Using the APIs
This guide provides an introduction to using the Thales Data Protection on Demand APIs. It provides guidelines for authenticating and example commands for common DPoD API requests. DPoD provides multiple APIs, refer to the appropriate DPoD API for more information about available endpoints, parameters and requests.
Authorization
All DPoD API requests require a JSON Web Token (JWT) for authorization. DPoD Credentials are used to Generate a JWT. The JWT is required for authenticating requests over the API.
Credentials
Platform or service credentials are a clientId
and clientSecret
generated through the DPoD user interface. Endpoint availability is limited to the scope of your credentials. Refer to the Security section of the Data Protection on Demand DPoD public API for more information.
Platform credentials are generated through the DPoD user interface. Platform credentials allow:
- Service Provider Administrators to access and manage tenants, users, and reports.
- Tenant Administrators and Application Owners to manage Luna Cloud HSM Services, Luna Cloud HSM Service Clients, service credentials, and subscriber groups.
Generating Platform Credentials
Generate a set of platform credentials for authenticating to the DPoD API.
Select the Credentials tab and click on Create Platform Credentials. The Generate Platform Credentials window displays.
On the Review Permissions page, verify the entitlements for the credentials you are about to create, and enter a name in the Credentials Name field. Click Next.
On the Summary page, click the Copy to Clipboard icon and paste the Client Secret in a .txt file. Click Close.
Copy and save your Client Secret in a secure location. DPoD does not maintain a record or copy of the Client Secret. Treat your copy of the Client Secret with all the precautions you would normally take to protect a password. You can reset the platform credentials client secret in the Credentials Table.
Resetting/Deleting Platform Credentials
Reset the platform credentials client secret or delete the platform credentials set through the Credentials Table.
Select the Credentials tab and scroll down to the Credentials Table. In the Credentials Table, identify the platform credential you would like to manage and open the drop-down menu in the Actions column. From this menu you can:
- Reset Secret: Resets the Client Secret and provides the user with a new Client Secret.
- Delete: Deletes the credentials from DPoD, the credentials are no longer usable.
Copy and save your Client Secret in a secure location. DPoD does not maintain a record or copy of the Client Secret. Treat your copy of the Client Secret with all the precautions you would normally take to protect a password.
Service credentials are generated through the DPoD user interface. Service credentials allow Tenant Administrators, and Application Owners to access and consume services using the DPoD API.
Generating Service Credentials
For more information about the requests and endpoints listed here, please refer to the relevant use case based API documentation or download and refer to the API YAMLs.
Generate a set of platform credentials for authenticating to the DPoD API.
Select the Services tab and click on My Services. Identify the service that you would like to generate service credentials for and click on the services name in the Name column. Click the Credentials tab in the sub-menu.
Click on Create Service Credentials. The Generate Service Credentials window displays.
On the Review Permissions page, verify the entitlements for the credentials you are about to create, and enter a name in the Credentials Name field. Click Next.
On the Summary page, click the Copy to Clipboard icon and paste the Client Secret in a .txt file. Close the wizard.
Copy and save your Client Secret in a secure location. DPoD does not maintain a record or copy of the Client Secret. Treat your copy of the Client Secret with all the precautions you would normally take to protect a password.
Deleting Service Credentials
Select the Services tab and click on My Services. Click the Credentials sub-menu. In the Credentials Table, identify the service credential you would like to remove and click the Trash can icon in the Actions column.
Generate a JWT
To generate a JWT you authenticate to your tenant log in URL Oauth2 endpoint using the Credentials clientId
and clientSecret
. This endpoint implements an OAuth2 client credentials grant, returning a JWT in the response body. The JWT takes the format "access_token":"<bearer_access_token>"
. Insert the <bearer_access_token>
value into the "Authorization: Bearer <bearer_access_token>"
header when making requests to the API endpoint. The JWT expires after 1 hour. If the JWT expires, you need to generate a new JWT to continue executing commands over the API.
To determine your authentication domain, access your DPoD tenant log in screen and copy the URL. Remove /login
and append /oauth/token
.
Region | Authentication Domain |
---|---|
https://<tenant>.na.market.dpondemand.io/ | https://<tenant>.uaa.system.snakefly.dpsas.io/oauth/token |
https://<tenant>.eu.market.dpondemand.io/ | https://<tenant>.uaa.system.pegasus.dpsas.io/oauth/token |
URL Endpoint | /oauth/token |
Method | POST |
Content-Type | application/x-www-form-urlencoded |
Body | grant_type=client_credentials client_id=<insert_clientId> client_secret=<client_secret> |
Examples
curl -X POST https://<tenant>.uaa.system.snakefly.dpsas.io/oauth/token \
-H "Content-Type: application/x-www-form-urlencoded"
-d "grant_type=client_credentials&client_id=<insert_clientId>&client_secret=<insert_client_secret>"
curl -X POST https://<tenant>.uaa.system.pegasus.dpsas.io/oauth/token \
-H "Content-Type: application/x-www-form-urlencoded"
-d "grant_type=client_credentials&client_id=<insert_clientId>&client_secret=<insert_client_secret>"
curl -X POST https://<tenant>.uaa.system.snakefly.dpsas.io/oauth/token -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=client_credentials&client_id=<insert_clientId>&client_secret=<insert_client_secret>"
curl -X POST https://<tenant>.uaa.system.pegasus.dpsas.io/oauth/token -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=client_credentials&client_id=<insert_clientId>&client_secret=<insert_client_secret>"
The contents of the output "access_token":"<bearer_access_token>"
is your JWT. Insert the <bearer_access_token>
value into the "Authorization: Bearer <bearer_access_token>"
header to authenticate requests to the API endpoint.
Example requests
API requests are made to the tenant URL/hostname endpoint. Use the "<bearer_access_token>"
value, the output of Generating a JWT, in the "Authorization: Bearer <bearer_access_token>"
header to authenticate requests to the API endpoint.
List tile IDs
Query the tile list and return the available tiles for the tenant. The command returns the list of available tiles in the tenant. If there is a service you would like to use that is unavailable from the list of available tiles, contact your tenant administrator and request they enable the tile.
URL Endpoint | /v1/tiles |
Method | GET |
Authorization | Authorization: Bearer <bearer_access_token> |
Sample
curl -X GET https://<tenant>.<region>.market.dpondemand.io/v1/tiles \
-H "Authorization: Bearer $<bearer_access_token>"
curl -X GET https://<tenant>.<region>.market.dpondemand.io/v1/tiles -H "Authorization: Bearer <bearer_access_token>"
Output
{
"number":0,
"size":17,
"totalElements":17,
"totalPages":1,
"content":[
{
"id":"<tileId>",
"name":"<:tile_name>",
"description":"<tile_description>",
"shortCode":"<tile_shortcode>",
"enabled": true,
"serviceBrokerUrl": "serviceBrokerUrl",
"helpURL": "Link to help and documentation",
"categoryName": "Service Category",
"imageUrl":
}
]
}
Create service
Post a service request to deploy a service using the DPoD api. Use the <tileId>
output from List Tile IDs, to specify the type of service to be deployed. Alternatively, you can use the serviceType
field to identify the tile by its shortcode
.
URL Endpoint | /v1/service_instances |
Method | POST |
Authorization | Authorization: Bearer <bearer_access_token> |
Content_Type | application/json |
Body | You must provide the createParams , a name , the servicePlan , and a tileId or serviceType . tileId takes precedence over serviceType if both are provided.{ "createParams": {deviceType: "cryptovisor_fips"}, "name": "CyberArk Service", "servicePlan": "single_hsm", "tileId":"2d942df2-d189-45ae-a929-ef068b456af9", "serviceType": "cyberark_digital_vault" } |
Certain service types require additional parameters be provided in the request body. Refer to the DPoD APIs for additional details.
Sample
curl -X POST https://<tenant>.<region>.market.dpondemand.io/v1/service_instances \
-H "Authorization: Bearer $<bearer_access_token>" \
-H "Content-Type: application/json" \
-d '{
"createParams": {deviceType: "cryptovisor_fips"}
"name": "<provide_name_for_service>",
"servicePlan": "single_hsm"
"tileId": "<tileId>"
}'
curl -X POST https://<tenant>.<region>.market.dpondemand.io/v1/service_instances -H "Authorization: Bearer < bearer_access_token>" -H "Content-Type: application/json" -d '{"createParams": {deviceType: "cryptovisor_fips"}, "name": "<provide_name_for_service>", "servicePlan": "single_hsm", "tileId": "<tileId>"}'
List provisioned services
Query the /v1/service_instances
endpoint and return the quantity of existing services, the service id, the service name, and the service type.
You can query a specific service for its details. Maintain the same structure of the List provisioned services request, but add the <serviceId>
to the URL endpoint: /v1/service_instances/<serviceId>
.
URL Endpoint | /v1/service_instances |
Method | GET |
Authorization | Authorization: Bearer <bearer_access_token> |
Sample
curl -X GET https://<tenant>.<region>.market.dpondemand.io/v1/service_instances \
-H "Authorization: Bearer $<bearer_access_token>"
curl -X GET https://<tenant>.<region>.market.dpondemand.io/v1/service_instances -H "Authorization: Bearer <bearer_access_token>"
Generate service client
Generate a set of client bindings to an existing Luna Cloud HSM Service. The command returns a set of credentials which can be used to access the service. The returned AuthTokenClientID
and AuthTokenClientSecret
can be used by an application owner to access the service.
Generating a Luna Cloud HSM Service Client requires access to the relevant <service_id_string>
that you would like to generate the Luna Cloud HSM Service Client for. See List provisioned services for more information about acquiring the <service_id_string>
.
URL Endpoint | /v1/service_instances/{service_id}/bindings |
Method | PUT |
Authorization | Authorization: Bearer <bearer_access_token> |
Content-Type | application/json |
Body | Provide a name for the Luna Cloud HSM Service Client in the request body.{"name":"<service_client_name>"} |
Sample
curl -X PUT https://<tenant>.<region>.market.dpondemand.io/v1/service_instances/<serviceId>/bindings \
-H "Authorization: Bearer $<bearer_access_token>" \
-H "Content-Type: application/json" \
-d '{
"name":"<service_client_name>"
}' \
curl -X PUT https://<tenant>.<region>.market.dpondemand.io/v1/service_instances/<serviceId>/bindings -H "Authorization: Bearer < bearer_access_token>" -H "Content-Type: application/json" -d '{"name":"<service_client_name>"}'
Delete service
Delete a service from DPoD. Include the <serviceId>
in the path when executing operations on a specific service. See List provisioned services for more information about acquiring the <serviceId>
.
URL Endpoint | /v1/service_instances/{service_id} |
Method | PUT |
Authorization | Authorization: Bearer <bearer_access_token> |
Sample
curl -X DELETE https://<tenant>.<region>.market.dpondemand.io/v1/service_instances/<serviceId> \
-H "Authorization: Bearer $<bearer_access_token>"
curl -X DELETE https://<tenant>.<region>.market.dpondemand.io/v1/service_instances/<serviceId> -H "Authorization: Bearer <bearer_access_token>"