This section describes the Secrets Hub APIs.

In this section:

Although you can log in to the Secrets Hub APIs with your CyberArk Identity user, we recommend using a dedicated service user with the Secrets Hub role for API calls. For more information, see API Authentication for CyberArk Identity Security Platform Shared Services.

When the user logs in via CyberArk Identity, an authentication token is sent. This token must be included as the bearer token in the header of each API request sent from Secrets Hub.

Common terms used in the APIs



Secret store

A Secrets Hub representation of the object that stores your secrets:

A secret store can be:

  • The source of the secrets - where the secrets are syncing from

    Supported source secret store: PAM_PCLOUD , PAM_SELF_HOSTED

  • The target for the secrets - where the secrets are synced to

    Supported target secret storeAWS_ASM (AWS Secrets Manager); AZURE_AKV (Azure Key Vault)

Secrets filter

Represents the object in the source secret store that contains the secrets that are synced. Currently, the only supported filter type is PAM_SAFE.

Every sync policy should have its own secrets filter.

Sync policy

Tells Secrets Hub which secrets to sync from the source secret store to the target secret store.

When you create a sync policy, you define the secrets filter that represents the Safe to be synced, and the target secret store to which the secrets are synced.

Service info

Returns general information about the Secrets Hub service

  • Secrets Hub tenant role ARN - Use this when creating target secret stores for AWS Secrets Manager. This role ARN provides permissions to your target secret store. For more information, see Configure AWS account roles for Secrets Hub.

  • The CyberArk PAM solution on the tenant: PAM - Self-Hosted