Encryption

Endpoints

Skip to section

GET	/v1/encryption/keyproviders
POST	/v1/encryption/keyproviders
GET	/v1/encryption/keyproviders/{arnFingerPrint}
PATCH	/v1/encryption/keyproviders/{arnFingerPrint}
DELETE	/v1/encryption/keyproviders/{arnFingerPrint}
POST	/v1/encryption/keyproviders/{arnFingerPrint}/actions/migrate
POST	/v1/encryption/keyproviders/{arnFingerPrint}/actions/test
GET	/v1/encryption/keyproviders/actions/list
POST	/v1/encryption/keyproviders/actions/reset-to-default-provider
GET	/v1/encryption/keyproviders/migration/actions/details

Lists keyproviders registered for the tenant

manage

Facts GET /v1/encryption/keyproviders

Rate limit

required

Tier 1 (1000 requests per minute)

Header Parameters GET /v1/encryption/keyproviders

Authorization

required

string

The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema.

Responses GET /v1/encryption/keyproviders

200 application/json KeyProviders	Successfully retrieved list of key providers
400 application/json StandardError	Bad Request
417 application/json StandardError	Failed to load key providers from the registry

GET/v1/encryption/keyproviders

curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders" \
 -H "Authorization: Bearer <API-key>"

Response GET /v1/encryption/keyproviders

[
  {
    "arn": "arn:aws:kms:us-east-1:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
    "qcg": false,
    "name": "test name",
    "current": true,
    "description": "test description",
    "keyprovider": "AWS-KMS",
    "multiRegion": true,
    "replicaKeys": [
      {
        "arn": "arn:aws:kms:us-east-2:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
        "region": "us-east-2"
      }
    ]
  }
]

Registers an AWS-KMS key for the specific tenant

manage

Facts POST /v1/encryption/keyproviders

Rate limit

required

Tier 2 (100 requests per minute)

Header Parameters POST /v1/encryption/keyproviders

Authorization

required

string

The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema.

Request Body POST /v1/encryption/keyproviders

application/json

KeyProvider

No description

Responses POST /v1/encryption/keyproviders

201 application/json KeyProvider	Successfully registered the AWS-KMS key
400 application/json StandardError	Bad Request
401 application/json StandardError	Unauthorized, Invalid JWT
403 application/json StandardError	Provided AWS-KMS key access forbidden. Check if key policy allows access from Qlik Cloud.
406 application/json StandardError	Failed to register key
408 application/json StandardError	Failed to return a response within the timeout window. The key provider (QlikVault, AWS-KMS) might be unavailable.
409 application/json StandardError	The specified key is already registered
417 application/json StandardError	Failed to validate AWS-KMS ARN structure

POST/v1/encryption/keyproviders

curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders" \
 -X POST \
 -H "Authorization: Bearer <API-key>" \
 -H "Content-type: application/json" \
 -d '{"arn":"arn:aws:kms:us-east-1:857519135519:key/ee358547-5716-4e66-9524-1618716e221a","qcg":false,"name":"test name","current":false,"description":"test description","keyprovider":"AWS-KMS","multiRegion":true,"replicaKeys":[{"arn":"arn:aws:kms:us-east-2:857519135519:key/ee358547-5716-4e66-9524-1618716e221a","region":"us-east-2"}]}'

Request POST /v1/encryption/keyproviders

{
  "arn": "arn:aws:kms:us-east-1:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
  "qcg": false,
  "name": "test name",
  "current": false,
  "description": "test description",
  "keyprovider": "AWS-KMS",
  "multiRegion": true,
  "replicaKeys": [
    {
      "arn": "arn:aws:kms:us-east-2:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
      "region": "us-east-2"
    }
  ]
}

Response POST /v1/encryption/keyproviders

{
  "arn": "arn:aws:kms:us-east-1:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
  "qcg": false,
  "name": "test name",
  "current": false,
  "description": "test description",
  "keyprovider": "AWS-KMS",
  "multiRegion": true,
  "replicaKeys": [
    {
      "arn": "arn:aws:kms:us-east-2:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
      "region": "us-east-2"
    }
  ]
}

Retrieves key for a given fingerprint

manage

Facts GET /v1/encryption/keyproviders/{arnFingerPrint}

Rate limit

required

Tier 1 (1000 requests per minute)

Header Parameters GET /v1/encryption/keyproviders/{arnFingerPrint}

Authorization

required

string

The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema.

Path Parameters GET /v1/encryption/keyproviders/{arnFingerPrint}

arnFingerPrint

required

string

The fingerprint of the requested provider key.

Responses GET /v1/encryption/keyproviders/{arnFingerPrint}

200 application/json KeyProvider	Successfully fetched key provider information
400 application/json StandardError	Bad Request
404 application/json StandardError	No entry match for the fingerprint was found
414 application/json StandardError	Requested fingerprint length is too large

GET/v1/encryption/keyproviders/{arnFingerPrint}

curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/{arnFingerPrint}" \
 -H "Authorization: Bearer <API-key>"

Response GET /v1/encryption/keyproviders/{arnFingerPrint}

{
  "arn": "arn:aws:kms:us-east-1:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
  "qcg": false,
  "name": "test name",
  "current": false,
  "description": "test description",
  "keyprovider": "AWS-KMS",
  "multiRegion": true,
  "replicaKeys": [
    {
      "arn": "arn:aws:kms:us-east-2:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
      "region": "us-east-2"
    }
  ]
}

Patches Name & Description of keyprovider information

manage

Facts PATCH /v1/encryption/keyproviders/{arnFingerPrint}

Rate limit

required

Tier 2 (100 requests per minute)

Header Parameters PATCH /v1/encryption/keyproviders/{arnFingerPrint}

Authorization

required

string

The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema.

Path Parameters PATCH /v1/encryption/keyproviders/{arnFingerPrint}

arnFingerPrint

required

string

The fingerprint of an existing keyprovider key.

Request Body PATCH /v1/encryption/keyproviders/{arnFingerPrint}

application/json

Array<KeyProviderPatchBase>

No description

Responses PATCH /v1/encryption/keyproviders/{arnFingerPrint}

204 object	Successfully patched key provider information
400 application/json StandardError	Failed to decode key provider patch request payload
401 application/json StandardError	Unauthorized, Invalid JWT
404 application/json StandardError	No entry match for the fingerprint was found
417 application/json StandardError	Failed to patch key provider information

PATCH/v1/encryption/keyproviders/{arnFingerPrint}

curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/{arnFingerPrint}" \
 -X PATCH \
 -H "Authorization: Bearer <API-key>" \
 -H "Content-type: application/json" \
 -d '{"op":"replace","path":"string","value":"string"}'

Request PATCH /v1/encryption/keyproviders/{arnFingerPrint}

{
  "op": "replace",
  "path": "string",
  "value": "string"
}

Deletes the key information

manage

Facts DELETE /v1/encryption/keyproviders/{arnFingerPrint}

Rate limit

required

Tier 2 (100 requests per minute)

Header Parameters DELETE /v1/encryption/keyproviders/{arnFingerPrint}

Authorization

required

string

The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema.

Path Parameters DELETE /v1/encryption/keyproviders/{arnFingerPrint}

arnFingerPrint

required

string

The fingerprint of the requested provider key.

Responses DELETE /v1/encryption/keyproviders/{arnFingerPrint}

204 application/json KeyProvidersDeleteResponseBody	Successfully deleted key
400 application/json StandardError	Bad Request
404 application/json StandardError	No entry match for the fingerprint was found
417 application/json StandardError	Failed to delete keyprovider information
424 application/json StandardError	The requested key is being used and cannot be deleted

DELETE/v1/encryption/keyproviders/{arnFingerPrint}

curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/{arnFingerPrint}" \
 -X DELETE \
 -H "Authorization: Bearer <API-key>"

Response DELETE /v1/encryption/keyproviders/{arnFingerPrint}

{
  "message": "Keyprovider metadata deleted successfully"
}

Migrates existing cipherkeys from current key provider to requested key provider.

manage

Facts POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/migrate

Rate limit

required

Tier 2 (100 requests per minute)

Header Parameters POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/migrate

Authorization

required

string

The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema.

Path Parameters POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/migrate

arnFingerPrint

required

string

The fingerprint of an existing key provider key.

Responses POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/migrate

200 application/json MigrationInformation	Successfully initiated cipherkeys migration
400 application/json StandardError	Bad Request
401 application/json StandardError	Unauthorized, Invalid JWT
404 application/json StandardError	No entry match for the fingerprint was found
412 application/json StandardError	Failed to initiate migration
424 application/json StandardError	Failed to prepare migration
428 application/json StandardError	There is already an ongoing migration for the tenant

POST/v1/encryption/keyproviders/{arnFingerPrint}/actions/migrate

curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/{arnFingerPrint}/actions/migrate" \
 -X POST \
 -H "Authorization: Bearer <API-key>"

Response POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/migrate

{
  "id": "string",
  "state": "New",
  "progress": 0,
  "tenantId": "string",
  "completedAt": "2023-11-29T00:09:24.599Z",
  "initiatedAt": "2023-11-29T00:09:24.599Z",
  "migratingTo": "string",
  "migratingFrom": "string",
  "migratingToPrefix": "string",
  "migratingToFingerprint": "string"
}

Validates AWS-KMS key access and usage

manage

Facts POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/test

Rate limit

required

Tier 2 (100 requests per minute)

Header Parameters POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/test

Authorization

required

string

The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema.

Path Parameters POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/test

arnFingerPrint

required

string

The fingerprint of an existing keyprovider key.

Responses POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/test

201 application/json KeyProvider	Successfully validated key
400 application/json StandardError	Bad Request
401 application/json StandardError	Unauthorized, Invalid JWT
404 application/json StandardError	No entry match for the fingerprint was found
408 application/json StandardError	Failed to return a response within the timeout window. The key provider (QlikVault, AWS-KMS) might be unavailable.

POST/v1/encryption/keyproviders/{arnFingerPrint}/actions/test

curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/{arnFingerPrint}/actions/test" \
 -X POST \
 -H "Authorization: Bearer <API-key>"

Response POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/test

{
  "arn": "arn:aws:kms:us-east-1:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
  "qcg": false,
  "name": "test name",
  "current": false,
  "description": "test description",
  "keyprovider": "AWS-KMS",
  "multiRegion": true,
  "replicaKeys": [
    {
      "arn": "arn:aws:kms:us-east-2:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
      "region": "us-east-2"
    }
  ]
}

Lists keyproviders registered for the tenant [Qlik, AWS-KMS]

manage

Facts GET /v1/encryption/keyproviders/actions/list

Rate limit

required

Tier 1 (1000 requests per minute)

Header Parameters GET /v1/encryption/keyproviders/actions/list

Authorization

required

string

The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema.

Responses GET /v1/encryption/keyproviders/actions/list

200 application/json ListKeyProviders	Successfully retrieved list of key providers
400 application/json StandardError	Bad Request
417 application/json StandardError	Failed to load key providers from the registry

GET/v1/encryption/keyproviders/actions/list

curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/actions/list" \
 -H "Authorization: Bearer <API-key>"

Response GET /v1/encryption/keyproviders/actions/list

[
  {
    "arn": "#QLIK_MANAGED_KEY_PROVIDER#",
    "qcg": false,
    "name": "Qlik Internal Kms",
    "tenantId": "ImTRa-bkJTD-NZRYjNBa_rDhwSVA6Qo8",
    "createdAt": "Qlik managed",
    "description": "Default key management service",
    "keyprovider": "Qlik",
    "multiRegion": false,
    "replicaKeys": [],
    "arnFingerPrint": "ImTRa-bkJTD-NZRYjNBa_rDhwSVA6Qo8",
    "promotedToCurrentAt": "2023-06-21T18:45:57Z",
    "demotedFromCurrentAt": "0001-01-01T00:00:00Z"
  },
  {
    "arn": "arn:aws:kms:us-east-1:857519135519:key/e4e84fc7-7817-4121-b927-9d1d4ef03f1d",
    "qcg": false,
    "name": "CMK - 01",
    "tenantId": "ImTRa-bkJTD-NZRYjNBa_rDhwSVA6Qo8",
    "createdAt": "2023-06-21T18:43:49Z",
    "keyprovider": "AWS-KMS",
    "multiRegion": true,
    "replicaKeys": [
      {
        "arn": "arn:aws:kms:us-east-2:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
        "region": "us-east-2"
      }
    ],
    "arnFingerPrint": "9f352c5a9c1618485051892cb57467e4",
    "promotedToCurrentAt": "2023-06-21T18:43:54Z",
    "demotedFromCurrentAt": "2023-06-21T18:45:57Z"
  },
  {
    "arn": "arn:aws:kms:us-east-1:857519135519:key/b6a2a74c-fb34-464a-8ea6-d867fd3b9438",
    "qcg": false,
    "name": "CMK - 02",
    "current": true,
    "tenantId": "ImTRa-bkJTD-NZRYjNBa_rDhwSVA6Qo8",
    "createdAt": "2023-06-21T18:59:17Z",
    "description": "CMK migration test",
    "keyprovider": "AWS-KMS",
    "multiRegion": true,
    "replicaKeys": [
      {
        "arn": "arn:aws:kms:us-east-2:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
        "region": "us-east-2"
      }
    ],
    "arnFingerPrint": "b5fe2c83b25f9e39487bca28f69e4210",
    "promotedToCurrentAt": "2023-06-21T18:59:18Z",
    "demotedFromCurrentAt": "0001-01-01T00:00:00Z"
  }
]

Resets tenant key provider to Qlik managed provider

manage

Facts POST /v1/encryption/keyproviders/actions/reset-to-default-provider

Rate limit

required

Tier 2 (100 requests per minute)

Header Parameters POST /v1/encryption/keyproviders/actions/reset-to-default-provider

Authorization

required

string

The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema.

Responses POST /v1/encryption/keyproviders/actions/reset-to-default-provider

205 application/json MigrationInformation	Successfully initiated key migration to Qlik managed provider
401 application/json StandardError	Unauthorized, Invalid JWT
406 application/json StandardError	There is already an ongoing migration in progress for the tenant
412 application/json StandardError	Failed to initiate migration to Qlik managed provider
424 application/json StandardError	Tenant is already using Qlik Managed provider

POST/v1/encryption/keyproviders/actions/reset-to-default-provider

curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/actions/reset-to-default-provider" \
 -X POST \
 -H "Authorization: Bearer <API-key>"

Response POST /v1/encryption/keyproviders/actions/reset-to-default-provider

{
  "id": "string",
  "state": "New",
  "progress": 0,
  "tenantId": "string",
  "completedAt": "2023-11-29T00:09:24.599Z",
  "initiatedAt": "2023-11-29T00:09:24.599Z",
  "migratingTo": "string",
  "migratingFrom": "string",
  "migratingToPrefix": "string",
  "migratingToFingerprint": "string"
}

Gets ongoing migration details

manage

Facts GET /v1/encryption/keyproviders/migration/actions/details

Rate limit

required

Tier 1 (1000 requests per minute)

Header Parameters GET /v1/encryption/keyproviders/migration/actions/details

Authorization

required

string

The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema.

Responses GET /v1/encryption/keyproviders/migration/actions/details

200 application/json MigrationInformation	Successfully fetched migration information
400 application/json StandardError	Bad Request
401 application/json StandardError	Unauthorized, Invalid JWT
404 application/json StandardError	There is no ongoing migration for this tenant
417 application/json StandardError	Failed to get ongoing migration information

GET/v1/encryption/keyproviders/migration/actions/details

curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/migration/actions/details" \
 -H "Authorization: Bearer <API-key>"

Response GET /v1/encryption/keyproviders/migration/actions/details

{
  "id": "string",
  "state": "New",
  "progress": 0,
  "tenantId": "string",
  "completedAt": "2023-11-29T00:09:24.599Z",
  "initiatedAt": "2023-11-29T00:09:24.599Z",
  "migratingTo": "string",
  "migratingFrom": "string",
  "migratingToPrefix": "string",
  "migratingToFingerprint": "string"
}

KeyProvider

object

Properties

arn required PII data string	The provider resource notation for the key.
name required string	Name of key provider entry.
current boolean	Indicates whether the key is being used to encrypt/decrypt secrets.
tenantId string	Tenant ID.
createdAt string<date-time>	When key entry was created.
description string	Description of key provider entry.
keyProvider string	Key Provider type. Enum: AWS-KMS
multiRegion boolean	Indicates whether the key has multi-region configurations and has replica key in qcs secondary region.
replicaKeys Array<arn,region>	No description
arnFingerPrint string	The ARN fingerprint.
promotedToCurrentAt string<date-time>	When the key was promoted to being the current active one.
demotedFromCurrentAt string<date-time>	When the key was demoted from being current to non active.

KeyProviderPatchBase

object

A JSON Patch document as defined in https://datatracker.ietf.org/doc/html/rfc6902.

Properties

op required string	The operation to be performed. Enum: replace
path required string	The property path.
value required string	The value to be used for this operation.

KeyProviderPatchSchema

Array<KeyProviderPatchBase>

Properties

op required string	The operation to be performed. Enum: replace
path required string	The property path.
value required string	The value to be used for this operation.

KeyProviders

object

Properties

errors

Array<KeyProvider>

No description

KeyProvidersDeleteResponseBody

object

Properties

response

string<text>

Successful response message.

ListKeyProviders

object

Properties

errors

Array<KeyProvider>

No description

MigrationInformation

object

Properties

id string<uid>	Migration operation ID.
state string	Migration operation state. Enum: New InProgress Completed
progress number	Progress in percentage.
tenantId string<uid>	Tenant ID.
completedAt string<date-time>	No description
initiatedAt string<date-time>	No description
migratingTo PII data string	The new key ARN that keys should be migrated to.
migratingFrom PII data string	The key ARN being migrated from (in case of QlikVault, could be a short name only).
migratingToPrefix string	The new key prefix (to help services know which prefix should NOT be migrated).
migratingToFingerprint string	The new key ARN fingerprint.

StandardError

object

Properties

errors

required

Array<StandardErrorItem>

No description

StandardErrorItem

object

Properties

code required string	The error code.
meta object	Additional error object metadata.
title required string	Description of the error.
detail string	Extra information about the error.

v0.879.8