Encryption
Endpoints
GET | /v1/encryption/keyproviders |
POST | /v1/encryption/keyproviders |
GET | /v1/encryption/keyproviders/{arnFingerPrint} |
PATCH | /v1/encryption/keyproviders/{arnFingerPrint} |
DELETE | /v1/encryption/keyproviders/{arnFingerPrint} |
POST | /v1/encryption/keyproviders/{arnFingerPrint}/actions/migrate |
POST | /v1/encryption/keyproviders/{arnFingerPrint}/actions/test |
GET | /v1/encryption/keyproviders/actions/list |
POST | /v1/encryption/keyproviders/actions/reset-to-default-provider |
GET | /v1/encryption/keyproviders/migration/actions/details |
Lists keyproviders registered for the tenant
Facts GET /v1/encryption/keyproviders
Rate limit required | Tier 1 (1000 requests per minute) |
Header Parameters GET /v1/encryption/keyproviders
Authorization required string | The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema. |
Responses GET /v1/encryption/keyproviders
200 application/json | Successfully retrieved list of key providers |
400 application/json | Bad Request |
417 application/json | Failed to load key providers from the registry |
GET /v1/encryption/keyproviders
curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders" \
-H "Authorization: Bearer <API-key>"
Response GET /v1/encryption/keyproviders
[
{
"arn": "arn:aws:kms:us-east-1:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
"qcg": false,
"name": "test name",
"current": true,
"description": "test description",
"keyprovider": "AWS-KMS",
"multiRegion": true,
"replicaKeys": [
{
"arn": "arn:aws:kms:us-east-2:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
"region": "us-east-2"
}
]
}
]
Registers an AWS-KMS key for the specific tenant
Facts POST /v1/encryption/keyproviders
Rate limit required | Tier 2 (100 requests per minute) |
Header Parameters POST /v1/encryption/keyproviders
Authorization required string | The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema. |
Request Body POST /v1/encryption/keyproviders
application/json | No description |
Responses POST /v1/encryption/keyproviders
201 application/json | Successfully registered the AWS-KMS key |
400 application/json | Bad Request |
401 application/json | Unauthorized, Invalid JWT |
403 application/json | Provided AWS-KMS key access forbidden. Check if key policy allows access from Qlik Cloud. |
406 application/json | Failed to register key |
408 application/json | Failed to return a response within the timeout window. The key provider (QlikVault, AWS-KMS) might be unavailable. |
409 application/json | The specified key is already registered |
417 application/json | Failed to validate AWS-KMS ARN structure |
POST /v1/encryption/keyproviders
curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders" \
-X POST \
-H "Authorization: Bearer <API-key>" \
-H "Content-type: application/json" \
-d '{"arn":"arn:aws:kms:us-east-1:857519135519:key/ee358547-5716-4e66-9524-1618716e221a","qcg":false,"name":"test name","current":false,"description":"test description","keyprovider":"AWS-KMS","multiRegion":true,"replicaKeys":[{"arn":"arn:aws:kms:us-east-2:857519135519:key/ee358547-5716-4e66-9524-1618716e221a","region":"us-east-2"}]}'
Request POST /v1/encryption/keyproviders
{
"arn": "arn:aws:kms:us-east-1:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
"qcg": false,
"name": "test name",
"current": false,
"description": "test description",
"keyprovider": "AWS-KMS",
"multiRegion": true,
"replicaKeys": [
{
"arn": "arn:aws:kms:us-east-2:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
"region": "us-east-2"
}
]
}
Response POST /v1/encryption/keyproviders
{
"arn": "arn:aws:kms:us-east-1:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
"qcg": false,
"name": "test name",
"current": false,
"description": "test description",
"keyprovider": "AWS-KMS",
"multiRegion": true,
"replicaKeys": [
{
"arn": "arn:aws:kms:us-east-2:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
"region": "us-east-2"
}
]
}
Retrieves key for a given fingerprint
Facts GET /v1/encryption/keyproviders/{arnFingerPrint}
Rate limit required | Tier 1 (1000 requests per minute) |
Header Parameters GET /v1/encryption/keyproviders/{arnFingerPrint}
Authorization required string | The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema. |
Path Parameters GET /v1/encryption/keyproviders/{arnFingerPrint}
arnFingerPrint required string | The fingerprint of the requested provider key. |
Responses GET /v1/encryption/keyproviders/{arnFingerPrint}
200 application/json | Successfully fetched key provider information |
400 application/json | Bad Request |
404 application/json | No entry match for the fingerprint was found |
414 application/json | Requested fingerprint length is too large |
GET /v1/encryption/keyproviders/{arnFingerPrint}
curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/{arnFingerPrint}" \
-H "Authorization: Bearer <API-key>"
Response GET /v1/encryption/keyproviders/{arnFingerPrint}
{
"arn": "arn:aws:kms:us-east-1:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
"qcg": false,
"name": "test name",
"current": false,
"description": "test description",
"keyprovider": "AWS-KMS",
"multiRegion": true,
"replicaKeys": [
{
"arn": "arn:aws:kms:us-east-2:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
"region": "us-east-2"
}
]
}
Patches Name & Description of keyprovider information
Facts PATCH /v1/encryption/keyproviders/{arnFingerPrint}
Rate limit required | Tier 2 (100 requests per minute) |
Header Parameters PATCH /v1/encryption/keyproviders/{arnFingerPrint}
Authorization required string | The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema. |
Path Parameters PATCH /v1/encryption/keyproviders/{arnFingerPrint}
arnFingerPrint required string | The fingerprint of an existing keyprovider key. |
Request Body PATCH /v1/encryption/keyproviders/{arnFingerPrint}
application/json | No description |
Responses PATCH /v1/encryption/keyproviders/{arnFingerPrint}
204 object | Successfully patched key provider information |
400 application/json | Failed to decode key provider patch request payload |
401 application/json | Unauthorized, Invalid JWT |
404 application/json | No entry match for the fingerprint was found |
417 application/json | Failed to patch key provider information |
PATCH /v1/encryption/keyproviders/{arnFingerPrint}
curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/{arnFingerPrint}" \
-X PATCH \
-H "Authorization: Bearer <API-key>" \
-H "Content-type: application/json" \
-d '{"op":"replace","path":"string","value":"string"}'
Request PATCH /v1/encryption/keyproviders/{arnFingerPrint}
{
"op": "replace",
"path": "string",
"value": "string"
}
Deletes the key information
Facts DELETE /v1/encryption/keyproviders/{arnFingerPrint}
Rate limit required | Tier 2 (100 requests per minute) |
Header Parameters DELETE /v1/encryption/keyproviders/{arnFingerPrint}
Authorization required string | The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema. |
Path Parameters DELETE /v1/encryption/keyproviders/{arnFingerPrint}
arnFingerPrint required string | The fingerprint of the requested provider key. |
Responses DELETE /v1/encryption/keyproviders/{arnFingerPrint}
204 application/json | Successfully deleted key |
400 application/json | Bad Request |
404 application/json | No entry match for the fingerprint was found |
417 application/json | Failed to delete keyprovider information |
424 application/json | The requested key is being used and cannot be deleted |
DELETE /v1/encryption/keyproviders/{arnFingerPrint}
curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/{arnFingerPrint}" \
-X DELETE \
-H "Authorization: Bearer <API-key>"
Response DELETE /v1/encryption/keyproviders/{arnFingerPrint}
{
"message": "Keyprovider metadata deleted successfully"
}
Migrates existing cipherkeys from current key provider to requested key provider.
Facts POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/migrate
Rate limit required | Tier 2 (100 requests per minute) |
Header Parameters POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/migrate
Authorization required string | The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema. |
Path Parameters POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/migrate
arnFingerPrint required string | The fingerprint of an existing key provider key. |
Responses POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/migrate
200 application/json | Successfully initiated cipherkeys migration |
400 application/json | Bad Request |
401 application/json | Unauthorized, Invalid JWT |
404 application/json | No entry match for the fingerprint was found |
412 application/json | Failed to initiate migration |
424 application/json | Failed to prepare migration |
428 application/json | There is already an ongoing migration for the tenant |
POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/migrate
curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/{arnFingerPrint}/actions/migrate" \
-X POST \
-H "Authorization: Bearer <API-key>"
Response POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/migrate
{
"id": "string",
"state": "New",
"progress": 0,
"tenantId": "string",
"completedAt": "2023-11-29T00:09:24.599Z",
"initiatedAt": "2023-11-29T00:09:24.599Z",
"migratingTo": "string",
"migratingFrom": "string",
"migratingToPrefix": "string",
"migratingToFingerprint": "string"
}
Validates AWS-KMS key access and usage
Facts POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/test
Rate limit required | Tier 2 (100 requests per minute) |
Header Parameters POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/test
Authorization required string | The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema. |
Path Parameters POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/test
arnFingerPrint required string | The fingerprint of an existing keyprovider key. |
Responses POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/test
201 application/json | Successfully validated key |
400 application/json | Bad Request |
401 application/json | Unauthorized, Invalid JWT |
404 application/json | No entry match for the fingerprint was found |
408 application/json | Failed to return a response within the timeout window. The key provider (QlikVault, AWS-KMS) might be unavailable. |
POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/test
curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/{arnFingerPrint}/actions/test" \
-X POST \
-H "Authorization: Bearer <API-key>"
Response POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/test
{
"arn": "arn:aws:kms:us-east-1:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
"qcg": false,
"name": "test name",
"current": false,
"description": "test description",
"keyprovider": "AWS-KMS",
"multiRegion": true,
"replicaKeys": [
{
"arn": "arn:aws:kms:us-east-2:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
"region": "us-east-2"
}
]
}
Lists keyproviders registered for the tenant [Qlik, AWS-KMS]
Facts GET /v1/encryption/keyproviders/actions/list
Rate limit required | Tier 1 (1000 requests per minute) |
Header Parameters GET /v1/encryption/keyproviders/actions/list
Authorization required string | The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema. |
Responses GET /v1/encryption/keyproviders/actions/list
200 application/json | Successfully retrieved list of key providers |
400 application/json | Bad Request |
417 application/json | Failed to load key providers from the registry |
GET /v1/encryption/keyproviders/actions/list
curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/actions/list" \
-H "Authorization: Bearer <API-key>"
Response GET /v1/encryption/keyproviders/actions/list
[
{
"arn": "#QLIK_MANAGED_KEY_PROVIDER#",
"qcg": false,
"name": "Qlik Internal Kms",
"tenantId": "ImTRa-bkJTD-NZRYjNBa_rDhwSVA6Qo8",
"createdAt": "Qlik managed",
"description": "Default key management service",
"keyprovider": "Qlik",
"multiRegion": false,
"replicaKeys": [],
"arnFingerPrint": "ImTRa-bkJTD-NZRYjNBa_rDhwSVA6Qo8",
"promotedToCurrentAt": "2023-06-21T18:45:57Z",
"demotedFromCurrentAt": "0001-01-01T00:00:00Z"
},
{
"arn": "arn:aws:kms:us-east-1:857519135519:key/e4e84fc7-7817-4121-b927-9d1d4ef03f1d",
"qcg": false,
"name": "CMK - 01",
"tenantId": "ImTRa-bkJTD-NZRYjNBa_rDhwSVA6Qo8",
"createdAt": "2023-06-21T18:43:49Z",
"keyprovider": "AWS-KMS",
"multiRegion": true,
"replicaKeys": [
{
"arn": "arn:aws:kms:us-east-2:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
"region": "us-east-2"
}
],
"arnFingerPrint": "9f352c5a9c1618485051892cb57467e4",
"promotedToCurrentAt": "2023-06-21T18:43:54Z",
"demotedFromCurrentAt": "2023-06-21T18:45:57Z"
},
{
"arn": "arn:aws:kms:us-east-1:857519135519:key/b6a2a74c-fb34-464a-8ea6-d867fd3b9438",
"qcg": false,
"name": "CMK - 02",
"current": true,
"tenantId": "ImTRa-bkJTD-NZRYjNBa_rDhwSVA6Qo8",
"createdAt": "2023-06-21T18:59:17Z",
"description": "CMK migration test",
"keyprovider": "AWS-KMS",
"multiRegion": true,
"replicaKeys": [
{
"arn": "arn:aws:kms:us-east-2:857519135519:key/ee358547-5716-4e66-9524-1618716e221a",
"region": "us-east-2"
}
],
"arnFingerPrint": "b5fe2c83b25f9e39487bca28f69e4210",
"promotedToCurrentAt": "2023-06-21T18:59:18Z",
"demotedFromCurrentAt": "0001-01-01T00:00:00Z"
}
]
Resets tenant key provider to Qlik managed provider
Facts POST /v1/encryption/keyproviders/actions/reset-to-default-provider
Rate limit required | Tier 2 (100 requests per minute) |
Header Parameters POST /v1/encryption/keyproviders/actions/reset-to-default-provider
Authorization required string | The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema. |
Responses POST /v1/encryption/keyproviders/actions/reset-to-default-provider
205 application/json | Successfully initiated key migration to Qlik managed provider |
401 application/json | Unauthorized, Invalid JWT |
406 application/json | There is already an ongoing migration in progress for the tenant |
412 application/json | Failed to initiate migration to Qlik managed provider |
424 application/json | Tenant is already using Qlik Managed provider |
POST /v1/encryption/keyproviders/actions/reset-to-default-provider
curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/actions/reset-to-default-provider" \
-X POST \
-H "Authorization: Bearer <API-key>"
Response POST /v1/encryption/keyproviders/actions/reset-to-default-provider
{
"id": "string",
"state": "New",
"progress": 0,
"tenantId": "string",
"completedAt": "2023-11-29T00:09:24.599Z",
"initiatedAt": "2023-11-29T00:09:24.599Z",
"migratingTo": "string",
"migratingFrom": "string",
"migratingToPrefix": "string",
"migratingToFingerprint": "string"
}
Gets ongoing migration details
Facts GET /v1/encryption/keyproviders/migration/actions/details
Rate limit required | Tier 1 (1000 requests per minute) |
Header Parameters GET /v1/encryption/keyproviders/migration/actions/details
Authorization required string | The JWT used for authentication. Send the JWT in the AuthRequest header using the Bearer schema. |
Responses GET /v1/encryption/keyproviders/migration/actions/details
200 application/json | Successfully fetched migration information |
400 application/json | Bad Request |
401 application/json | Unauthorized, Invalid JWT |
404 application/json | There is no ongoing migration for this tenant |
417 application/json | Failed to get ongoing migration information |
GET /v1/encryption/keyproviders/migration/actions/details
curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/migration/actions/details" \
-H "Authorization: Bearer <API-key>"
Response GET /v1/encryption/keyproviders/migration/actions/details
{
"id": "string",
"state": "New",
"progress": 0,
"tenantId": "string",
"completedAt": "2023-11-29T00:09:24.599Z",
"initiatedAt": "2023-11-29T00:09:24.599Z",
"migratingTo": "string",
"migratingFrom": "string",
"migratingToPrefix": "string",
"migratingToFingerprint": "string"
}
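A guarded run of the test, migrate and migration-details calls documented above, added here as an example and not taken from Qlik's own code. The `call(method, path)` transport, `migrate_to_key`, `MigrationError` and the polling parameters are hypothetical names; treating a 404 from the details endpoint as "finished" and expecting `current: true` on the target key afterwards are assumptions.

```python
import time

BASE = "/v1/encryption/keyproviders"
# Status meanings taken from the response tables on this page (408 shortened).
TEST_ERRORS = {400: "Bad Request", 401: "Unauthorized, Invalid JWT",
               404: "No entry match for the fingerprint was found",
               408: "Key provider did not respond within the timeout window"}
MIGRATE_ERRORS = {400: "Bad Request", 401: "Unauthorized, Invalid JWT",
                  404: "No entry match for the fingerprint was found",
                  412: "Failed to initiate migration",
                  424: "Failed to prepare migration",
                  428: "There is already an ongoing migration for the tenant"}


class MigrationError(Exception):
    """Raised when any step of the guarded migration fails."""


def _expect(status, wanted, step, reasons=None):
    """Raise MigrationError unless the HTTP status is the documented success code."""
    if status != wanted:
        reason = (reasons or {}).get(status, "unexpected status")
        raise MigrationError(f"{step}: HTTP {status} ({reason})")


def migrate_to_key(call, fingerprint, poll_seconds=5.0, max_polls=120, sleep=time.sleep):
    """call(method, path) is a hypothetical transport returning (status, json_body)."""
    status, _ = call("POST", f"{BASE}/{fingerprint}/actions/test")
    _expect(status, 201, "key test", TEST_ERRORS)  # never migrate to an unusable key

    status, info = call("POST", f"{BASE}/{fingerprint}/actions/migrate")
    _expect(status, 200, "start migration", MIGRATE_ERRORS)
    migration_id, polls = info["id"], 0

    while info["state"] != "Completed":
        if polls == max_polls:
            raise MigrationError("migration did not complete within the polling budget")
        polls += 1
        sleep(poll_seconds)
        status, body = call("GET", f"{BASE}/migration/actions/details")
        if status == 404:  # assumption: no ongoing migration means this run finished
            break
        _expect(status, 200, "poll migration")
        if body["id"] != migration_id:
            raise MigrationError("a different migration is running for this tenant")
        info = body

    # Assumption: a finished migration leaves the target key with current=true.
    status, key = call("GET", f"{BASE}/{fingerprint}")
    _expect(status, 200, "read key provider")
    if key.get("current") is not True:
        raise MigrationError("target key is not marked current after migration")
    return key
```

At the default 5-second interval the polling stays far below the Tier 1 limit listed for the details endpoint.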
KeyProvider
object
Properties
arn required PII data string | The provider resource notation for the key. |
name required string | Name of key provider entry. |
current boolean | Indicates whether the key is being used to encrypt/decrypt secrets. |
tenantId string | Tenant ID. |
createdAt string<date-time> | When key entry was created. |
description string | Description of key provider entry. |
keyProvider string | Key Provider type. Enum: AWS-KMS |
multiRegion boolean | Indicates whether the key has multi-region configurations and has replica key in qcs secondary region. |
replicaKeys | No description |
arnFingerPrint string | The ARN fingerprint. |
promotedToCurrentAt string<date-time> | When the key was promoted to being the current active one. |
demotedFromCurrentAt string<date-time> | When the key was demoted from being current to non active. |
KeyProviderPatchBase
object
A JSON Patch document as defined in https://datatracker.ietf.org/doc/html/rfc6902.
Properties
op required string | The operation to be performed. Enum: replace |
path required string | The property path. |
value required string | The value to be used for this operation. |
KeyProviderPatchSchema
Array<KeyProviderPatchBase>
Properties
op required string | The operation to be performed. Enum: replace |
path required string | The property path. |
value required string | The value to be used for this operation. |
KeyProviders
object
Properties
errors | No description |
KeyProvidersDeleteResponseBody
object
Properties
response string<text> | Successful response message. |
ListKeyProviders
object
Properties
errors | No description |
MigrationInformation
object
Properties
id string<uid> | Migration operation ID. |
state string | Migration operation state. Enum: New InProgress Completed |
progress number | Progress in percentage. |
tenantId string<uid> | Tenant ID. |
completedAt string<date-time> | No description |
initiatedAt string<date-time> | No description |
migratingTo PII data string | The new key ARN that keys should be migrated to. |
migratingFrom PII data string | The key ARN being migrated from (in case of QlikVault, could be a short name only). |
migratingToPrefix string | The new key prefix (to help services know which prefix should NOT be migrated). |
migratingToFingerprint string | The new key ARN fingerprint. |
StandardError
object
Properties
errors required | No description |
StandardErrorItem
object
Properties
code required string | The error code. |
meta object | Additional error object metadata. |
title required string | Description of the error. |
detail string | Extra information about the error. |