| Steps | An array of objects indicating the steps in the workflow definition. The contents of each step will vary depending on the type of workflow and the type of step. For a newly created workflow, there will be no data in this value. Each step object contains the following fields: |

| Id | A string indicating the Keyfactor Command reference GUID of the workflow definition step. |
| Display Name | A string indicating the display name for the step. |
| Unique Name | A string indicating the unique name for the step. This value must be unique among the steps in the particular workflow definition. It is intended to be used as a user-friendly reference ID. |
| Extension Name | A string indicating the type of step. The currently supported types are: |

- AwsLambda: Invoke an AWS Lambda function using IAM credentials or an assumed role. You can call the function directly using an AWS access key and secret, or optionally assume an IAM role using a Role ARN. The Lambda response is saved to a specified property for use in later workflow steps.
- AzureFunction: Run a REST (API) request against an Azure Function supporting either anonymous or function key authentication. The REST request contents are embedded within the step and do not reference an external file. The function can be accessed anonymously if no key is provided, or secured by supplying a function access key.
- AzureFunctionOAuth: Run a REST (API) request against an Azure Function protected by OAuth authentication. The request includes OAuth tokens to authenticate the caller. The REST request contents are embedded within the step and do not reference an external file. A function access key is required. The key serves as a shared secret to verify that the request comes from a trusted system, adding an extra layer of security.
- RESTRequest: Run a REST (API) request using Active Directory as an identity provider and Basic or Windows authentication. The REST request contents are embedded within the step and do not reference an external file.
- OAuthRESTRequest: Run a REST (API) request using an OAuth identity provider and Token authentication. The REST request contents are embedded within the step and do not reference an external file.
- EnrollStep (Enrollment Only): Enroll for a certificate through Keyfactor Command. The enroll step may occur at any point during the workflow, but only one enroll step may be included in a given workflow. Conditions are not supported on an enroll step. If an enroll step is not added to an Enrollment workflow, one will be included automatically at the end of the workflow. No configuration parameters are required for this step type.
- ExpirationRenewal (Expiration Only): Renew an expired certificate through Keyfactor Command as part of an expiration alert workflow. A separate enrollment workflow is automatically initiated to enroll for the renewed certificate, and the renewal workflow will only be considered complete and successful if that enrollment completes successfully. Tip: The Keyfactor Command Service (timer service) needs permissions to enroll on the CA and template used for renewal when this step is used.
- RevokeStep (Revocation Only): Revoke a certificate through Keyfactor Command. The revoke step may occur at any point during the workflow, but only one revoke step may be included in a given workflow. Conditions are not supported on a revoke step. If a revoke step is not added to a Revocation workflow, one will be included automatically at the end of the workflow. No configuration parameters are required for this step type.
- RequireApproval: Require approval for a workflow step before the step can be completed. The require approval step can require approval from just one approver or from multiple approvers. The workflow is suspended at this point until the required number of approvals from users with the correct security roles is received, or until one denial is received, before continuing to the next step. As part of this step, an email message is sent, typically to the requester, indicating whether the step was approved or denied. This step does not include logic to send an email initiating the approval process (letting users know something needs approval); use an Email type step for this. Important: Workflows are not supported with CA delegation when they contain steps that require approval. For more information, see the CA configuration Delegation Section. Note: The users that you send email to initiating the approval process must be members of a security role that is allowed to submit signals (approve/deny) for the workflow in order to approve or deny the request.
- Email: Send an email message. This is a separate email message from those typically sent as part of a Require Approval step. You might send an email message as part of an enrollment request to notify approvers that a new request needs approval. The email messages can be customized to provide detailed information about, for example, the certificate request.
- PowerShell: Run PowerShell commands within the confines of the workflow to populate variables with information to pass back to the workflow. The PowerShell script contents are embedded within the step. This step does not call out to an external script stored in the database. This provides a high level of security by greatly limiting the number of standard PowerShell cmdlets that can be executed by the workflow step. A small number of PowerShell cmdlets have been whitelisted to allow them to be included in workflow steps of this type, including:
  - ConvertFrom-Csv
  - ConvertFrom-Json
  - ConvertFrom-Markdown
  - ConvertFrom-SddlString
  - ConvertFrom-StringData
  - ConvertTo-Csv
  - ConvertTo-Html
  - ConvertTo-Json
  - ConvertTo-Xml
  - ForEach-Object
  - Get-Command
  - Where-Object

  Important: This step uses PowerShell 7 to run.
- EnrollmentAgent (Enrollment Only): On an enrollment (either CSR or PFX), create a resigned CSR to prepare an updated enrollment request for delivery to a Microsoft CA after a previous step in the workflow has been used to update the SANs, the subject (DN), or both in the initial request. This step must be placed later in the workflow than the step(s) that modify the SANs and/or subject. The SANs and subject may be modified with either of the PowerShell step types or a custom step type. The step creates a new CSR using the same public key as the original CSR, with the updated SAN and/or subject values, and signs the new CSR with the certificate provided in the step's configuration. For this type of step you will need an enrollment agent certificate available as a PKCS#12 (.PFX) file with included private key to import into Keyfactor Command. This can be a user certificate or a computer certificate (e.g., generated from a copy of the Enrollment Agent template or the Enrollment Agent (Computer) template) and must have a Certificate Request Agent EKU. Note that the built-in Enrollment Agent and Enrollment Agent (Computer) templates do not allow private keys to be exported by default. You will need a template that allows private key export, or will need to manually override private key export, to create a certificate with an exportable private key in order to create a PKCS#12 (.PFX) file. Important: This step applies to Microsoft CAs only. If this step is added to a workflow for requests directed to an EJBCA CA, it will fail on enrollment. Note that EJBCA supports submission of updated SAN or subject details as part of standard functionality.
- UpdateMetadata: Update a metadata field in Keyfactor Command with either a static value or a value from a token from the workflow (see Substitutable Text Tokens for Workflow). If you use a token, it needs to be populated before the Update Metadata step runs.
- CustomPowerShell: Run a PowerShell script that has been imported into the Keyfactor Command database. All scripts in the database that have been configured with the workflow category will be available for use. Important: This step uses PowerShell 7 to run by default. Some cmdlets that run in earlier versions of PowerShell are not compatible with PowerShell 7. If you need to use a PowerShell cmdlet that is not compatible with PowerShell 7, you may need to enable the PowerShell 5.1 option. PowerShell 5.1 is not supported on Keyfactor Command servers running in a non-Windows environment. Important: This step type is not supported when running Keyfactor Command in containers under Kubernetes. Use step type Set Variable Data instead.
- SubjectFormatter (Enrollment Only): On an enrollment done through the Keyfactor Windows Enrollment Gateway using a client-side template configured with the Build from this Active Directory information option on the template, this workflow step formats the incoming subject, SANs, and/or SID in the certificate request so that the enrollment completes successfully with the target CA and the Keyfactor Command template, which is not configured to build from AD. Any Keyfactor Windows Enrollment Gateway using a client-side template configured with the subject as Build from this Active Directory information must have a workflow step of this type configured on the Keyfactor Command template that has been mapped in the gateway to that template in order to complete an enrollment through the gateway. There are no configuration parameters for the step. Important: The template in Keyfactor Command that is mapped to the client-side template configured to build the subject from Active Directory also needs to be configured with three enrollment fields to support handling the incoming subject, SANs, and/or SID. For more information about configuring this, see the Keyfactor Windows Enrollment Gateway Installation and Configuration Guide.
- NOOPStep: An entry or exit step in which no operation occurs. Steps of this type indicate the start and end of the workflow.

Tip: For steps that send email messages, the SMTP settings and sender information come from the standard Keyfactor Command SMTP configuration (see SMTP) and are not configured individually in the workflow steps.
| Enabled | A Boolean indicating whether the step is enabled to run (true) or not (false). |
| Configuration Parameters | An object containing the configuration parameters for the workflow definition step. These will vary depending on the type of workflow and the type of step (see ExtensionName); the parameters for each step type are listed in the tables below. Note: There are no ConfigurationParameters for steps of type SubjectFormatter, EnrollStep, RevokeStep, or NOOPStep. |

Table 912: AwsLambda

| Access Key | An object indicating the AWS Access Key ID. This is a unique identifier (similar to a client ID) for the IAM user or role that will authenticate the request. You can generate this key from the AWS IAM console when creating or managing IAM users. Due to its sensitive nature, this value is not returned in responses. |

Supported methods to store secret information are:

- Keyfactor: Store the secret information in the Keyfactor secrets table. A Keyfactor secret is a user-defined username or password that is encrypted and stored securely in the Keyfactor Command database.
- PAM Provider: Load the secret information from a PAM provider. See Privileged Access Management (PAM) for more information.

The access key object contains the following fields:

| Secret Value | A string containing the secret. This parameter is used when PAM is not used as the storage location. |
| Parameters | An object indicating the parameters to supply for PAM authentication. These will vary depending on the PAM provider. |
| Provider | An integer indicating the ID of the PAM provider. Use the GET /PamProviders method (see GET PAM Providers) to retrieve a list of all the PAM providers to determine the ID. |

For example, an access key stored as a Keyfactor secret will look like:

```json
{
  "SecretValue": "AbCdEfGhIjKlMnOpQrStUvWxYz1234567890"
}
```

A secret stored as a CyberArk PAM secret will look like this, where the Provider value (1 in this example) is the Id value from GET PAM Providers and the Safe, Folder, and Object reference the information in the CyberArk safe needed for this record:

```json
{
  "Provider": "1",
  "Parameters": {
    "Safe": "MySafeName",
    "Folder": "MyFolderName",
    "Object": "MyObjectName"
  }
}
```

A secret stored as a Delinea PAM secret will look like this, where the Provider value (2 in this example) is the Id value from GET PAM Providers and the SecretId and SecretFieldName contain the information created in the Delinea secret server for this purpose:

```json
{
  "Provider": "2",
  "Parameters": {
    "SecretId": "MyId",
    "SecretFieldName": "MyReferenceName"
  }
}
```
| Access Key Secret | An object indicating the AWS Access Key Secret. This is the secret key (similar to a client secret) paired with the Access Key ID to securely sign requests to AWS services. Keep this value confidential to prevent unauthorized access. Due to its sensitive nature, this value is not returned in responses. |

Supported methods to store secret information are:

- Keyfactor: Store the secret information in the Keyfactor secrets table. A Keyfactor secret is a user-defined username or password that is encrypted and stored securely in the Keyfactor Command database.
- PAM Provider: Load the secret information from a PAM provider. See Privileged Access Management (PAM) for more information.

The access key secret object contains the following fields:

| Secret Value | A string containing the secret. This parameter is used when PAM is not used as the storage location. |
| Parameters | An object indicating the parameters to supply for PAM authentication. These will vary depending on the PAM provider. |
| Provider | An integer indicating the ID of the PAM provider. Use the GET /PamProviders method (see GET PAM Providers) to retrieve a list of all the PAM providers to determine the ID. |

For example, a secret stored as a Keyfactor secret will look like:

```json
{
  "SecretValue": "AbCdEfGhIjKlMnOpQrStUvWxYz1234567890"
}
```

A secret stored as a CyberArk PAM secret will look like this, where the Provider value (1 in this example) is the Id value from GET PAM Providers and the Safe, Folder, and Object reference the information in the CyberArk safe needed for this record:

```json
{
  "Provider": "1",
  "Parameters": {
    "Safe": "MySafeName",
    "Folder": "MyFolderName",
    "Object": "MyObjectName"
  }
}
```

A secret stored as a Delinea PAM secret will look like this, where the Provider value (2 in this example) is the Id value from GET PAM Providers and the SecretId and SecretFieldName contain the information created in the Delinea secret server for this purpose:

```json
{
  "Provider": "2",
  "Parameters": {
    "SecretId": "MyId",
    "SecretFieldName": "MyReferenceName"
  }
}
```
| Assume Role | A Boolean that indicates whether to assume an IAM role before invoking the Lambda function (true) or not (false). When true, the step uses the provided access key and secret to request temporary credentials for the specified role. This is useful for cross-account access or when enforcing more granular permissions. |
| Data Bucket Property | A string containing the property that the response from the request will be returned in, if any. You can then reference this parameter from subsequent steps in the workflow. Tip: The response is stored as a serialized JObject. If the function returns structured JSON (such as a list or an object), you can extract specific values using JSON path syntax. For example, imagine your function returns a response like: |

```json
[
  {
    "name": "Martha",
    "role": "IT",
    "region": "US-West"
  },
  {
    "name": "John",
    "role": "Sales",
    "region": "US-East"
  }
]
```

You store this response in a variable named MyResponse. You could then reference the region value for the first result like this: $(MyResponse.[0].region)

If your function returns a single object (rather than an array), omit the index. For example:

```json
{
  "message": "Here is the result of your request.",
  "timestamp": "2025-08-13T10:30:00Z"
}
```

You would then use: $(MyResponse.message)
| Function Name | A string indicating the name of the AWS Lambda function you want to invoke. This should match the exact name configured in your AWS account and is case-sensitive. |
| Payload | An object containing the JSON-formatted payload to send with the Lambda request. This field is optional, but if provided, the content must be valid JSON. Tokens are supported. For example: |

```json
{
  "action": "revoke",
  "certificateId": "$(certid)",
  "revocationComment": "$(cmnt)",
  "owner": "$(metadata:AppOwnerFirstName) $(metadata:AppOwnerLastName)"
}
```

Note: This example assumes you have metadata fields as shown.

| Region | A string indicating the AWS region where your Lambda function is deployed (e.g., us-east-1, eu-west-2). This determines the regional endpoint used to send the request and must match the region of the target Lambda function. |
| RoleArn | A string containing the Amazon Resource Name (ARN) of the IAM role to assume when Assume Role is enabled. The ARN must be in the format: arn:aws:iam::123456789012:role/YourLambdaRole |
| Tags | An object containing the optional key-value pairs to include when assuming a role. These tags are passed to AWS STS during the AssumeRole request and can be used for access control, auditing, or session identification. Each tag must be specified as a key-value pair. For example: |

```json
{
  "Project": "KeyfactorWorkflow",
  "Environment": "Production"
}
```

Tip: Tokens (a.k.a. substitutable special text) may be used in the URL and request content fields. Tokens use a variable in the workflow definition that is replaced by data from the certificate request, certificate, or certificate metadata at processing time.
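The secret parameter objects described above (Access Key and Access Key Secret; the same shape is used by other secret-typed step parameters such as the Azure Function Access Key) take exactly one of two forms: an inline Keyfactor secret or a PAM provider reference. The following added Python example, which is not Keyfactor's own code, validates such an object before a step is saved and produces the redacted form a response may echo, since the secret value itself is never returned. The mapping of provider ID to required parameter names is an assumption; real IDs come from GET /PamProviders.

```python
import json

# Constructed examples (not from a live system); the shapes follow the Access Key and
# Access Key Secret descriptions: a Keyfactor secret, a CyberArk and a Delinea PAM reference.
KEYFACTOR_SECRET = '{"SecretValue": "AbCdEfGhIjKlMnOpQrStUvWxYz1234567890"}'
CYBERARK_SECRET = ('{"Provider": "1", "Parameters": {"Safe": "MySafeName", '
                   '"Folder": "MyFolderName", "Object": "MyObjectName"}}')
DELINEA_SECRET = ('{"Provider": "2", "Parameters": {"SecretId": "MyId", '
                  '"SecretFieldName": "MyReferenceName"}}')

# ASSUMPTION: which parameter names each PAM provider ID requires. In a real deployment
# the IDs and provider types come from GET /PamProviders; these two entries are placeholders.
PAM_PARAMETER_KEYS = {
    1: {"Safe", "Folder", "Object"},        # CyberArk-style reference
    2: {"SecretId", "SecretFieldName"},     # Delinea-style reference
}


def classify_secret(text):
    """Parse a secret parameter object; return ("keyfactor", None) or ("pam", provider_id).

    Raises ValueError (json.JSONDecodeError is a subclass) for malformed JSON, for an
    object that mixes SecretValue with a PAM reference, and for a PAM reference whose
    Parameters lack what its provider needs, so a misconfigured step is rejected up front
    instead of failing later when the workflow runs.
    """
    obj = json.loads(text)
    if not isinstance(obj, dict):
        raise ValueError("secret must be a JSON object")
    has_value = "SecretValue" in obj
    has_pam = "Provider" in obj or "Parameters" in obj
    if has_value and has_pam:
        raise ValueError("use either SecretValue or Provider/Parameters, not both")
    if has_value:
        if not isinstance(obj["SecretValue"], str) or not obj["SecretValue"]:
            raise ValueError("SecretValue must be a non-empty string")
        return "keyfactor", None
    if "Provider" not in obj or not isinstance(obj.get("Parameters"), dict):
        raise ValueError("a PAM reference needs both Provider and a Parameters object")
    try:
        provider = int(obj["Provider"])  # the page shows "1" as a string; accept either
    except (TypeError, ValueError):
        raise ValueError("Provider must be an integer ID from GET /PamProviders") from None
    required = PAM_PARAMETER_KEYS.get(provider)
    if required is None:
        raise ValueError(f"unknown PAM provider ID {provider}")
    missing = required - set(obj["Parameters"])
    if missing:
        raise ValueError(f"provider {provider} is missing parameters: {sorted(missing)}")
    return "pam", provider


def redact_secret(text):
    """Return the object as it may be echoed in a response or log: the secret value is
    replaced, while a PAM reference (which holds no secret material) is left intact."""
    obj = json.loads(text)
    if "SecretValue" in obj:
        obj["SecretValue"] = "<redacted>"
    return obj
```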
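The $(...) tokens shown for Data Bucket Property and Payload are resolved at processing time. The following added Python example (illustrative, not Keyfactor's implementation) models that resolution against a constructed data bucket, covering the $(MyResponse.[0].region) index form, the $(MyResponse.message) object form and $(metadata:Field) tokens, and it shows why a value substituted into a JSON payload should be escaped as JSON string content: a requester-supplied comment containing quotes would otherwise change the payload's structure. The token grammar beyond the forms shown on this page, and the sample values, are assumptions.

```python
import json
import re

# Constructed sample data (not from the page): a workflow data bucket after an AwsLambda
# step stored its response under "MyResponse", plus the two metadata fields the Payload
# example uses. The comment deliberately contains double quotes.
DATA_BUCKET = {
    "certid": "7f3c2a9e",
    "cmnt": 'Key "compromise", see ticket 42',
    "MyResponse": [
        {"name": "Martha", "role": "IT", "region": "US-West"},
        {"name": "John", "role": "Sales", "region": "US-East"},
    ],
    "Single": {"message": "Here is the result of your request.",
               "timestamp": "2025-08-13T10:30:00Z"},
}
METADATA = {"AppOwnerFirstName": "Martha", "AppOwnerLastName": "Jones"}

TOKEN_RE = re.compile(r"\$\(([^()]+)\)")              # $(name) or $(metadata:Field)
PATH_RE = re.compile(r"\.?\[(\d+)\]|\.?([^.\[\]]+)")  # "[0]" index or "name" segment


class UnresolvedToken(KeyError):
    """Raised when a token refers to data that has not been populated yet."""


def resolve_path(root, path):
    """Walk a path such as 'MyResponse.[0].region' through the data bucket."""
    current = root
    for index, name in PATH_RE.findall(path):
        if index:
            if not isinstance(current, list) or int(index) >= len(current):
                raise UnresolvedToken(path)
            current = current[int(index)]
        else:
            if not isinstance(current, dict) or name not in current:
                raise UnresolvedToken(path)
            current = current[name]
    return current


def resolve_token(name, bucket, metadata):
    """metadata:Field reads the metadata map; any other token is a data bucket path."""
    if name.startswith("metadata:"):
        field = name[len("metadata:"):]
        if field not in metadata:
            raise UnresolvedToken(name)
        return metadata[field]
    return resolve_path(bucket, name)


def render(template, bucket, metadata, json_string_context=False):
    """Replace every $(token) in template with its resolved value.

    Non-string values are JSON-encoded. With json_string_context=True every value is
    escaped as the *contents* of a JSON string literal, so quotes or newlines in the
    value cannot terminate the literal or alter the surrounding JSON structure.
    """
    def substitute(match):
        value = resolve_token(match.group(1), bucket, metadata)
        text = value if isinstance(value, str) else json.dumps(value)
        return json.dumps(text)[1:-1] if json_string_context else text
    return TOKEN_RE.sub(substitute, template)


# The Payload example from the page, extended with a data bucket lookup.
PAYLOAD_TEMPLATE = """{
  "action": "revoke",
  "certificateId": "$(certid)",
  "revocationComment": "$(cmnt)",
  "owner": "$(metadata:AppOwnerFirstName) $(metadata:AppOwnerLastName)",
  "region": "$(MyResponse.[0].region)"
}"""


def render_payload(template_json, bucket, metadata):
    """Render a Payload template with escaping and parse it back into a Python object."""
    return json.loads(render(template_json, bucket, metadata, json_string_context=True))


def payload_is_valid_json(template_json, bucket, metadata, escape=True):
    """True if rendering the template (with or without escaping) yields valid JSON."""
    try:
        json.loads(render(template_json, bucket, metadata, json_string_context=escape))
        return True
    except json.JSONDecodeError:
        return False
```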
                                                                                                
Table 913: AzureFunction

                                                                                                            | Content Type | A string indicating the content type for the request. Supported values are: |  
                                                                                                            | Data Bucket Property | A string containing the variable that the response from the request will be returned in, if any. You can then reference this parameter from subsequent steps in the workflow. Tip:  The response is stored as a serialized JObject. If the function returns structured JSON (such as a list or an object), you can extract specific values using JSON path syntax. For example, imagine your function returns a response like: Copy[{
 "name": "Martha",
 "role": "IT",
 "region": "US-West"
 },
 {
 "name": "John",
 "role": "Sales",
 "region": "US-East"
 }
 ]
 
 You store this response in a variable named MyResponse. You could then reference the region value for the first result like this: $(MyResponse.[0].region) If your function returns a single object (rather than an array), omit the index. For example: Copy{"message": "Here is the result of your request.",
 "timestamp": "2025-08-13T10:30:00Z"
 }
 You would then use: $(MyResponse.message) |  
                                                                                                            | Function Access Key | An object indicating the function access key. The function access key is used to authorize calls to the Azure Function. This key is required if either the function or its parent function app enforces function-level authorization. If the function is configured for anonymous access and the function app does not enforce additional authentication, the key may not be necessary.  Show function access key details. 
                                                                                                                 Supported methods to store secret information are: 
                                                                                                                    
                                                                                                                        Keyfactor: Store the secret information in the Keyfactor secrets table. A Keyfactor secret is a user-defined username or password that is encrypted and stored securely in the Keyfactor Command database.
                                                                                                                        PAM Provider: Load the secret information from a PAM provider. See Privileged Access Management (PAM) for more information. 
                                                                                                                    
                                                                                                                    
                                                                                                                    
                                                                                                                        
                                                                                                                    
                                                                                                                    
                                                                                                                        
                                                                                                                            | Secret Value | A string containing the secret. This parameter is used when PAM is not used as the storage location. |  
                                                                                                                            | Parameters | An object indicating the parameters to supply for PAM authentication. These will vary depending on the PAM provider. |  
                                                                                                                            | Provider | An integer indicating the ID of the PAM provider. Use the GET /PamProviders method (see GET PAM Providers) to retrieve a list of all the PAM providers to determine the ID. |  For example, an access key stored as a Keyfactor secret will look like: Copy
                                                                                                                    {"SecretValue": "AbCdEfGhIjKlMnOpQrStUvWxYz1234567890"
 }
 A secret stored as a CyberArk PAM secret will look like (where the Provider value—1 in this example—is the Id value from GET PAM Providers and the Safe, Folder, and Object reference the information in the CyberArk safe needed for this record): Copy
                                                                                                                    {"Provider": "1",
 "Parameters":{
 "Safe":"MySafeName",
 "Folder":"MyFolderName",
 "Object":"MyObjectName"
 }
 }
 A secret stored as a Delinea PAM secret will look like (where the Provider value—2 in this example—is the Id value from GET PAM Providers and the SecretId and SecretFieldName contain the information created in the Delinea secret server for this purpose): Copy
                                                                                                                    {"Provider": "2",
 "Parameters":{
 "SecretId":"MyId"
 "SecretFieldName":"MyReferenceName"
 }
 }
 Due to its sensitive nature, this value is not returned in responses. |  
                                                                                                            | Headers | An object containing the header information for the request. The key is the name of the specific request header and the value is the value that should be set for that header. For example: Copy
                                                                                                                    "Headers": {"User-Agent": [
 "KeyfactorCommand/25.3 (CommandWorkflow)"
 ]
 }
 |  
                                                                                                            | Request Content | A string containing the body of the REST request, if needed, with tokens, if desired. For example:
										 Copy
                                                                                                                    {"CertificateId": "$(certid)",
 "SubjectName": "$(cn)",
 "Thumbprint": "$(thumbprint)",
 "Requester": "$(requester)",
 "RevocationDetails": {
 "Comment": "$(cmnt)",
 "Reason": "$(code)",
 "RevokedBy": "$(revoker)",
 "RevocationDate": "$(effdate)"
 },
 "ApplicationOwner": {
 "FirstName": "$(metadata:AppOwnerFirstName)",
 "LastName": "$(metadata:AppOwnerLastName)",
 "Email": "$(metadata:AppOwnerEmailAddress)"
 },
 "Environment": "$(metadata:Environment)",
 "Metadata": {
 "BusinessUnit": "$(metadata:BusinessUnit)",
 "CostCenter": "$(metadata:CostCenter)",
 "CustomTags": "$(metadata:CustomTags)"
 }
 }
 Note:  This example assumes you have metadata fields as shown. |  
                                                                                                            | URL | A string containing the full request URL for your Azure Function, including the HTTP method and any required query parameters (such as tokens) if they are not passed in headers. For example: Copy
                                                                                                                    https://my-function-app-name.azurewebsites.net/api/MyExampleFunction
 Or, with a Keyfactor Command workflow variable in the query string: Copy
                                                                                                                    https://my-function-app-name.azurewebsites.net/api/UpdateMetadata?certId=$(certid)
 Tip:  The Function Access Key is passed in the x-functions-key header and does not need to be included in the URL. |  
                                                                                                            | Verb | A string indicating the HTTP verb for the type of request to perform. Supported values are: 
                                                                                                                    
                                                                                                                        DELETE
                                                                                                                        GET
                                                                                                                        HEAD
                                                                                                                        OPTIONS
                                                                                                                        POST
                                                                                                                        PUT
                                                                                                                        TRACE |  Tip:  Tokens (a.k.a. substitutable special text) may be used in the URL and request content fields. Tokens use a variable in the workflow definition that is replaced by data from the certificate request, certificate, or certificate metadata at processing time.  
                                                                                                
Table 914: AzureFunctionOAuth

| Audience | A string containing the expected audience value (aud claim) for the token. In most Azure Function apps secured with Azure AD, this is typically the same as the Application ID URI used in the scope. For example: api://{application-id} |
| client_id | A string indicating the Application (client) ID from the Azure App Registration associated with the identity provider. This value identifies the client application that will authenticate with the function app. |
| client_secret | An object indicating the client secret generated in the Azure App Registration. This secret authenticates the client when requesting tokens from Azure Active Directory.
  Supported methods to store secret information are:
    - Keyfactor: Store the secret information in the Keyfactor secrets table. A Keyfactor secret is a user-defined username or password that is encrypted and stored securely in the Keyfactor Command database.
    - PAM Provider: Load the secret information from a PAM provider. See Privileged Access Management (PAM) for more information.
    | Secret Value | A string containing the secret. This parameter is used when PAM is not used as the storage location. |
    | Parameters | An object indicating the parameters to supply for PAM authentication. These will vary depending on the PAM provider. |
    | Provider | An integer indicating the ID of the PAM provider. Use the GET /PamProviders method (see GET PAM Providers) to retrieve a list of all the PAM providers to determine the ID. |
  For example, a secret stored as a Keyfactor secret will look like:
    {
      "SecretValue": "AbCdEfGhIjKlMnOpQrStUvWxYz1234567890"
    }
  A secret stored as a CyberArk PAM secret will look like (where the Provider value, 1 in this example, is the Id value from GET PAM Providers and the Safe, Folder, and Object reference the information in the CyberArk safe needed for this record):
    {
      "Provider": "1",
      "Parameters": {
        "Safe": "MySafeName",
        "Folder": "MyFolderName",
        "Object": "MyObjectName"
      }
    }
  A secret stored as a Delinea PAM secret will look like (where the Provider value, 2 in this example, is the Id value from GET PAM Providers and the SecretId and SecretFieldName contain the information created in the Delinea secret server for this purpose):
    {
      "Provider": "2",
      "Parameters": {
        "SecretId": "MyId",
        "SecretFieldName": "MyReferenceName"
      }
    }
  Due to its sensitive nature, this value is not returned in responses. |
| Content Type | A string indicating the content type for the request. Supported values are: |
| Data Bucket Property | A string containing the variable that the response from the request will be returned in, if any. You can then reference this parameter from subsequent steps in the workflow.
  Tip: The response is stored as a serialized JObject. If the function returns structured JSON (such as a list or an object), you can extract specific values using JSON path syntax. For example, imagine your function returns a response like:
    [
      {
        "name": "Martha",
        "role": "IT",
        "region": "US-West"
      },
      {
        "name": "John",
        "role": "Sales",
        "region": "US-East"
      }
    ]
  You store this response in a variable named MyResponse. You could then reference the region value for the first result like this: $(MyResponse.[0].region)
  If your function returns a single object (rather than an array), omit the index. For example:
    {
      "message": "Here is the result of your request.",
      "timestamp": "2025-08-13T10:30:00Z"
    }
  You would then use: $(MyResponse.message) |
| Function Access Key | An object indicating the function access key. The function access key is used to authorize calls to an Azure Function and is required. While OAuth handles user authentication, the function access key acts as a shared secret to validate the request against the Azure Function endpoint. Even if the function itself allows anonymous access, Azure's security model under OAuth typically requires the key in order to invoke the function successfully from external systems such as Keyfactor Command.
  Supported methods to store secret information are:
    - Keyfactor: Store the secret information in the Keyfactor secrets table. A Keyfactor secret is a user-defined username or password that is encrypted and stored securely in the Keyfactor Command database.
    - PAM Provider: Load the secret information from a PAM provider. See Privileged Access Management (PAM) for more information.
    | Secret Value | A string containing the secret. This parameter is used when PAM is not used as the storage location. |
    | Parameters | An object indicating the parameters to supply for PAM authentication. These will vary depending on the PAM provider. |
    | Provider | An integer indicating the ID of the PAM provider. Use the GET /PamProviders method (see GET PAM Providers) to retrieve a list of all the PAM providers to determine the ID. |
  For example, an access key stored as a Keyfactor secret will look like:
    {
      "SecretValue": "AbCdEfGhIjKlMnOpQrStUvWxYz1234567890"
    }
  A secret stored as a CyberArk PAM secret will look like (where the Provider value, 1 in this example, is the Id value from GET PAM Providers and the Safe, Folder, and Object reference the information in the CyberArk safe needed for this record):
    {
      "Provider": "1",
      "Parameters": {
        "Safe": "MySafeName",
        "Folder": "MyFolderName",
        "Object": "MyObjectName"
      }
    }
  A secret stored as a Delinea PAM secret will look like (where the Provider value, 2 in this example, is the Id value from GET PAM Providers and the SecretId and SecretFieldName contain the information created in the Delinea secret server for this purpose):
    {
      "Provider": "2",
      "Parameters": {
        "SecretId": "MyId",
        "SecretFieldName": "MyReferenceName"
      }
    }
  Due to its sensitive nature, this value is not returned in responses. |
| Headers | An object containing the header information for the request. The key is the name of the specific request header and the value is the value that should be set for that header. For example:
    "Headers": {
      "User-Agent": [
        "KeyfactorCommand/25.3 (CommandWorkflow)"
      ]
    }
|
| Request Content | A string containing the body of the REST request, if needed, with tokens, if desired. For example:
    {
      "CertificateId": "$(certid)",
      "SubjectName": "$(cn)",
      "Thumbprint": "$(thumbprint)",
      "Requester": "$(requester)",
      "RevocationDetails": {
        "Comment": "$(cmnt)",
        "Reason": "$(code)",
        "RevokedBy": "$(revoker)",
        "RevocationDate": "$(effdate)"
      },
      "ApplicationOwner": {
        "FirstName": "$(metadata:AppOwnerFirstName)",
        "LastName": "$(metadata:AppOwnerLastName)",
        "Email": "$(metadata:AppOwnerEmailAddress)"
      },
      "Environment": "$(metadata:Environment)",
      "Metadata": {
        "BusinessUnit": "$(metadata:BusinessUnit)",
        "CostCenter": "$(metadata:CostCenter)",
        "CustomTags": "$(metadata:CustomTags)"
      }
    }
  Note: This example assumes you have metadata fields as shown. |
| Scope | A string containing the scope required to request a token for your Azure Function. For client credentials flow, the scope must be the Application ID URI of the target resource with /.default appended. For example: api://{application-id}/.default
  Replace {application-id} with the Application (client) ID or custom App ID URI of your Azure Function's registered app. |
| Token Endpoint | A string containing the Azure Active Directory token endpoint for your tenant. This endpoint is used to request access tokens during client credentials authentication. For example: https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
  Replace {tenant-id} with your Directory (tenant) ID from Azure. |
| URL | A string containing the full request URL for your Azure Function, including the HTTP method and any required query parameters (such as tokens) if they are not passed in headers. For example:
    https://my-function-app-name.azurewebsites.net/api/MyExampleFunction
  Or, with a Keyfactor Command workflow variable in the query string:
    https://my-function-app-name.azurewebsites.net/api/UpdateMetadata?certId=$(certid)
  Tip: The Function Access Key is passed in the x-functions-key header and does not need to be included in the URL. |
| Verb | A string indicating the HTTP verb for the type of request to perform. Supported values are: DELETE, GET, HEAD, OPTIONS, POST, PUT, TRACE |

Tip: Tokens (a.k.a. substitutable special text) may be used in the URL and request content fields. Tokens use a variable in the workflow definition that is replaced by data from the certificate request, certificate, or certificate metadata at processing time.
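The token forms used in the Request Content and Data Bucket Property rows of Tables 913 and 914 ($(name), $(metadata:Field) and data bucket references such as $(MyResponse.[0].region)) can be exercised with a small resolver. The following is an added example written for this page, not Keyfactor Command's own substitution code: the function names, the constructed sample request values, metadata and bucket contents are all hypothetical, and the exact resolution rules of the product are assumed to match the forms the tables show. It parses the request content template as JSON first and substitutes into the parsed structure, so a substituted value that contains quotes or backslashes is JSON-escaped instead of corrupting the request body, and a token that refers to a whole bucket object is embedded as JSON rather than as text.

```python
import json
import re

# Token syntax taken from the tables above: $(name), $(metadata:Field) and
# data bucket references such as $(MyResponse.[0].region).  This resolver is
# an illustration, not Keyfactor Command's own implementation.
TOKEN_RE = re.compile(r"\$\(([^()]+)\)")
# One path segment: either an [index] or a property name between dots.
SEGMENT_RE = re.compile(r"\[(\d+)\]|([^.\[\]]+)")


def resolve_path(root, path):
    """Walk a dotted path with optional [index] segments through parsed JSON."""
    current = root
    for index, key in SEGMENT_RE.findall(path):
        if index != "":
            if not isinstance(current, list):
                raise KeyError(f"{path}: [{index}] applied to a non-array value")
            current = current[int(index)]
        else:
            if not isinstance(current, dict) or key not in current:
                raise KeyError(f"{path}: no property named {key!r}")
            current = current[key]
    return current


def make_lookup(values, metadata, buckets):
    """Build a token lookup over request values, metadata fields and data buckets."""
    def lookup(name):
        if name.startswith("metadata:"):
            return metadata[name[len("metadata:"):]]
        if name.split(".", 1)[0] in buckets:
            return resolve_path(buckets, name)
        return values[name]
    return lookup


def substitute(node, lookup):
    """Replace tokens inside an already-parsed JSON structure."""
    if isinstance(node, str):
        whole = TOKEN_RE.fullmatch(node)
        if whole:
            # A string that is exactly one token keeps the looked-up value's
            # type, so a bucket object or list is embedded as JSON, not text.
            return lookup(whole.group(1))
        return TOKEN_RE.sub(lambda m: str(lookup(m.group(1))), node)
    if isinstance(node, dict):
        return {k: substitute(v, lookup) for k, v in node.items()}
    if isinstance(node, list):
        return [substitute(v, lookup) for v in node]
    return node


def render_request_content(template, values, metadata, buckets):
    """Render a Request Content template (JSON text with tokens) to a JSON body."""
    lookup = make_lookup(values, metadata, buckets)
    return json.dumps(substitute(json.loads(template), lookup))


# Constructed sample data (not from the page): a response stored in the data
# bucket MyResponse, plus request values and metadata for a revocation step.
SAMPLE_BUCKETS = {
    "MyResponse": [
        {"name": "Martha", "role": "IT", "region": "US-West"},
        {"name": "John", "role": "Sales", "region": "US-East"},
    ],
    "Single": {"message": "Here is the result of your request."},
}
SAMPLE_VALUES = {"certid": "1234", "cn": 'Example "Prod" Server', "cmnt": "key compromise"}
SAMPLE_METADATA = {"AppOwnerFirstName": "Ada", "Environment": "Production"}
SAMPLE_TEMPLATE = """{
  "CertificateId": "$(certid)",
  "SubjectName": "$(cn)",
  "RevocationDetails": {"Comment": "$(cmnt)"},
  "ApplicationOwner": {"FirstName": "$(metadata:AppOwnerFirstName)"},
  "Environment": "$(metadata:Environment)",
  "Owner": "$(MyResponse.[0].name) in $(MyResponse.[0].region)",
  "Previous": "$(MyResponse.[1])"
}"""


def demo():
    """Render the constructed template and return the parsed result."""
    body = render_request_content(SAMPLE_TEMPLATE, SAMPLE_VALUES, SAMPLE_METADATA, SAMPLE_BUCKETS)
    return json.loads(body)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Substituting into the parsed structure rather than into the raw template text is the design choice worth keeping: a common name such as Example "Prod" Server comes out as a valid JSON string, and a missing bucket property raises a KeyError at render time instead of silently sending an empty value.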
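The Audience, Scope and Token Endpoint rows of Table 914 together describe a client credentials exchange: the scope must be the Application ID URI with /.default appended, the audience is typically that same URI, the token is requested from the tenant's v2.0 token endpoint, and the function is then called with the Function Access Key in the x-functions-key header. The following is an added example, not Keyfactor Command's code: it checks an AzureFunctionOAuth step for the shape those rows require, runs the token request through an injected HTTP transport so it works offline, and assembles the function call. The function names, the stub transport and the sample step values are hypothetical, and the default content type of application/json is an assumption because the table's list of supported values is not shown.

```python
import re
import urllib.parse

# Expected shapes from Table 914 (AzureFunctionOAuth).  Function names and the
# stub HTTP transport below are hypothetical; nothing here is Keyfactor code.
TOKEN_ENDPOINT_RE = re.compile(r"^https://login\.microsoftonline\.com/[^/{}]+/oauth2/v2\.0/token$")
FUNCTION_KEY_HEADER = "x-functions-key"  # header named in the URL row of the table


def check_oauth_step(step):
    """Return a list of configuration problems (empty when the step looks consistent)."""
    problems = []
    scope = step.get("Scope", "")
    audience = step.get("Audience", "")
    endpoint = step.get("Token Endpoint", "")
    url = step.get("URL", "")
    for name, value in (("Scope", scope), ("Audience", audience), ("Token Endpoint", endpoint)):
        if "{" in value or "}" in value:
            problems.append(f"{name}: placeholder braces were not replaced with a real value")
    if not scope.endswith("/.default"):
        problems.append("Scope: client credentials flow requires the Application ID URI with /.default appended")
    elif audience and audience != scope[: -len("/.default")]:
        problems.append("Audience: differs from the resource named in Scope; confirm the aud claim the function expects")
    if not TOKEN_ENDPOINT_RE.match(endpoint):
        problems.append("Token Endpoint: expected https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token")
    if not url.startswith("https://"):
        problems.append("URL: a call carrying a bearer token and a function key must use https")
    return problems


def request_token(step, client_secret, post):
    """Run the client credentials exchange through an injected transport.

    post(url, headers, body) -> (status, parsed_json).  Injecting it keeps the
    example offline and testable; a real transport would use HTTPS."""
    form = {
        "grant_type": "client_credentials",
        "client_id": step["client_id"],
        "client_secret": client_secret,
        "scope": step["Scope"],
    }
    status, body = post(step["Token Endpoint"],
                        {"Content-Type": "application/x-www-form-urlencoded"},
                        urllib.parse.urlencode(form))
    if status != 200 or "access_token" not in body:
        # Report the status only; the form carries the secret and must not leak into logs.
        raise RuntimeError(f"token request failed with HTTP {status}")
    return body["access_token"]


def build_function_request(step, access_token, function_key, content):
    """Assemble verb, URL, headers and body for the Azure Function call."""
    headers = {}
    for name, value in step.get("Headers", {}).items():
        # The table's Headers example stores each header value as a list of strings.
        headers[name] = ", ".join(value) if isinstance(value, list) else value
    headers["Authorization"] = f"Bearer {access_token}"
    headers[FUNCTION_KEY_HEADER] = function_key
    headers["Content-Type"] = step.get("Content Type", "application/json")  # default is an assumption
    return step.get("Verb", "POST"), step["URL"], headers, content


# Constructed sample step: every identifier below is a placeholder, not a real value.
SAMPLE_STEP = {
    "Audience": "api://00000000-0000-0000-0000-000000000001",
    "client_id": "00000000-0000-0000-0000-000000000002",
    "Scope": "api://00000000-0000-0000-0000-000000000001/.default",
    "Token Endpoint": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000003/oauth2/v2.0/token",
    "URL": "https://my-function-app-name.azurewebsites.net/api/UpdateMetadata?certId=$(certid)",
    "Verb": "POST",
    "Content Type": "application/json",
    "Headers": {"User-Agent": ["KeyfactorCommand/25.3 (CommandWorkflow)"]},
}


def stub_post(url, headers, body):
    """Offline stand-in for the token endpoint: validates the form and returns a fake token."""
    fields = dict(urllib.parse.parse_qsl(body))
    ok = (url == SAMPLE_STEP["Token Endpoint"]
          and fields.get("grant_type") == "client_credentials"
          and fields.get("scope") == SAMPLE_STEP["Scope"]
          and "client_secret" in fields)
    if not ok:
        return 400, {"error": "invalid_request"}
    return 200, {"access_token": "constructed.jwt.value", "token_type": "Bearer", "expires_in": 3599}
```

Run check_oauth_step before the first token request: the placeholder and /.default checks catch the two mistakes the Scope and Token Endpoint rows warn about, and the https check matters because both the bearer token and the function key travel in headers of that call.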
                                                                                                
Table 915: CustomPowerShell

| Script Name | A string containing the Keyfactor Command reference name of the PowerShell script as stored in the Keyfactor Command database. A sample PowerShell script (CustomPowershellExample.ps1) is provided in the \ExtensionLibrary\net6.0\Workflow directory on the Keyfactor Command server under the install directory. By default, this is: C:\Program Files\Keyfactor\Keyfactor Platform\ExtensionLibrary\net6.0\Workflow |
| Script Parameters | An object defining any parameters to be used in the PowerShell script. |
| Use PowerShell 5.1 | A Boolean indicating whether PowerShell 5.1 should be used for the workflow step (true) or PowerShell 7 should be used for the workflow step (false). The default is false. PowerShell 5.1 is not supported on Keyfactor Command servers running in a non-Windows environment. |

Tip: Tokens (a.k.a. substitutable special text) may be used in the script parameter value field. Tokens use a variable in the workflow definition that is replaced by data from the certificate request, certificate, or certificate metadata at processing time. For example, you can take the revocation comment entered when the revocation request is approved, $(cmnt), and append additional data to it using PowerShell.
                                                                                                
                                                                                                 Table 916:  Email 
                                                                                                    
                                                                                                    
                                                                                                    
                                                                                                        
                                                                                                    
                                                                                                    
                                                                                                        
                                                                                                            | Message | A string indicating the email message that will be delivered when the workflow definition step is executed. The email message is made up of regular text and tokens. If desired, you can format the message body using HTML. For example, for an enrollment pending request notification: Copy
                                                                                                                    "Hello, \n\nA certificate using the  $(template) template was requested by $(requester) from $(CA) on $(subdate). The certificate details include: \n\n<table> \n<tr><th>Certificate Details</th><th>Metadata</th></tr> \n<tr><td>CN: $(request:cn)</td><td>App Owner First Name: $(metadata:AppOwnerFirstName)</td></tr> \n<tr><td>DN: $(request:dn)</td><td>App Owner Last Name: $(metadata:AppOwnerLastName)</td></tr> \n<tr><td>SANs: $(sans)</td><td>App Owner Email Address: $(metadata:AppOwnerEmailAddress)</td></tr> \n<tr><td> </td><td>Business Critical: $(metadata:BusinessCritical)</td></tr> \n\nPlease review this request and issue the certificate as appropriate by going here: \n\n$(reviewlink) \n\nThanks! \n\nYour Certificate Management Tool\n"
 See Table 22: Tokens for Workflow Definitions for a complete list of available tokens. Tip:  For best results when using HTML to format an email sent from Keyfactor Command , use inline styles and do not rely on linked stylesheets or embedded <style> rules. For example:
                         Recommended: <p style="font-size:14px; color:#333; margin:0 0 12px;">Hello</p>Not Recommended: <link rel="stylesheet" href="https://cdn..."> or <style>p { color:#333; }</style>
 |  
                                                                                                            | Recipients | An array of strings containing the recipients for the alert. Each alert can have multiple recipients. You can use specific email addresses and/or use substitutable special text to replace an email address variable with actual email addresses at processing time.  When entering email addresses on the Recipients parameter, if more than one recipient is added to a string, all recipients in that string receive the same email and can see the other recipients on the email. To do this, enter email addresses separated by commas or semi-colons withing the string. To include multiple strings, separate each string by a comma within the array.
 
"Recipients": [
 "{certemail}", 
 "pkiadmins@keyexample.com,bbrown@keyexample.com"
]Available email substitutable special text strings include your custom email-based metadata field, which would be specified similarly to: {metadata:AppOwnerEmailAddress} |  
| Subject | A string indicating the subject line for the email message that will be delivered when the workflow definition step is executed. |
Tip: Tokens (a.k.a. substitutable special text) may be used in the subject line, message and email recipient fields. Tokens use a variable in the workflow definition that is replaced by data from the certificate request, certificate, or certificate metadata at processing time. For example, you can select $(requester) in the workflow definition for an enrollment request and the email message will contain the specific certificate requester name instead of the variable $(requester).

Table 917: EnrollmentAgent

| Enrollment Agent Cert | A string containing the base-64-encoded representation of the enrollment agent certificate with private key (in PKCS#12 format) that will be used to sign the CSR. This can be either a user certificate or a computer certificate and must have a Certificate Request Agent EKU. |
| Enrollment Agent Cert Password | An object indicating the password information used to secure the private key of the enrollment agent certificate.
Supported methods to store secret information are:
- Keyfactor: Store the secret information in the Keyfactor secrets table. A Keyfactor secret is a user-defined username or password that is encrypted and stored securely in the Keyfactor Command database.
- PAM Provider: Load the secret information from a PAM provider. See Privileged Access Management (PAM) for more information.

| Secret Value | A string containing the secret. This parameter is used when PAM is not used as the storage location. |
| Parameters | An object indicating the parameters to supply for PAM authentication. These will vary depending on the PAM provider. |
| Provider | An integer indicating the ID of the PAM provider. Use the GET /PamProviders method (see GET PAM Providers) to retrieve a list of all the PAM providers to determine the ID. |

For example, a password stored as a Keyfactor secret will look like:
{"SecretValue": "AbCdEfGhIjKlMnOpQrStUvWxYz1234567890"
}
A secret stored as a CyberArk PAM secret will look like (where the Provider value, 1 in this example, is the Id value from GET PAM Providers and the Safe, Folder, and Object reference the information in the CyberArk safe needed for this record):
{"Provider": "1",
 "Parameters":{
 "Safe":"MySafeName",
 "Folder":"MyFolderName",
 "Object":"MyObjectName"
 }
}
A secret stored as a Delinea PAM secret will look like (where the Provider value, 2 in this example, is the Id value from GET PAM Providers and the SecretId and SecretFieldName contain the information created in the Delinea secret server for this purpose):
{"Provider": "2",
 "Parameters":{
 "SecretId":"MyId",
 "SecretFieldName":"MyReferenceName"
 }
}
Due to its sensitive nature, this value is not returned in responses. |
                                                                                                
Table 918: ExpirationRenewal

| CA | An integer indicating the Keyfactor Command reference ID of the certificate authority to use when requesting a new certificate on running expiration workflows with a renewal step. The template must be available from the selected certificate authority. |
| Curve | A string indicating the elliptic curve (as an OID) to use when requesting a new certificate on running expiration workflows with a renewal step. The curve must be available for the selected template and CA. |
| KeyAlgorithm | A string indicating the key algorithm to use when requesting a new certificate on running expiration workflows with a renewal step. The key algorithm must be available for the selected template and CA. |
| KeySize | A string indicating the key size to use when requesting a new certificate on running expiration workflows with a renewal step. The key size must be available for the selected template and CA. |
| PushToCertStore | A Boolean indicating whether to replace the certificate in the existing certificate store(s) (true) or not (false). |
| Template | An integer indicating the Keyfactor Command reference ID of the template to use when requesting a new certificate on running expiration workflows with a renewal step. An enrollment pattern is selected for the request as follows:
- For certificates with an associated enrollment pattern, that enrollment pattern is used for the renewal.
- For certificates without an associated enrollment pattern, the default enrollment pattern for the template is used. |
                                                                                                
Table 919: OAuthRestRequest

| Audience | An audience value that is submitted with the token request, if desired. This value is not used for Keycloak. |
| client_id | A string indicating the ID of the identity provider client that should be used to authenticate the session (see Authenticating to the Keyfactor API). |
| client_secret | An object indicating the secret of the identity provider client that should be used to authenticate the session (see Authenticating to the Keyfactor API).
Supported methods to store secret information are:
- Keyfactor: Store the secret information in the Keyfactor secrets table. A Keyfactor secret is a user-defined username or password that is encrypted and stored securely in the Keyfactor Command database.
- PAM Provider: Load the secret information from a PAM provider. See Privileged Access Management (PAM) for more information.

| Secret Value | A string containing the secret. This parameter is used when PAM is not used as the storage location. |
| Parameters | An object indicating the parameters to supply for PAM authentication. These will vary depending on the PAM provider. |
| Provider | An integer indicating the ID of the PAM provider. Use the GET /PamProviders method (see GET PAM Providers) to retrieve a list of all the PAM providers to determine the ID. |

For example, a secret stored as a Keyfactor secret will look like:
{"SecretValue": "AbCdEfGhIjKlMnOpQrStUvWxYz1234567890"
}
A secret stored as a CyberArk PAM secret will look like (where the Provider value, 1 in this example, is the Id value from GET PAM Providers and the Safe, Folder, and Object reference the information in the CyberArk safe needed for this record):
{"Provider": "1",
 "Parameters":{
 "Safe":"MySafeName",
 "Folder":"MyFolderName",
 "Object":"MyObjectName"
 }
}
A secret stored as a Delinea PAM secret will look like (where the Provider value, 2 in this example, is the Id value from GET PAM Providers and the SecretId and SecretFieldName contain the information created in the Delinea secret server for this purpose):
{"Provider": "2",
 "Parameters":{
 "SecretId":"MyId",
 "SecretFieldName":"MyReferenceName"
 }
}
Due to its sensitive nature, this value is not returned in responses. |
| Content Type | A string indicating the content type for the request. Supported values are: |
| Data Bucket Property | A string containing the variable that the response from the request will be returned in, if any. You can then reference this parameter from subsequent steps in the workflow.
Tip: The response is stored as a serialized JObject. If the request returns structured JSON (such as a list or an object), you can extract specific values using JSON path syntax. For example, imagine you returned the data from a GET /Agents request and stored this response in a variable named MyResponse. You could then reference the ClientMachine value for the first result like this:
$(MyResponse.[0].ClientMachine)
If you used GET /Agents/{id} instead to return a single object (rather than an array), omit the index. You would then use:
$(MyResponse.ClientMachine) |
| Headers | An object containing the header information for the request. The key is the name of the specific request header (for Keyfactor API request headers, see Table 126: Common Request Headers and the specific documentation for each endpoint) and the value is the value that should be set for that header. For a Keyfactor API request, this might look like:
"Headers": {
 "x-keyfactor-requested-with": [
 "APIClient"
 ],
 "x-keyfactor-api-version": [
 "2"
 ]
}
Tip: For a Keyfactor API request, version 1 is assumed if no version is specified. Content type and authorization headers do not need to be specified, since those are addressed elsewhere in the configuration. |
| Request Content | A string containing the body of the REST request, if needed. For a Keyfactor API request, this will vary depending on the request and might look like (for a PUT /Certificates/Metadata request):
{"Id": "$(certid)",
 "Metadata":{
 "RevocationComment": "$(cmnt)"
 }
}
Note: This example assumes you have a metadata field called RevocationComment. |
| Scope | One or more scopes that are submitted with the token request, if desired. Multiple scopes should be separated by spaces. This value is not used for Keycloak. |
| Token Endpoint | A string containing the URL of the token endpoint for your identity provider. For example:
https://my-keyidp-server.keyexample.com/realms/Keyfactor/protocol/openid-connect/token
For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation). |
| URL | A string containing the URL for the request, including tokens, if desired. For a Keyfactor API request, this might look like:
https://keyfactor.keyexample.com/KeyfactorAPI/Certificates?pq.queryString=CN%20-contains%20%22appsrvr14%22%20AND%20CertStorePath%20-ne%20NULL
Or, with tokens:
https://keyfactor.keyexample.com/KeyfactorAPI/Certificates/$(certid)
Note: To prevent REST requests from being made to inappropriate locations by malicious users, configure a system environment variable of KEYFACTOR_BLOCKED_OUTBOUND_IPS on your Keyfactor Command server pointing to the IP address or range of addresses in CIDR format that you wish to block. Both IPv4 and IPv6 addresses are supported. More than one address or range may be specified in a comma-delimited list. For example:
192.168.12.0/24,192.168.14.22/24
When a REST request is made where the URL is either configured to a blocked IP address or resolves via DNS to a blocked IP address, the REST request will fail. |
| Verb | A string indicating the HTTP verb for the type of request to perform. Supported values are:
- DELETE
- GET
- HEAD
- OPTIONS
- POST
- PUT
- TRACE |
Tip: Tokens (a.k.a. substitutable special text) may be used in the URL and request content fields. Tokens use a variable in the workflow definition that is replaced by data from the certificate request, certificate, or certificate metadata at processing time. For example, you can take the revocation comment entered when the revocation request is approved, $(cmnt), and insert it into a custom metadata field in the certificate by doing a PUT /Certificates/Metadata request for the $(id).
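The URL note above describes the KEYFACTOR_BLOCKED_OUTBOUND_IPS behaviour (a comma-delimited list of addresses or CIDR ranges; a request fails if its URL names a blocked address or resolves to one). The following is an added Python illustration of that kind of check, not Keyfactor's own implementation: the variable name and the example ranges come from the page, while the function names, the injectable resolver and its offline stub table are assumptions, and the IPv6 case in the test goes beyond the page's IPv4 example.

```python
import ipaddress
from typing import Callable, List
from urllib.parse import urlsplit

# Name of the environment variable documented above.
BLOCKED_ENV_VAR = "KEYFACTOR_BLOCKED_OUTBOUND_IPS"


def parse_blocklist(value: str) -> list:
    """Parse a comma-delimited list of IPv4/IPv6 addresses or CIDR ranges.

    strict=False matters: the page's own example "192.168.14.22/24" is a host
    address with a prefix length, and strict parsing would reject it because
    host bits are set. A bare address with no prefix becomes a /32 or /128.
    """
    networks = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate blank entries and trailing commas
        networks.append(ipaddress.ip_network(item, strict=False))
    return networks


def is_blocked_address(addr: str, blocklist: list) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in blocklist)


def check_outbound_url(url: str, blocklist: list,
                       resolve: Callable[[str], List[str]]) -> bool:
    """Return True if the request may proceed, False if it must fail.

    A literal IP host is checked directly. A hostname is checked against every
    address the resolver returns, so a name that resolves to a blocked address
    is refused as well. Missing or unresolvable hosts fail closed.
    """
    host = urlsplit(url).hostname  # IPv6 literals come back without brackets
    if host is None:
        return False
    try:
        candidates = [str(ipaddress.ip_address(host))]
    except ValueError:
        candidates = list(resolve(host))
        if not candidates:
            return False
    return not any(is_blocked_address(a, blocklist) for a in candidates)


# Constructed resolver stub standing in for DNS so the example runs offline.
FAKE_DNS = {
    "keyfactor.keyexample.com": ["203.0.113.10"],
    "internal-ca.keyexample.com": ["192.168.12.7"],  # inside 192.168.12.0/24
    "dual.keyexample.com": ["203.0.113.20", "192.168.14.200"],  # one record blocked
}


def fake_resolve(hostname: str) -> List[str]:
    return FAKE_DNS.get(hostname, [])


# The page's example value, as it would be read from the environment variable.
EXAMPLE_BLOCKLIST = parse_blocklist("192.168.12.0/24,192.168.14.22/24")

if __name__ == "__main__":
    for u in ("https://keyfactor.keyexample.com/KeyfactorAPI/Certificates",
              "https://internal-ca.keyexample.com/",
              "http://192.168.14.5/",
              "https://dual.keyexample.com/"):
        verdict = check_outbound_url(u, EXAMPLE_BLOCKLIST, fake_resolve)
        print(u, "allowed" if verdict else "blocked")
```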
                                                                                                
Table 920: PowerShell

| Script Content | A string containing the PowerShell commands to execute. This should be the actual contents of the PowerShell script (the PowerShell commands and supporting components), not a path and filename to an external file. |
| Script Parameters | An object defining any parameters to be used in the PowerShell script. The key is the name of a custom parameter defined by you and the value is the initial value that should be set for that parameter before the PowerShell is executed, if any. Tokens are supported in the value. |
Tip: Tokens (a.k.a. substitutable special text) may be used in the script parameter value field. Tokens use a variable in the workflow definition that is replaced by data from the certificate request, certificate, or certificate metadata at processing time. For example, you can take the revocation comment entered when the revocation request is approved, $(cmnt), and append additional data to it using PowerShell.
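The Data Bucket Property tip in Table 919 and the token tips above describe three token shapes: $(name), $(metadata:Field) and a data-bucket path such as $(MyResponse.[0].ClientMachine). The following added Python example, not Keyfactor's code, resolves all three over constructed sample data and also checks a rendered JSON request body (like the PUT /Certificates/Metadata example) still parses after a free-text value such as $(cmnt) is spliced in; the path grammar beyond the two forms the page shows, the unknown-token behaviour and the sample data are assumptions.

```python
import json
import re
from typing import Any, Dict

# $(...) tokens as used in message, URL, request content and script parameter fields.
TOKEN_RE = re.compile(r"\$\(([^()]+)\)")
# One path segment after a data bucket variable: "[n]" or "Name", each with an
# optional leading dot, so "MyResponse.[0].ClientMachine" and
# "MyResponse.ClientMachine" both parse. Assumption: nesting may repeat freely.
SEGMENT_RE = re.compile(r"\.?\[(\d+)\]|\.?([A-Za-z_][A-Za-z0-9_]*)")
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def resolve_path(root: Any, path: str) -> Any:
    """Walk an indexed/dotted path over parsed JSON; KeyError/IndexError on a miss."""
    cur, pos = root, 0
    while pos < len(path):
        m = SEGMENT_RE.match(path, pos)
        if not m:
            raise ValueError(f"unparseable path segment at offset {pos} in {path!r}")
        pos = m.end()
        cur = cur[int(m.group(1))] if m.group(1) is not None else cur[m.group(2)]
    return cur


def resolve_token(name: str, context: Dict[str, Any], bucket: Dict[str, Any]) -> str:
    """Resolve one token body. Assumption: an unknown token raises rather than
    being left in place, so a typo cannot silently ship the literal "$(...)"."""
    if name.startswith("metadata:"):
        return str(context["metadata"][name[len("metadata:"):]])
    head = IDENT_RE.match(name)
    if head and head.group(0) in bucket:  # data bucket variable plus optional path
        value = resolve_path(bucket[head.group(0)], name[head.end():])
        return value if isinstance(value, str) else json.dumps(value)
    return str(context[name])


def substitute(template: str, context: Dict[str, Any], bucket: Dict[str, Any]) -> str:
    return TOKEN_RE.sub(lambda m: resolve_token(m.group(1), context, bucket), template)


def render_json_body(template: str, context: Dict[str, Any], bucket: Dict[str, Any]) -> str:
    """Substitute tokens into a JSON request body and prove the result still parses.

    Values are spliced in as raw text, so a comment containing a quote or a
    backslash (an approver's $(cmnt), for instance) can break or reshape the
    JSON. Rejecting the body here beats sending a malformed or altered request.
    """
    body = substitute(template, context, bucket)
    try:
        json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"rendered body is not valid JSON: {exc}") from exc
    return body


# Constructed sample data: a request context and a data bucket holding a
# GET /Agents style list under MyResponse and a single object under Single.
SAMPLE_CONTEXT = {
    "certid": "12345",
    "cmnt": "Key compromised",
    "requester": "KEYEXAMPLE\\jsmith",
    "metadata": {"AppOwnerEmailAddress": "jsmith@keyexample.com"},
}
SAMPLE_BUCKET = {
    "MyResponse": [{"ClientMachine": "websrvr01", "AgentId": "a1"},
                   {"ClientMachine": "websrvr02", "AgentId": "a2"}],
    "Single": {"ClientMachine": "dbsrvr07"},
}
# The page's PUT /Certificates/Metadata body, collapsed onto one line.
REQUEST_BODY = '{"Id": "$(certid)", "Metadata": {"RevocationComment": "$(cmnt)"}}'

if __name__ == "__main__":
    print(substitute("First agent: $(MyResponse.[0].ClientMachine)", SAMPLE_CONTEXT, SAMPLE_BUCKET))
    print(render_json_body(REQUEST_BODY, SAMPLE_CONTEXT, SAMPLE_BUCKET))
```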
                                                                                                
Table 921: RequireApproval

| Approval Email Message | A string indicating the email message that will be delivered if the request is approved. The email message is made up of regular text and tokens. If desired, you can format the message body using HTML. See Table 22: Tokens for Workflow Definitions for a complete list of available tokens.
Tip: For best results when using HTML to format an email sent from Keyfactor Command, use inline styles and do not rely on linked stylesheets or embedded <style> rules. For example:
Recommended: <p style="font-size:14px; color:#333; margin:0 0 12px;">Hello</p>
Not Recommended: <link rel="stylesheet" href="https://cdn..."> or <style>p { color:#333; }</style>
|
| Approval Email Recipients | An array of strings containing the recipients for the alert. Each alert can have multiple recipients. You can use specific email addresses and/or substitutable special text to replace an email address variable with actual email addresses at processing time. When entering email addresses on the Recipients parameter, if more than one recipient is added to a string, all recipients in that string receive the same email and can see the other recipients on the email. To do this, enter email addresses separated by commas or semicolons within the string. To include multiple strings, separate each string by a comma within the array. For example:

"Recipients": [
 "{certemail}",
 "pkiadmins@keyexample.com,bbrown@keyexample.com"
]

Available email substitutable special text strings include your custom email-based metadata field, which would be specified similarly to: {metadata:AppOwnerEmailAddress} |
| Approval Email Subject | A string indicating the subject line for the email message that will be delivered if the request is approved. |
| Denial Email Message | A string indicating the email message that will be delivered if the request is denied. The email message is made up of regular text and tokens. If desired, you can format the message body using HTML. See Table 22: Tokens for Workflow Definitions for a complete list of available tokens.
Tip: For best results when using HTML to format an email sent from Keyfactor Command, use inline styles and do not rely on linked stylesheets or embedded <style> rules. For example:
Recommended: <p style="font-size:14px; color:#333; margin:0 0 12px;">Hello</p>
Not Recommended: <link rel="stylesheet" href="https://cdn..."> or <style>p { color:#333; }</style>
|
| Denial Email Recipients | An array of strings containing the recipients for the alert. Each alert can have multiple recipients. You can use specific email addresses and/or substitutable special text to replace an email address variable with actual email addresses at processing time. When entering email addresses on the Recipients parameter, if more than one recipient is added to a string, all recipients in that string receive the same email and can see the other recipients on the email. To do this, enter email addresses separated by commas or semicolons within the string. To include multiple strings, separate each string by a comma within the array. For example:

"Recipients": [
 "{certemail}",
 "pkiadmins@keyexample.com,bbrown@keyexample.com"
]

Available email substitutable special text strings include your custom email-based metadata field, which would be specified similarly to: {metadata:AppOwnerEmailAddress} |
| Denial Email Subject | A string indicating the subject line for the email message that will be delivered if the request is denied. |
| Minimum Approvals | An integer indicating the minimum number of users who must approve the request to allow the request to complete. |
Tip: Tokens (a.k.a. substitutable special text) may be used in the subject line, message and email recipient fields. Tokens use a variable in the workflow definition that is replaced by data from the certificate request, certificate, or certificate metadata at processing time. For example, you can select $(requester) in the workflow definition for an enrollment request and the email message will contain the specific certificate requester name instead of the variable $(requester).
                                                                                                
                                                                                                 Table 922: RestRequest 
                                                                                                    
                                                                                                    
                                                                                                    
                                                                                                        
                                                                                                    
                                                                                                    
                                                                                                        
| Basic Password | An object indicating the password information to use for authentication if UseBasicAuth is True. Supported methods to store secret information are:
    Keyfactor: Store the secret information in the Keyfactor secrets table. A Keyfactor secret is a user-defined username or password that is encrypted and stored securely in the Keyfactor Command database.
    PAM Provider: Load the secret information from a PAM provider. See Privileged Access Management (PAM) for more information.
    | Secret Value | A string containing the secret. This parameter is used when PAM is not used as the storage location. |
    | Parameters | An object indicating the parameters to supply for PAM authentication. These will vary depending on the PAM provider. |
    | Provider | An integer indicating the ID of the PAM provider. Use the GET /PamProviders method (see GET PAM Providers) to retrieve a list of all the PAM providers to determine the ID. |
  For example, a password stored as a Keyfactor secret will look like:
    {"SecretValue": "AbCdEfGhIjKlMnOpQrStUvWxYz1234567890"}
  A secret stored as a CyberArk PAM secret will look like (where the Provider value—1 in this example—is the Id value from GET PAM Providers and the Safe, Folder, and Object reference the information in the CyberArk safe needed for this record):
    {"Provider": "1",
     "Parameters": {
       "Safe": "MySafeName",
       "Folder": "MyFolderName",
       "Object": "MyObjectName"
     }
    }
  A secret stored as a Delinea PAM secret will look like (where the Provider value—2 in this example—is the Id value from GET PAM Providers and the SecretId and SecretFieldName contain the information created in the Delinea secret server for this purpose):
    {"Provider": "2",
     "Parameters": {
       "SecretId": "MyId",
       "SecretFieldName": "MyReferenceName"
     }
    }
  Due to its sensitive nature, this value is not returned in responses. |
| Basic Username | An object indicating the username information to use for authentication if UseBasicAuth is True. Supported methods to store secret information are:
    Keyfactor: Store the secret information in the Keyfactor secrets table. A Keyfactor secret is a user-defined username or password that is encrypted and stored securely in the Keyfactor Command database.
    PAM Provider: Load the secret information from a PAM provider. See Privileged Access Management (PAM) for more information.
    | Secret Value | A string containing the secret. This parameter is used when PAM is not used as the storage location. |
    | Parameters | An object indicating the parameters to supply for PAM authentication. These will vary depending on the PAM provider. |
    | Provider | An integer indicating the ID of the PAM provider. Use the GET /PamProviders method (see GET PAM Providers) to retrieve a list of all the PAM providers to determine the ID. |
  For example, a username stored as a Keyfactor secret will look like:
    {"SecretValue": "KEYEXAMPLE\\API-User"}
  A secret stored as a CyberArk PAM secret will look like (where the Provider value—1 in this example—is the Id value from GET PAM Providers and the Safe, Folder, and Object reference the information in the CyberArk safe needed for this record):
    {"Provider": "1",
     "Parameters": {
       "Safe": "MySafeName",
       "Folder": "MyFolderName",
       "Object": "MyObjectName"
     }
    }
  A secret stored as a Delinea PAM secret will look like (where the Provider value—2 in this example—is the Id value from GET PAM Providers and the SecretId and SecretFieldName contain the information created in the Delinea secret server for this purpose):
    {"Provider": "2",
     "Parameters": {
       "SecretId": "MyId",
       "SecretFieldName": "MyReferenceName"
     }
    }
  Due to its sensitive nature, this value is not returned in responses. |
| Content Type | A string indicating the content type for the request. Supported values are: |
| Data Bucket Property | A string containing the variable that the response from the request will be returned in, if any. You can then reference this parameter from subsequent steps in the workflow.
  Tip: The response is stored as a serialized JObject. If the function returns structured JSON (such as a list or an object), you can extract specific values using JSON path syntax. For example, imagine you returned the data from a GET /Agents request and stored the response in a variable named MyResponse. You could then reference the ClientMachine value for the first result like this:
    $(MyResponse.[0].ClientMachine)
  If you used GET /Agents/{id} instead to return a single object (rather than an array), omit the index. You would then use:
    $(MyResponse.ClientMachine) |
| Headers | An object containing the header information for the request. The key is the name of the specific request header (for Keyfactor API request headers, see Table 126: Common Request Headers and the specific documentation for each endpoint) and the value is the value that should be set for that header. For a Keyfactor API request, this might look like:
    "Headers": {
      "x-keyfactor-requested-with": ["APIClient"],
      "x-keyfactor-api-version": ["2"]
    }
  Tip: For a Keyfactor API request, version 1 is assumed if no version is specified. Content type and authorization headers do not need to be specified, since those are addressed elsewhere in the configuration. |
| Request Content | A string containing the body of the REST request, if needed. For a Keyfactor API request, this will vary depending on the request and might look like (for a PUT /Certificates/Metadata request):
    {"Id": "$(certid)",
     "Metadata": {
       "RevocationComment": "$(cmnt)"
     }
    }
  Note: This example assumes you have a metadata field called RevocationComment. |
| URL | A string containing the URL for the request, including tokens, if desired. For a Keyfactor API request, this might look like:
    https://keyfactor.keyexample.com/KeyfactorAPI/Certificates?pq.queryString=CN%20-contains%20%22appsrvr14%22%20AND%20CertStorePath%20-ne%20NULL
  Or, with tokens:
    https://keyfactor.keyexample.com/KeyfactorAPI/Certificates/$(certid)
  Note: To prevent REST requests from being made to inappropriate locations by malicious users, configure a system environment variable of KEYFACTOR_BLOCKED_OUTBOUND_IPS on your Keyfactor Command server pointing to the IP address or range of addresses in CIDR format that you wish to block. Both IPv4 and IPv6 addresses are supported. More than one address or range may be specified in a comma-delimited list. For example:
    192.168.12.0/24,192.168.14.22/24
  When a REST request is made where the URL is either configured to a blocked IP address or resolves via DNS to a blocked IP address, the REST request will fail. |
| Use Basic Auth | A Boolean indicating whether Basic authentication should be used for the request (True) or not (False). If UseBasicAuth is False, Windows authentication in the context of the Keyfactor Command application pool user will be used (see Grant Access and Create Service Accounts for Keyfactor Command). |
| Verb | A string indicating the HTTP verb for the type of request to perform. Supported values are:
    DELETE
    GET
    HEAD
    OPTIONS
    POST
    PUT
    TRACE |
Tip: Tokens (a.k.a. substitutable special text) may be used in the URL and request content fields. Tokens use a variable in the workflow definition that is replaced by data from the certificate request, certificate, or certificate metadata at processing time. For example, you can take the revocation comment entered when the revocation request is approved—$(cmnt)—and insert it into a custom metadata field in the certificate by doing a PUT /Certificates/Metadata request for the $(id).
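The outbound block list described in the URL note above, worked through as an added Python example. This is not code from Keyfactor Command or its documentation; it only illustrates the behaviour the note describes (a request fails when the URL names a blocked address or its host resolves to one). The sample block list, the resolver hook and all function names are constructed for the example, and how the product itself performs the lookup is not stated on this page.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample in the same comma-delimited format as KEYFACTOR_BLOCKED_OUTBOUND_IPS.
# The two IPv4 entries are the ones from the note above; the IPv6 range is added here
# to show that both address families are handled.
SAMPLE_BLOCKLIST = "192.168.12.0/24,192.168.14.22/24,fd00::/8"


def parse_blocklist(value):
    """Parse a comma-delimited list of IPv4/IPv6 addresses or CIDR ranges.

    A bare address becomes a single-host network. strict=False accepts entries
    whose host bits are set, so 192.168.14.22/24 is read as 192.168.14.0/24
    (assumption: that is how the example value in the note is meant).
    """
    networks = []
    for item in value.split(","):
        item = item.strip()
        if item:
            networks.append(ipaddress.ip_network(item, strict=False))
    return networks


def is_blocked_address(addr, networks):
    """True if the address falls inside any blocked network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def dns_resolver(host):
    """Real lookup: every A/AAAA answer for the host, as address strings."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_outbound_url(url, networks, resolver=dns_resolver):
    """Decide whether a REST step URL may be called.

    Returns (allowed, reason). The URL is rejected when its host is a literal
    address inside a blocked range, or when the host name resolves to one.
    Every resolved address is checked, not only the first answer, because a
    name may resolve to several addresses and any blocked one must fail.
    """
    host = urlsplit(url).hostname
    if not host:
        return False, "URL has no host"
    try:
        addresses = [str(ipaddress.ip_address(host))]   # literal IP in the URL
    except ValueError:
        try:
            addresses = resolver(host)                    # host name: resolve it
        except OSError as exc:
            return False, f"{host} could not be resolved: {exc}"
    for addr in addresses:
        if is_blocked_address(addr, networks):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    nets = parse_blocklist(SAMPLE_BLOCKLIST)
    for candidate in ("https://192.168.12.45/KeyfactorAPI/Certificates",
                      "https://[fd00::1]/KeyfactorAPI"):
        print(candidate, check_outbound_url(candidate, nets))
```

The resolver is injectable so the check can be exercised offline; in the sample run the literal addresses are rejected without any DNS traffic. Note that a check done at configuration time does not cover a name whose DNS answer changes later, which is why the note describes the check as happening when the request is made.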
Table 923: UpdateMetadata
| Name | A string indicating the name of the metadata field you wish to populate with the workflow step. |
| Value | A string containing either a static value to populate into the field during the workflow step or a token to populate the metadata field with a variable value at workflow runtime. Important: The value updated to the metadata field replaces any existing value in the field. |
Tip: Tokens (a.k.a. substitutable special text) may be used in the metadata value field. Tokens use a variable in the workflow definition that is replaced by data from the certificate request, certificate, or certificate metadata at processing time. For example, you can take the approval comment entered when an enrollment or revocation request is approved—$(cmnt)—and place it in a metadata field for future reference. |
| Signals | An array of objects containing data used at the point in the workflow step where the workflow needs to continue based on user input. These will vary depending on the type of workflow and the type of step (see ExtensionName). For the RequireApproval step the signal details are:
    | RoleIds | An array of integers indicating the security roles whose members are allowed to approve the request. |
    | Signal Name | A string indicating the name of the signal. This value will vary depending on the workflow step. For the built-in Require Approval step, the SignalName is ApprovalStatus. |
  Important: If all the security roles configured for a workflow step are deleted from Keyfactor Command, no users will be able to submit signals for workflow instances initiated with that workflow definition. To remedy this, update the workflow definition with one or more current security roles, re-publish it, and then restart any outstanding workflow instances. |
| Conditions | An object containing conditions indicating whether the step should run (true) or not (false). Conditions may either have a static value of True or False or a token that will have a value of True or False at the time the step is run. More than one condition may be added. If multiple conditions are used in the same step, all of them must have a value of True when the step is evaluated in order for the step to run; if any single condition evaluates to False, the step will not run.
    | Id | A string indicating the Keyfactor Command reference GUID of the condition. |
    | Value | A string indicating the value of the condition. This should be one of true, false, or a token that will be set to either true or false in an earlier step in the workflow (see Adding, Copying or Modifying a Workflow Definition for an example). | |
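Token substitution and condition evaluation, as one added Python example covering the Data Bucket Property tip, the token tip for the URL and request content fields, and the Conditions rule above (all conditions must render to true). This is not Keyfactor Command's own implementation; it reproduces the documented token syntax, `$(name)` and `$(MyResponse.[0].ClientMachine)`, against a constructed data bucket. The bucket contents, the `json_body` escaping option and the error behaviour for unknown tokens are assumptions made for the example.

```python
import json
import re

# Constructed data bucket for one workflow instance. certid and cmnt are the tokens used
# in the examples above; MyResponse stands for a stored GET /Agents result (a list) and
# MySingle for a stored GET /Agents/{id} result (a single object).
SAMPLE_BUCKET = {
    "certid": "1042",
    "cmnt": 'Approved by PKI team ("change 77")',
    "MyResponse": [{"ClientMachine": "appsrvr14.keyexample.com"},
                   {"ClientMachine": "appsrvr15.keyexample.com"}],
    "MySingle": {"ClientMachine": "appsrvr16.keyexample.com"},
    "IsProduction": "True",
}

# A token is $( ... ) with no nested parentheses; the inside is a dotted path.
TOKEN_RE = re.compile(r"\$\(([^()]+)\)")


def lookup_path(bucket, path):
    """Walk a token path such as MyResponse.[0].ClientMachine through the bucket.

    Segments are separated by dots; a segment written as [n] indexes a list.
    Unknown names or out-of-range indexes raise KeyError (assumption: the real
    service may substitute differently).
    """
    current = bucket
    for segment in path.split("."):
        try:
            if segment.startswith("[") and segment.endswith("]"):
                current = current[int(segment[1:-1])]
            else:
                current = current[segment]
        except (KeyError, IndexError, TypeError, ValueError):
            raise KeyError(f"unknown token path: {path}") from None
    return current


def substitute_tokens(text, bucket, json_body=False):
    """Replace every $(path) in text with the bucket value at that path.

    Non-string values (objects, lists) are serialized as JSON. With
    json_body=True each value is escaped for use inside a JSON string literal,
    so a comment containing quotes cannot break or alter the request body.
    """
    def render(match):
        value = lookup_path(bucket, match.group(1))
        if not isinstance(value, str):
            value = json.dumps(value)
        if json_body:
            value = json.dumps(value)[1:-1]   # escape, then drop the outer quotes
        return value
    return TOKEN_RE.sub(render, text)


def render_request_content(template, bucket):
    """Render a JSON request body template and return it parsed, to prove it is valid JSON."""
    return json.loads(substitute_tokens(template, bucket, json_body=True))


def evaluate_conditions(conditions, bucket):
    """A step runs only if every condition's Value renders to true (case-insensitive)."""
    return all(
        substitute_tokens(cond["Value"], bucket).strip().lower() == "true"
        for cond in conditions
    )


if __name__ == "__main__":
    print(substitute_tokens("https://keyfactor.keyexample.com/KeyfactorAPI/Certificates/$(certid)", SAMPLE_BUCKET))
    print(substitute_tokens("$(MyResponse.[0].ClientMachine)", SAMPLE_BUCKET))
    print(render_request_content('{"Id": "$(certid)", "Metadata": {"RevocationComment": "$(cmnt)"}}', SAMPLE_BUCKET))
    print(evaluate_conditions([{"Value": "true"}, {"Value": "$(IsProduction)"}], SAMPLE_BUCKET))
```

The `json_body` option is the practitioner's caveat here: a token such as `$(cmnt)` carries user-entered text, and substituting it verbatim into a JSON body lets a stray quote produce an invalid or differently shaped request. Escaping at substitution time keeps the PUT /Certificates/Metadata body well-formed whatever the approver typed.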
| Outputs | An object indicating the next step in the workflow.
    | continue | A string indicating the UniqueName of the next workflow step in the chain. This value will be null for the final step in the chain. | | |