This is one of the ways to create a value object from JSON String let security_question_value = Value::from_str("{\"question\": \"What is the question?\", \"answer\": \"This is the answer!\"}")?; //This is one way to create all fields directly in a vector let fields = vec![ RecordField::new_record_field("login".to_string(), Value::String("login@email.com".to_string()), Some("My Custom Login lbl".to_string())), RecordField::new_record_field("login".to_string(), Value::String("login@email.com".to_string()), Some("My Label".to_string())), password_field, RecordField::new_record_field("securityQuestion".to_string(),security_question_value , Some("My Label".to_string())), RecordField::new_record_field("multiline".to_string(),Value::String("This\nIs a multiline\nnote".to_string()) , Some("My Multiline lbl".to_string())), RecordField::new_record_field("secret".to_string(),Value::String("SecretText".to_string()) , Some("My Hidden Field lbl".to_string())), RecordField::new_record_field("pinCode".to_string(),Value::String("1234567890".to_string()) , Some("My Pin Code Field Lbl".to_string())), RecordField::new_record_field("addressRef".to_string(),Value::String("some_UID".to_string()) , Some("My Address Reference".to_string())), RecordField::new_record_field("phone".to_string(),json!({"region": "US", "number": "510-444-3333"}) , Some("My Phone Number".to_string())), RecordField::new_record_field("date".to_string(),Value::Number(Number::from(1641934793000i64)) , Some("My date".to_string())), RecordField::new_record_field("date".to_string(),Value::String("September eleventh two thousand and eleven".to_string()) , Some("Bad day in history of humanity".to_string())), RecordField::new_record_field("name".to_string(),json!({"first": "Lincoln", "last": "Adams"}) , Some("His Name".to_string())), ]; // Here we are adding fields object to standard fields created_record.fields = Some(fields); created_record.custom = Some( vec![ RecordField::new_record_field("phone".to_string(),json!({"region": "US", "number": "510-222-5555", "ext": "99887", "type": "Mobile"}) , Some("My Custom Phone Lbl".to_string())), ] ); // Make the API call let _ = secrets_manager.create_secret("Shared_folder_uid".to_string(), created_record)?; Ok(()) } ``` {% endtab %} {% endtabs %} | Parameter | Type | Required | Default | Description | | ---------------- | ------------------- | -------- | ------- | ------------------------------------------- | | `record_type` | `DefaultRecordType` | Yes | None | Type of record to be created | | `title` | `String` | Yes | | The title of the created record | | `note` | `String` | Yes | None | The note to be made in the created record | | `value` | `String` | Yes | | Value for the field | | `label` | `String` | Yes | None | Label for the field | | `required` | `bool` | Yes | false | Defines if the field is required | | `privacy_screen` | `bool` | Yes | false | Defines if the field value should be hidden | **Returns** > Type: `String` The record UID of the new record ### Delete A Secret The Rust KSM SDK can delete records in the Keeper Vault. {% tabs %} {% tab title="Delete Secret" %} ```rust secrets_manager.delete_secret(vec![record_uid]); ``` {% endtab %} {% tab title="Delete Secret Example" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, storage::InMemoryKeyValueStorage, custom_error::KSMRError }; fn main()-> Result<(), KSMRError>{ // setup secrets manager let config_string = "your_base64_goes_here".to_string(); let config = InMemoryKeyValueStorage::new_config_storage(Some(config_string))?; let client_options = ClientOptions::new_client_options(config); let mut secrets_manager = SecretsManager::new(client_options)?; // delete a specific secret by UID let secret_to_delete = secrets_manager.delete_secret(["".to_string()])?; Ok(()) } ``` {% endtab %} {% endtabs %}
ParameterTypeRequiredDefaultDescription
record_uidStringYesNoneThe uid of the record to be deleted
### Caching To protect against losing access to your secrets when network access is lost, the Rust SDK allows caching of secrets to the local machine in an encrypted file. #### Setup and Configure Cache The Rust SDK includes a default caching function `caching_post_function` which stores cached queries to a local file, serving as a disaster recovery function. As long as there's network connectivity, it always prefers network over cached data and will use cache only if the web vault is inaccessible. {% tabs %} {% tab title="Setup Caching" %} ```rust use keeper_secrets_manager_core::caching; let mut client_options = ClientOptions::new_client_options_with_token(token, config); client_options.set_custom_post_function(caching::caching_post_function); let mut secrets_manager = SecretsManager::new(client_options)?; ``` {% endtab %} {% tab title="Caching Example" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, storage::FileKeyValueStorage, custom_error::KSMRError, caching }; fn main()-> Result<(), KSMRError>{ let token = "".to_string(); let file_name = FileKeyValueStorage::new_config_storage("test.json".to_string())?; let mut client_options = ClientOptions::new_client_options_with_token(token, file_name); // Enable disaster recovery caching client_options.set_custom_post_function(caching::caching_post_function); let mut secrets_manager = SecretsManager::new(client_options)?; // First successful call saves to cache (default: KSM_CACHE_DIR/ksm_cache.bin) let secrets = secrets_manager.get_secrets(Vec::new())?; // Subsequent calls automatically fall back to cache if network fails println!("Retrieved {} secrets (with automatic cache fallback)", secrets.len()); Ok(()) } ``` {% endtab %} {% endtabs %} **Cache Location:** * Default: `$KSM_CACHE_DIR/ksm_cache.bin` * If `KSM_CACHE_DIR` not set, uses system temp directory * Override with environment variable: `export KSM_CACHE_DIR=/path/to/cache` {% hint style="danger" %} The default caching function stores only the **last successful request**. For example, if the first request (R1) successfully retrieves UID1 and updates the cache, but a subsequent request (R2) for UID2 fails, the cache will not include UID2. As a result, any later operations involving UID2 will return an empty response if network is down, since it was never added to the cache. {% endhint %} {% hint style="warning" %} Updating a record from cache (or creating new record) invalidates cached record data and consecutive updates of the same record will fail. Batch updates work as long as they modify different records. Always follow up cached record updates with a call to `get_secrets()` to refresh cache (and pull updated metadata from vault like the new record revision). {% endhint %} #### Custom Cache Implementations For advanced use cases requiring custom cache management (e.g., preferring local cache over network, custom refresh intervals), you can implement your own caching logic using the `KSMRCache` class as a starting point. {% tabs %} {% tab title="Custom Cache Setup" %} ```rust use keeper_secrets_manager_core::cache::KSMRCache; let cache = KSMRCache::new_file_cache(Some("./cache.bin"))?; let mut client_options = ClientOptions::new_client_options_with_token(token, config); client_options.set_cache(cache.into()); let mut secrets_manager = SecretsManager::new(client_options)?; ``` {% endtab %} {% tab title="Custom Cache Example" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, custom_error::KSMRError, storage::FileKeyValueStorage, cache::KSMRCache }; fn main()-> Result<(), KSMRError>{ let cache = KSMRCache::new_file_cache(Some("./cache.bin"))?; let token = "".to_string(); let file_name = FileKeyValueStorage::new_config_storage("test.json".to_string())?; let mut client_options = ClientOptions::new_client_options_with_token(token, file_name); client_options.set_cache(cache.into()); let mut secrets_manager = SecretsManager::new(client_options)?; let secrets = secrets_manager.get_secrets(Vec::new())?; for secret in secrets { println!("Secret: {}", secret.title); } Ok(()) } ``` {% endtab %} {% endtabs %} ### Folders Folders have full CRUD support—create, read, update, and delete operations. ### Read Folders Downloads full folder hierarchy. {% tabs %} {% tab title="Read Folders" %} ```rust secrets_manager.get_folders() ``` {% endtab %} {% tab title="Read Folders Example" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, storage::InMemoryKeyValueStorage, custom_error::KSMRError }; fn main()-> Result<(), KSMRError>{ // setup secrets manager let config_string = "your_base64_goes_here".to_string(); let config = InMemoryKeyValueStorage::new_config_storage(Some(config_string))?; let client_options = ClientOptions::new_client_options(config); let mut secrets_manager = SecretsManager::new(client_options)?; // get all folder let folders = secrets_manager.get_folders()?; Ok(()) } ``` {% endtab %} {% endtabs %} **Returns** > Type: `Vec` ### Create Folder Requires `CreateOptions` and folder name to be provided. The folder UID parameter in `CreateOptions` is required—the UID of a shared folder, while sub-folder UID is optional, and if missing, a new regular folder is created directly under the parent (shared folder). There's no requirement for the sub-folder to be a direct descendant of the parent shared folder - it could be many levels deep. {% tabs %} {% tab title="Create Folder" %} ```rust secrets_manager.create_folder(create_options, folder_name, folders) ``` {% endtab %} {% tab title="Create Folder Under Shared Folder" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, storage::InMemoryKeyValueStorage, custom_error::KSMRError, dto::payload::CreateOptions }; fn main()-> Result<(), KSMRError>{ // setup secrets manager let config_string = "your_base64_goes_here".to_string(); let config = InMemoryKeyValueStorage::new_config_storage(Some(config_string))?; let client_options = ClientOptions::new_client_options(config); let mut secrets_manager = SecretsManager::new(client_options)?; // Create a folder directly under the shared folder let parent_folder_uid = "".to_string(); let create_options = CreateOptions::new(parent_folder_uid, None); let new_folder_name = "My New Folder".to_string(); let folder_uid = secrets_manager.create_folder(create_options, new_folder_name, Vec::new())?; println!("Created folder UID: {}", folder_uid); Ok(()) } ``` {% endtab %} {% tab title="Create Nested Subfolder" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, storage::InMemoryKeyValueStorage, custom_error::KSMRError, dto::payload::CreateOptions }; fn main()-> Result<(), KSMRError>{ // setup secrets manager let config_string = "your_base64_goes_here".to_string(); let config = InMemoryKeyValueStorage::new_config_storage(Some(config_string))?; let client_options = ClientOptions::new_client_options(config); let mut secrets_manager = SecretsManager::new(client_options)?; // Create a subfolder within an existing folder let parent_folder_uid = "".to_string(); let sub_folder_uid = Some("".to_string()); let create_options = CreateOptions::new(parent_folder_uid, sub_folder_uid); let new_folder_name = "Nested Subfolder".to_string(); let folder_uid = secrets_manager.create_folder(create_options, new_folder_name, Vec::new())?; println!("Created subfolder UID: {}", folder_uid); Ok(()) } ``` {% endtab %} {% endtabs %}
ParameterTypeRequiredDefaultDescription
create_optionsCreateOptionsYesNoneThe parent and sub-folder UIDs
folder_namestrYesThe folder name
foldersVec<KeeperFolder>NoNoneList of folders to use in the search for parent and sub-folder from CreateOptions
### Update Folder Updates the folder metadata—currently folder name only. {% tabs %} {% tab title="Update Folder" %} ```rust secrets_manager.update_folder(folder_uid, folder_name, folders) ``` {% endtab %} {% tab title="Update Folder Example" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, storage::InMemoryKeyValueStorage, custom_error::KSMRError }; fn main()-> Result<(), KSMRError>{ // setup secrets manager let config_string = "your_base64_goes_here".to_string(); let config = InMemoryKeyValueStorage::new_config_storage(Some(config_string))?; let client_options = ClientOptions::new_client_options(config); let mut secrets_manager = SecretsManager::new(client_options)?; let update_folder = secrets_manager.update_folder("".to_string(),"dummy_updated_API_RUST".to_string(),Vec::new())?; println!("{}",(serde_json::to_string_pretty(&update_folder)?)); Ok(()) } ``` {% endtab %} {% endtabs %} | Parameter | Type | Required | Default | Description | | ------------- | ------------------- | -------- | ------- | ------------------------------------------------------ | | `folder_uid` | `str` | Yes | | The folder uid | | `folder_name` | `str` | Yes | | The new folder name | | `folders` | `Vec` | No | None | List of folders to use in the search for parent folder | ### Delete Folders Removes a list of folders. Use the `force_deletion` flag to remove non-empty folders. {% hint style="info" %} Any folders UIDs missing from the vault or not shared to the KSM Application will not result in error. {% endhint %} {% hint style="info" %} When using `force_deletion` avoid sending parent with its children folder UIDs. Depending on the delete order you may get an error - *ex.* if parent force-deleted child first. There's no guarantee that list will always be processed in FIFO order. {% endhint %} {% tabs %} {% tab title="Delete Folder" %} ```rust delete_folder(vec![“”.to_string()], false); ``` {% endtab %} {% tab title="Delete Folder Example" %} ```rust use keeper_secrets_manager_core::{ core::{ClientOptions, SecretsManager}, storage::InMemoryKeyValueStorage, custom_error::KSMRError }; fn main()-> Result<(), KSMRError>{ // setup secrets manager let config_string = "your_base64_goes_here".to_string(); let config = InMemoryKeyValueStorage::new_config_storage(Some(config_string))?; let client_options = ClientOptions::new_client_options(config); let mut secrets_manager = SecretsManager::new(client_options)?; let folder_uids = vec!["folder1_uid".to_string(),"folder_2_uid".to_string()]; secrets_manager.delete_folder(folder_uids, true)?; Ok(()) } ``` {% endtab %} {% endtabs %} | Parameter | Type | Required | Default | Description | | ---------------- | ------------- | -------- | ------- | ----------------------------------- | | `folder_uids` | `Vec` | Yes | | The folder UID list | | `force_deletion` | `boolean` | No | false | Force deletion of non-empty folders |