Endpoints

Skip to section
GET/v1/encryption/keyproviders
POST/v1/encryption/keyproviders
GET/v1/encryption/keyproviders/{arnFingerPrint}
PATCH/v1/encryption/keyproviders/{arnFingerPrint}
DELETE/v1/encryption/keyproviders/{arnFingerPrint}
POST/v1/encryption/keyproviders/{arnFingerPrint}/actions/migrate
POST/v1/encryption/keyproviders/{arnFingerPrint}/actions/test
GET/v1/encryption/keyproviders/actions/list
POST/v1/encryption/keyproviders/actions/reset-to-default-provider
GET/v1/encryption/keyproviders/migration/actions/details

Lists keyproviders registered for the tenant

manage

Facts GET /v1/encryption/keyproviders

Rate limit
required
Tier 1 (1000 requests per minute)

Header Parameters GET /v1/encryption/keyproviders

Authorization
required
string

The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema.

Responses GET /v1/encryption/keyproviders

200
application/json

Successfully retrieved list of key providers

400
application/json

Bad Request

417
application/json

Failed to load key providers from the registry

GET/v1/encryption/keyproviders

curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders" \
 -H "Authorization: Bearer <API-key>"

Response GET /v1/encryption/keyproviders

[
  {
    "arn": "arn:aws:kms:us-east-1:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
    "qcg": false,
    "name": "test name",
    "current": true,
    "description": "test description",
    "keyprovider": "AWS-KMS",
    "multiRegion": true,
    "replicaKeys": [
      {
        "arn": "arn:aws:kms:us-east-2:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
        "region": "us-east-2"
      }
    ]
  }
]

Registers an AWS-KMS key for the specific tenant

manage

Facts POST /v1/encryption/keyproviders

Rate limit
required
Tier 2 (100 requests per minute)

Header Parameters POST /v1/encryption/keyproviders

Authorization
required
string

The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema.

Request Body POST /v1/encryption/keyproviders

application/json

No description

Responses POST /v1/encryption/keyproviders

201
application/json

Successfully registered the AWS-KMS key

400
application/json

Bad Request

401
application/json

Unauthorized, Invalid JWT

403
application/json

Provided AWS-KMS key access forbidden. Check if key policy allows access from Qlik Cloud.

406
application/json

Failed to register key

408
application/json

Failed to return a response within the timeout window. The key provider (QlikVault, AWS-KMS) might be unavailable.

409
application/json

The specified key is already registered

417
application/json

Failed to validate AWS-KMS ARN structure

POST/v1/encryption/keyproviders

curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders" \
 -X POST \
 -H "Authorization: Bearer <API-key>" \
 -H "Content-type: application/json" \
 -d '{"arn":"arn:aws:kms:us-east-1:857519135519:key/ee358547-5716-4e66-9524-1618716e221a","qcg":false,"name":"test name","current":false,"description":"test description","keyprovider":"AWS-KMS","multiRegion":true,"replicaKeys":[{"arn":"arn:aws:kms:us-east-2:857519135519:key/ee358547-5716-4e66-9524-1618716e221a","region":"us-east-2"}]}'

Request POST /v1/encryption/keyproviders

{
  "arn": "arn:aws:kms:us-east-1:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
  "qcg": false,
  "name": "test name",
  "current": false,
  "description": "test description",
  "keyprovider": "AWS-KMS",
  "multiRegion": true,
  "replicaKeys": [
    {
      "arn": "arn:aws:kms:us-east-2:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
      "region": "us-east-2"
    }
  ]
}

Response POST /v1/encryption/keyproviders

{
  "arn": "arn:aws:kms:us-east-1:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
  "qcg": false,
  "name": "test name",
  "current": false,
  "description": "test description",
  "keyprovider": "AWS-KMS",
  "multiRegion": true,
  "replicaKeys": [
    {
      "arn": "arn:aws:kms:us-east-2:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
      "region": "us-east-2"
    }
  ]
}

Retrieves key for a given fingerprint

manage

Facts GET /v1/encryption/keyproviders/{arnFingerPrint}

Rate limit
required
Tier 1 (1000 requests per minute)

Header Parameters GET /v1/encryption/keyproviders/{arnFingerPrint}

Authorization
required
string

The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema.

Path Parameters GET /v1/encryption/keyproviders/{arnFingerPrint}

arnFingerPrint
required
string

The fingerprint of the requested provider key.

Responses GET /v1/encryption/keyproviders/{arnFingerPrint}

200
application/json

Successfully fetched key provider information

400
application/json

Bad Request

404
application/json

No entry match for the fingerprint was found

414
application/json

Requested fingerprint length is too large

GET/v1/encryption/keyproviders/{arnFingerPrint}

curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/{arnFingerPrint}" \
 -H "Authorization: Bearer <API-key>"

Response GET /v1/encryption/keyproviders/{arnFingerPrint}

{
  "arn": "arn:aws:kms:us-east-1:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
  "qcg": false,
  "name": "test name",
  "current": false,
  "description": "test description",
  "keyprovider": "AWS-KMS",
  "multiRegion": true,
  "replicaKeys": [
    {
      "arn": "arn:aws:kms:us-east-2:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
      "region": "us-east-2"
    }
  ]
}

Patches Name & Description of keyprovider information

manage

Facts PATCH /v1/encryption/keyproviders/{arnFingerPrint}

Rate limit
required
Tier 2 (100 requests per minute)

Header Parameters PATCH /v1/encryption/keyproviders/{arnFingerPrint}

Authorization
required
string

The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema.

Path Parameters PATCH /v1/encryption/keyproviders/{arnFingerPrint}

arnFingerPrint
required
string

The fingerprint of an existing keyprovider key.

Request Body PATCH /v1/encryption/keyproviders/{arnFingerPrint}

application/json

No description

Responses PATCH /v1/encryption/keyproviders/{arnFingerPrint}

204
object

Successfully patched key provider information

400
application/json

Failed to decode key provider patch request payload

401
application/json

Unauthorized, Invalid JWT

404
application/json

No entry match for the fingerprint was found

417
application/json

Failed to patch key provider information

PATCH/v1/encryption/keyproviders/{arnFingerPrint}

curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/{arnFingerPrint}" \
 -X PATCH \
 -H "Authorization: Bearer <API-key>" \
 -H "Content-type: application/json" \
 -d '{"op":"replace","path":"string","value":"string"}'

Request PATCH /v1/encryption/keyproviders/{arnFingerPrint}

{
  "op": "replace",
  "path": "string",
  "value": "string"
}

Deletes the key information

manage

Facts DELETE /v1/encryption/keyproviders/{arnFingerPrint}

Rate limit
required
Tier 2 (100 requests per minute)

Header Parameters DELETE /v1/encryption/keyproviders/{arnFingerPrint}

Authorization
required
string

The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema.

Path Parameters DELETE /v1/encryption/keyproviders/{arnFingerPrint}

arnFingerPrint
required
string

The fingerprint of the requested provider key.

Responses DELETE /v1/encryption/keyproviders/{arnFingerPrint}

204

Successfully deleted key

400
application/json

Bad Request

404
application/json

No entry match for the fingerprint was found

417
application/json

Failed to delete keyprovider information

424
application/json

The requested key is being used and cannot be deleted

DELETE/v1/encryption/keyproviders/{arnFingerPrint}

curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/{arnFingerPrint}" \
 -X DELETE \
 -H "Authorization: Bearer <API-key>"

Response DELETE /v1/encryption/keyproviders/{arnFingerPrint}

{
  "message": "Keyprovider metadata deleted successfully"
}

Migrates existing cipherkeys from current key provider to requested key provider.

manage

Facts POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/migrate

Rate limit
required
Tier 2 (100 requests per minute)

Header Parameters POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/migrate

Authorization
required
string

The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema.

Path Parameters POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/migrate

arnFingerPrint
required
string

The fingerprint of an existing key provider key.

Responses POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/migrate

200
application/json

Successfully initiated cipherkeys migration

400
application/json

Bad Request

401
application/json

Unauthorized, Invalid JWT

404
application/json

No entry match for the fingerprint was found

412
application/json

Failed to initiate migration

424
application/json

Failed to prepare migration

428
application/json

There is already an ongoing migration for the tenant

POST/v1/encryption/keyproviders/{arnFingerPrint}/actions/migrate

curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/{arnFingerPrint}/actions/migrate" \
 -X POST \
 -H "Authorization: Bearer <API-key>"

Response POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/migrate

{
  "id": "string",
  "state": "New",
  "progress": 0,
  "tenantId": "string",
  "completedAt": "2023-11-29T00:09:24.599Z",
  "initiatedAt": "2023-11-29T00:09:24.599Z",
  "migratingTo": "string",
  "migratingFrom": "string",
  "migratingToPrefix": "string",
  "migratingToFingerprint": "string"
}

Validates AWS-KMS key access and usage

manage

Facts POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/test

Rate limit
required
Tier 2 (100 requests per minute)

Header Parameters POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/test

Authorization
required
string

The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema.

Path Parameters POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/test

arnFingerPrint
required
string

The fingerprint of an existing keyprovider key.

Responses POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/test

201
application/json

Successfully validated key

400
application/json

Bad Request

401
application/json

Unauthorized, Invalid JWT

404
application/json

No entry match for the fingerprint was found

408
application/json

Failed to return a response within the timeout window. The key provider (QlikVault, AWS-KMS) might be unavailable.

POST/v1/encryption/keyproviders/{arnFingerPrint}/actions/test

curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/{arnFingerPrint}/actions/test" \
 -X POST \
 -H "Authorization: Bearer <API-key>"

Response POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/test

{
  "arn": "arn:aws:kms:us-east-1:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
  "qcg": false,
  "name": "test name",
  "current": false,
  "description": "test description",
  "keyprovider": "AWS-KMS",
  "multiRegion": true,
  "replicaKeys": [
    {
      "arn": "arn:aws:kms:us-east-2:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
      "region": "us-east-2"
    }
  ]
}

Lists keyproviders registered for the tenant [Qlik, AWS-KMS]

manage

Facts GET /v1/encryption/keyproviders/actions/list

Rate limit
required
Tier 1 (1000 requests per minute)

Header Parameters GET /v1/encryption/keyproviders/actions/list

Authorization
required
string

The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema.

Responses GET /v1/encryption/keyproviders/actions/list

200
application/json

Successfully retrieved list of key providers

400
application/json

Bad Request

417
application/json

Failed to load key providers from the registry

GET/v1/encryption/keyproviders/actions/list

curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/actions/list" \
 -H "Authorization: Bearer <API-key>"

Response GET /v1/encryption/keyproviders/actions/list

[
  {
    "arn": "#QLIK_MANAGED_KEY_PROVIDER#",
    "qcg": false,
    "name": "Qlik Internal Kms",
    "tenantId": "ImTRa-bkJTD-NZRYjNBa_rDhwSVA6Qo8",
    "createdAt": "Qlik managed",
    "description": "Default key management service",
    "keyprovider": "Qlik",
    "multiRegion": false,
    "replicaKeys": [],
    "arnFingerPrint": "ImTRa-bkJTD-NZRYjNBa_rDhwSVA6Qo8",
    "promotedToCurrentAt": "2023-06-21T18:45:57Z",
    "demotedFromCurrentAt": "0001-01-01T00:00:00Z"
  },
  {
    "arn": "arn:aws:kms:us-east-1:857519135519:key/e4e84fc7-7817-4121-b927-9d1d4ef03f1d",
    "qcg": false,
    "name": "CMK - 01",
    "tenantId": "ImTRa-bkJTD-NZRYjNBa_rDhwSVA6Qo8",
    "createdAt": "2023-06-21T18:43:49Z",
    "keyprovider": "AWS-KMS",
    "multiRegion": true,
    "replicaKeys": [
      {
        "arn": "arn:aws:kms:us-east-2:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
        "region": "us-east-2"
      }
    ],
    "arnFingerPrint": "9f352c5a9c1618485051892cb57467e4",
    "promotedToCurrentAt": "2023-06-21T18:43:54Z",
    "demotedFromCurrentAt": "2023-06-21T18:45:57Z"
  },
  {
    "arn": "arn:aws:kms:us-east-1:857519135519:key/b6a2a74c-fb34-464a-8ea6-d867fd3b9438",
    "qcg": false,
    "name": "CMK - 02",
    "current": true,
    "tenantId": "ImTRa-bkJTD-NZRYjNBa_rDhwSVA6Qo8",
    "createdAt": "2023-06-21T18:59:17Z",
    "description": "CMK migration test",
    "keyprovider": "AWS-KMS",
    "multiRegion": true,
    "replicaKeys": [
      {
        "arn": "arn:aws:kms:us-east-2:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
        "region": "us-east-2"
      }
    ],
    "arnFingerPrint": "b5fe2c83b25f9e39487bca28f69e4210",
    "promotedToCurrentAt": "2023-06-21T18:59:18Z",
    "demotedFromCurrentAt": "0001-01-01T00:00:00Z"
  }
]

Resets tenant key provider to Qlik managed provider

manage

Facts POST /v1/encryption/keyproviders/actions/reset-to-default-provider

Rate limit
required
Tier 2 (100 requests per minute)

Header Parameters POST /v1/encryption/keyproviders/actions/reset-to-default-provider

Authorization
required
string

The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema.

Responses POST /v1/encryption/keyproviders/actions/reset-to-default-provider

205
application/json

Successfully initiated key migration to Qlik managed provider

401
application/json

Unauthorized, Invalid JWT

406
application/json

There is already an ongoing migration in progress for the tenant

412
application/json

Failed to initiate migration to Qlik managed provider

424
application/json

Tenant is already using Qlik Managed provider

POST/v1/encryption/keyproviders/actions/reset-to-default-provider

curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/actions/reset-to-default-provider" \
 -X POST \
 -H "Authorization: Bearer <API-key>"

Response POST /v1/encryption/keyproviders/actions/reset-to-default-provider

{
  "id": "string",
  "state": "New",
  "progress": 0,
  "tenantId": "string",
  "completedAt": "2023-11-29T00:09:24.599Z",
  "initiatedAt": "2023-11-29T00:09:24.599Z",
  "migratingTo": "string",
  "migratingFrom": "string",
  "migratingToPrefix": "string",
  "migratingToFingerprint": "string"
}

Gets ongoing migration details

manage

Facts GET /v1/encryption/keyproviders/migration/actions/details

Rate limit
required
Tier 1 (1000 requests per minute)

Header Parameters GET /v1/encryption/keyproviders/migration/actions/details

Authorization
required
string

The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema.

Responses GET /v1/encryption/keyproviders/migration/actions/details

200
application/json

Successfully fetched migration information

400
application/json

Bad Request

401
application/json

Unauthorized, Invalid JWT

404
application/json

There is no ongoing migration for this tenant

417
application/json

Failed to get ongoing migration information

GET/v1/encryption/keyproviders/migration/actions/details

curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/migration/actions/details" \
 -H "Authorization: Bearer <API-key>"

Response GET /v1/encryption/keyproviders/migration/actions/details

{
  "id": "string",
  "state": "New",
  "progress": 0,
  "tenantId": "string",
  "completedAt": "2023-11-29T00:09:24.599Z",
  "initiatedAt": "2023-11-29T00:09:24.599Z",
  "migratingTo": "string",
  "migratingFrom": "string",
  "migratingToPrefix": "string",
  "migratingToFingerprint": "string"
}

KeyProvider

object

Properties

arn
required
PII data
string

The provider resource notation for the key.

name
required
string

Name of key provider entry.

current
boolean

Indicates whether the key is being used to encrypt/decrypt secrets.

tenantId
string

Tenant ID.

createdAt
string<date-time>

When key entry was created.

description
string

Description of key provider entry.

keyProvider
string

Key Provider type.

Enum:

AWS-KMS

multiRegion
boolean

Indicates whether the key has multi-region configurations and has replica key in qcs secondary region.

replicaKeys

No description

arnFingerPrint
string

The ARN fingerprint.

promotedToCurrentAt
string<date-time>

When the key was promoted to being the current active one.

demotedFromCurrentAt
string<date-time>

When the key was demoted from being current to non active.

KeyProviderPatchBase

object

A JSON Patch document as defined in https://datatracker.ietf.org/doc/html/rfc6902.

Properties

op
required
string

The operation to be performed.

Enum:

replace

path
required
string

The property path.

value
required
string

The value to be used for this operation.

KeyProviderPatchSchema

Array<KeyProviderPatchBase>

Properties

op
required
string

The operation to be performed.

Enum:

replace

path
required
string

The property path.

value
required
string

The value to be used for this operation.

KeyProviders

object

Properties

errors

No description

KeyProvidersDeleteResponseBody

object

Properties

response
string<text>

Successful response message.

ListKeyProviders

object

Properties

errors

No description

MigrationInformation

object

Properties

id
string<uid>

Migration operation ID.

state
string

Migration operation state.

Enum:

New

InProgress

Completed

progress
number

Progress in percentage.

tenantId
string<uid>

Tenant ID.

completedAt
string<date-time>

No description

initiatedAt
string<date-time>

No description

migratingTo
PII data
string

The new key ARN that keys should be migrated to.

migratingFrom
PII data
string

The key ARN being migrated from (in case of QlikVault, could be a short name only).

migratingToPrefix
string

The new key prefix (to help services know which prefix should NOT be migrated).

migratingToFingerprint
string

The new key ARN fingerprint.

StandardError

object

Properties

errors
required

No description

StandardErrorItem

object

Properties

code
required
string

The error code.

meta
object

Additional error object metadata.

title
required
string

Description of the error.

detail
string

Extra information about the error.

v0.879.8
Was this page helpful?