Developer

This section describes the Secrets Hub APIs.

In this section:

Although you can log in to the Secrets Hub APIs with your CyberArk Identity user, we recommend using a dedicated service user with the Secrets Hub role for API calls. For more information, see API Authentication for CyberArk Identity Security Platform Shared Services.

When the user logs in via CyberArk Identity, an authentication token is sent. This token must be included as the bearer token in the header of each API request sent from Secrets Hub.

Common terms used in the APIs

Term	Description
Secret store	A Secrets Hub representation of the object that stores your secrets: A secret store can be: The source of the secrets - where the secrets are syncing from Supported source secret store: PAM_PCLOUD , PAM_SELF_HOSTED The target for the secrets - where the secrets are synced to Supported target secret store: AWS_ASM (AWS Secrets Manager); AZURE_AKV (Azure Key Vault)
Secrets filter	Represents the object in the source secret store that contains the secrets that are synced. Currently, the only supported filter type is PAM_SAFE. Every sync policy should have its own secrets filter.
Sync policy	Tells Secrets Hub which secrets to sync from the source secret store to the target secret store. When you create a sync policy, you define the secrets filter that represents the Safe to be synced, and the target secret store to which the secrets are synced.
Tenant info	Returns general information about the Secrets Hub tenant Secrets Hub tenant role ARN - Use this when creating target secret stores for AWS Secrets Manager. This role ARN provides permissions to your target secret store. For more information, see Configure AWS account roles for Secrets Hub. The CyberArk PAM solution on the tenant: Privilege Cloud