Keyfactor ACME API

The Keyfactor ACME API provides a comprehensive set of administrative and configuration endpoints that allow you to manage user accounts, claims-based access control, application settings, ACME identifiers, and external account bindings (EABs). These endpoints support both day-to-day operations—such as account revocation and claim creation—and lifecycle tasks like identifier definition and EAB key rotation. Use these APIs to automate Keyfactor ACME server configuration and ensure consistent, policy-aligned management of clients and access.

Table 16: Keyfactor ACME API Endpoints

| Endpoint | Method | Description | Link |
|---|---|---|---|
| /Admin/Accounts/List | GET | Returns all accounts registered with the Keyfactor ACME server. | GET Admin Accounts List |
| /Admin/Accounts/Revoke | POST | Revokes an account that has been registered from an ACME client. | POST Admin Accounts Revoke |
| /AppSettings/{id} | PUT | Updates the application setting with the specified ID. | PUT AppSettings ID |
| /AppSettings | GET | Returns a list of all the application settings configured in Keyfactor ACME. | GET AppSettings |
| /Claims | GET | Returns a list of all the claims configured in Keyfactor ACME. | GET Claims |
| /Claims | POST | Creates a new claim for an entity (user or group). | POST Claims |
| /Claims/{id} | DELETE | Deletes the claim with the specified ID. | DELETE Claims ID |
| /Claims/{id} | GET | Returns the claim with the specified ID. | GET Claims ID |
| /Claims/{id} | PUT | Updates the claim with the specified ID. | PUT Claims ID |
| /Claims/AvailableRoles | GET | Returns a list of the possible user roles for Keyfactor ACME. | GET Claims Available Roles |
| /Identifiers | GET | Returns a list of all the identifiers defined in Keyfactor ACME. | GET Identifiers |
| /Identifiers | POST | Creates new identifiers of type FQDN, RegEx, subnet, or wildcard. | POST Identifiers |
| /Identifiers/{id} | DELETE | Deletes the identifier with the specified ID. | DELETE Identifiers ID |
| /Identifiers/Types | GET | Returns a list of all the supported types of identifiers. | GET Identifiers Types |
| /KeyManagement | GET | Returns the external account binding (EAB) key for the user and generates a new EAB key for authorized users without a pre-existing key. | GET KeyManagement |
| /KeyManagement | POST | Renews the user’s external account binding (EAB) key. | POST KeyManagement |
| /Revoke | POST | Revokes the specified certificate. | POST Revoke |
| /Status | GET | Checks whether a connection can be made to the Keyfactor ACME database. | GET Status |

Endpoint Common Features

By default, all Keyfactor ACME API methods start with a base path, which corresponds to an application under the web server; this path is configurable at install time. The default base path is ACME. The API component name and method name then comprise the parts of the URL, each separated by a forward slash. For example, /ACME/KeyManagement would be the URL format for the key management methods.

The Keyfactor ACME API uses the following common request headers:

  • Content-Type: application/json

  • Authorization: Bearer <your OAuth token>

HTTP Statuses

The following HTTP Statuses may be returned by Keyfactor ACME API requests:

  • 200 OK: Request successful; results, if applicable, in response body.

  • 204 No Content: Request successful; results in no response.

  • 400 Bad Request: Malformed or invalid data; additional information may be available in the response body and/or Keyfactor ACME server logs.

  • 401 Unauthorized: Invalid credentials (user unauthenticated).

  • 403 Forbidden: Can often indicate that the user does not have the appropriate permissions for this action in Keyfactor ACME (user unauthorized).

  • 404 Page not Found: Invalid request path.

  • 405 Method Not Allowed: Invalid request; check the requested method (POST vs GET), the authentication credentials, and the endpoint path.

  • 500 Internal Server Error: Keyfactor ACME encountered an unexpected error attempting to handle the request. See response body and Keyfactor ACME server logs for details.

  • 502 Bad Gateway: Keyfactor ACME attempted to contact Keyfactor Command or other upstream server to process the request, but was unable to. See Keyfactor ACME server logs for details.
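
The URL layout, common headers and status codes described above can be combined into a small request builder for automation scripts. This is an added example, not Keyfactor code: the function names, the `allow_write` guard and the action labels returned by `triage` are assumptions made here, and the host name used with it is a constructed placeholder. It only builds the request and sends nothing.

```python
import json
from urllib.parse import quote
from urllib.request import Request

# (method, path template) pairs copied from Table 16 on this page.
ENDPOINTS = {
    ("GET", "/Admin/Accounts/List"), ("POST", "/Admin/Accounts/Revoke"),
    ("GET", "/AppSettings"), ("PUT", "/AppSettings/{id}"),
    ("GET", "/Claims"), ("POST", "/Claims"), ("GET", "/Claims/{id}"),
    ("PUT", "/Claims/{id}"), ("DELETE", "/Claims/{id}"),
    ("GET", "/Claims/AvailableRoles"), ("GET", "/Identifiers"),
    ("POST", "/Identifiers"), ("DELETE", "/Identifiers/{id}"),
    ("GET", "/Identifiers/Types"), ("GET", "/KeyManagement"),
    ("POST", "/KeyManagement"), ("POST", "/Revoke"), ("GET", "/Status"),
}

def build_request(host, method, path, token, *, base_path="ACME",
                  item_id=None, body=None, allow_write=False):
    """Return an unsent urllib Request for one documented endpoint."""
    method = method.upper()
    if (method, path) not in ENDPOINTS:
        raise ValueError(f"{method} {path} is not in the endpoint table")
    # The table says GET /KeyManagement can generate an EAB key, so it is
    # treated as a write even though it is a GET.
    read_only = method == "GET" and path != "/KeyManagement"
    if not read_only and not allow_write:
        raise PermissionError(f"{method} {path} needs allow_write=True")
    if "{id}" in path:
        if item_id is None:
            raise ValueError(f"{path} needs item_id")
        # Encode every reserved character so the ID stays one path segment.
        path = path.replace("{id}", quote(str(item_id), safe=""))
    url = f"https://{host}/{base_path.strip('/')}{path}"
    data = None if body is None else json.dumps(body).encode()
    # The token travels only in the Authorization header, never in the URL.
    return Request(url, data=data, method=method, headers={
        "Content-Type": "application/json",
        "Authorization": f"Bearer {token}"})

def triage(status):
    """Map a status code from the list on this page to an operator action."""
    actions = {200: "ok", 204: "ok", 400: "fix-request", 404: "fix-request",
               405: "fix-request", 401: "reauthenticate",
               403: "check-permissions", 500: "check-server-logs",
               502: "check-server-logs"}
    return actions.get(status, "unexpected")
```

A read-only audit job can call `build_request` with the default `allow_write=False` and pass the result to `urllib.request.urlopen`, so a typo in a script cannot turn into a revocation or key renewal.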