Keyfactor ACME API
The Keyfactor ACME API provides a comprehensive set of administrative and configuration endpoints that allow you to manage user accounts, claims-based access control, application settings, ACME identifiers, and external account bindings (EABs). These endpoints support both day-to-day operations, such as account revocation and claim creation, and lifecycle tasks like identifier definition and EAB key rotation. Use these APIs to automate Keyfactor ACME server configuration and ensure consistent, policy-aligned management of clients and access.
Table 16: Keyfactor ACME API Endpoints
Endpoint | Method | Description | Link |
---|---|---|---|
/Admin/Accounts/List | GET | Returns all accounts registered with the Keyfactor ACME server. | GET Admin Accounts List |
/Admin/Accounts/Revoke | POST | Revokes an account that has been registered from an ACME client. | POST Admin Accounts Revoke |
/AppSettings/{id} | PUT | Updates the application setting with the specified ID. | PUT AppSettings ID |
/AppSettings | GET | Returns a list of all the application settings configured in Keyfactor ACME. | GET AppSettings |
/Claims | GET | Returns a list of all the claims configured in Keyfactor ACME. | GET Claims |
/Claims | POST | Creates a new claim for an entity (user or group). | POST Claims |
/Claims/{id} | DELETE | Deletes the claim with the specified ID. | DELETE Claims ID |
/Claims/{id} | GET | Returns the claim with the specified ID. | GET Claims ID |
/Claims/{id} | PUT | Updates the claim with the specified ID. | PUT Claims ID |
/Claims/AvailableRoles | GET | Returns a list of the possible user roles for Keyfactor ACME. | GET Claims Available Roles |
/Identifiers | GET | Returns a list of all the identifiers defined in Keyfactor ACME. | GET Identifiers |
/Identifiers | POST | Creates new identifiers of type FQDN, RegEx, subnet, or wildcard. | POST Identifiers |
/Identifiers/{id} | DELETE | Deletes the identifier with the specified ID. | DELETE Identifiers ID |
/Identifiers/Types | GET | Returns a list of all the supported types of identifiers. | GET Identifiers Types |
/KeyManagement | GET | Returns the external account binding (EAB) key for the user and generates a new EAB key for authorized users without a pre-existing key. | GET KeyManagement |
/KeyManagement | POST | Renews the user’s external account binding (EAB) key. | POST KeyManagement |
/Revoke | POST | Revokes the specified certificate. | POST Revoke |
/Status | GET | Check whether a connection can be made to the Keyfactor ACME database. | GET Status |
Endpoint Common Features
By default, all Keyfactor ACME API methods start with a base path, which corresponds to an application under the web server; this path is configurable at install time. The default base path is ACME. The API component name and method name then comprise the parts of the URL, each separated by a forward slash. For example, /ACME/KeyManagement would be the URL format for the key management methods.
The Keyfactor ACME API uses the following common request headers:
- Content-Type: application/json
- Authorization: Bearer <your OAuth token>
HTTP Statuses
The following HTTP Statuses may be returned by Keyfactor ACME API requests:
- 200 OK: Request successful; results, if applicable, in response body.
- 204 No Content: Request successful; results in no response.
- 400 Bad Request: Malformed or invalid data; additional information may be available in the response body and/or Keyfactor ACME server logs.
- 401 Unauthorized: Invalid credentials (user unauthenticated).
- 403 Forbidden: Can often indicate that the user does not have the appropriate permissions for this action in Keyfactor ACME (user unauthorized).
- 404 Page not Found: Invalid request path.
- 405 Method Not Allowed: Invalid request; check the requested method (POST vs GET), the authentication credentials, and the endpoint path.
- 500 Internal Server Error: Keyfactor ACME encountered an unexpected error attempting to handle the request. See response body and Keyfactor ACME server logs for details.
- 502 Bad Gateway: Keyfactor ACME attempted to contact Keyfactor Command or other upstream server to process the request, but was unable to. See Keyfactor ACME server logs for details.
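The following Python sketch is an added example, not Keyfactor code. It builds request URLs from the base path, attaches the two common headers, and maps each status listed above to a next step for the operator. The host name `acme.example.com`, the action labels, the HTTPS-only check, and the log redaction helper are assumptions made for this example.

```python
import json
import urllib.error
import urllib.request

SERVER = "https://acme.example.com"   # assumed host name, not from this page
BASE_PATH = "ACME"                    # default base path named on this page

# Next step per status, following the HTTP Statuses list on this page.
# The label strings are this example's own, not values the API returns.
ACTIONS = {
    200: "ok", 204: "ok-no-content", 400: "fix-request-data",
    401: "check-token", 403: "check-claims-and-roles", 404: "check-path",
    405: "check-method-credentials-path", 500: "check-acme-logs",
    502: "check-upstream-command",
}

def build_url(endpoint, server=SERVER, base_path=BASE_PATH):
    """Join server, base path and an endpoint path from Table 16."""
    if not server.lower().startswith("https://"):
        raise ValueError("bearer tokens must only be sent over HTTPS")
    return "/".join([server.rstrip("/"), base_path.strip("/"), endpoint.strip("/")])

def build_request(http_method, endpoint, token, body=None, server=SERVER):
    """Prepare a request carrying the two common headers."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(build_url(endpoint, server), data=data,
                                 method=http_method)
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", "Bearer " + token)
    return req

def classify(status):
    """Map an HTTP status to the operator action defined in ACTIONS."""
    return ACTIONS.get(status, "unexpected-status")

def loggable_headers(req):
    """Header view that is safe for logs: the bearer token is never written out."""
    return {k: ("Bearer <redacted>" if k.lower() == "authorization" else v)
            for k, v in req.header_items()}

def send(req, timeout=10):
    """Send req and return (status, action, body text)."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:   # urllib raises on 4xx/5xx
        status, raw = err.code, err.read()
    return status, classify(status), raw.decode("utf-8", errors="replace")
```

Separating `check-token` (401) from `check-claims-and-roles` (403) keeps automation from retrying with a fresh token when the real cause is a missing claim.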