{ "openapi": "3.0.1", "info": { "title": "Tracebit API", "description": "API for interacting with the Tracebit platform.", "version": "v1" }, "servers": [ { "url": "https://community.tracebit.com", "description": "Tracebit Community Edition server" } ], "paths": { "/api/v1/credentials/issue-credentials": { "post": { "tags": [ "Canary Credentials" ], "summary": "Issue credentials", "description": "Issue canary credentials of the requested types. The credentials should be confirmed via the /confirm-credentials endpoint after their appropriate deployment.\n\nRequired permission: `canary-credentials:all:create`.", "operationId": "IssueCredentials", "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/IssueCredentialsRequest" } } }, "required": true }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/IssueCredentialsResponse" } } } }, "400": { "description": "Bad Request", "content": { "text/plain": { "schema": { "type": "string" } } } } }, "security": [ { "TracebitApiToken": [ ] } ] } }, "/api/v1/credentials/confirm-credentials": { "post": { "tags": [ "Canary Credentials" ], "summary": "Confirm credentials deployment", "description": "Confirm the successful deployment of canary credentials. Should be called with the confirmationId of the credentials issued via the /issue-credentials endpoint.\n\nRequired permission: `canary-credentials:all:create`.", "operationId": "ConfirmCredentials", "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ConfirmCredentialsRequest" } } }, "required": true }, "responses": { "204": { "description": "No Content" }, "404": { "description": "Not Found" } }, "security": [ { "TracebitApiToken": [ ] } ] } } }, "components": { "schemas": { "AwsCanaryCredentials": { "required": [ "awsConfirmationId", "awsAccessKeyId", "awsExpiration", "awsSecretAccessKey", "awsSessionToken" ], "type": "object", "properties": { "awsConfirmationId": { "type": "string", "description": "The ID to use for confirming these credentials' deployment", "format": "uuid" }, "awsAccessKeyId": { "type": "string", "description": "The AWS access key ID" }, "awsExpiration": { "type": "string", "description": "The date when these credentials will expire", "format": "date-time" }, "awsSecretAccessKey": { "type": "string", "description": "The AWS secret access key" }, "awsSessionToken": { "type": "string", "description": "The AWS session token" } }, "nullable": true }, "ConfirmCredentialsRequest": { "required": [ "id" ], "type": "object", "properties": { "id": { "type": "string", "description": "The confirmation ID for the deployed credentials", "format": "uuid" } } }, "DecoyTokenLabel": { "required": [ "name", "value" ], "type": "object", "properties": { "name": { "type": "string" }, "value": { "type": "string" } } }, "IssueCredentialsRequest": { "required": [ "name", "source", "sourceType" ], "type": "object", "properties": { "name": { "type": "string", "description": "A name to identify the credentials" }, "types": { "type": "array", "items": { "type": "string" }, "description": "The credential types to issue. Valid values are 'aws', 'ssh', 'gitlab-cookie', 'gitlab-username-password'", "nullable": true }, "source": { "type": "string", "description": "The value for the 'source' label, representing the system used to deploy the credentials, for example 'custom' or 'script'" }, "sourceType": { "type": "string", "description": "The value for the 'source_type' label, representing the type of system in which the credentials will be deployed, for example 'endpoint', 'container', 'ci/cd'" }, "labels": { "type": "array", "items": { "$ref": "#/components/schemas/DecoyTokenLabel" }, "description": "Additional label names and values for the credentials, typically metadata about how and where the credential is being deployed" } }, "example": { "name": "home-canary", "types": [ "aws", "ssh" ], "source": "custom", "sourceType": "endpoint", "labels": [ { "name": "machine", "value": "home" } ] } }, "IssueCredentialsResponse": { "type": "object", "properties": { "aws": { "$ref": "#/components/schemas/AwsCanaryCredentials" }, "ssh": { "$ref": "#/components/schemas/SshCanaryCredentials" }, "http": { "type": "object", "anyOf": [ { "title": "gitlab-cookie", "required": [ "gitlab-cookie" ], "type": "object", "properties": { "gitlab-cookie": { "required": [ "confirmationId", "browserDeploymentId", "hostNames", "expiresAt", "credentials" ], "type": "object", "properties": { "confirmationId": { "type": "string", "description": "The ID to use for confirming these credentials' deployment", "format": "uuid" }, "browserDeploymentId": { "type": "string", "description": "The ID of the browser deployment", "format": "uuid" }, "hostNames": { "type": "array", "items": { "type": "string" }, "description": "The hostnames for which these credentials are valid" }, "expiresAt": { "type": "string", "description": "The date when these credentials will expire", "format": "date-time", "nullable": true }, "credentials": { "description": "The HTTP canary credentials" } } } } }, { "title": "gitlab-username-password", "required": [ "gitlab-username-password" ], "type": "object", "properties": { "gitlab-username-password": { "required": [ "confirmationId", "browserDeploymentId", "hostNames", "expiresAt", "credentials" ], "type": "object", "properties": { "confirmationId": { "type": "string", "description": "The ID to use for confirming these credentials' deployment", "format": "uuid" }, "browserDeploymentId": { "type": "string", "description": "The ID of the browser deployment", "format": "uuid" }, "hostNames": { "type": "array", "items": { "type": "string" }, "description": "The hostnames for which these credentials are valid" }, "expiresAt": { "type": "string", "description": "The date when these credentials will expire", "format": "date-time", "nullable": true }, "credentials": { "description": "The HTTP canary credentials" } } } } } ], "description": "An object containing the Http canary credentials where the key is the type of Http credential and the value is the HttpCanaryCredentials object. The schema of the 'credentials' value depends on the type of Http credential." } } }, "SshCanaryCredentials": { "required": [ "sshConfirmationId", "sshIp", "sshPrivateKey", "sshPublicKey", "sshExpiration" ], "type": "object", "properties": { "sshConfirmationId": { "type": "string", "description": "The ID to use for confirming these credentials' deployment", "format": "uuid" }, "sshIp": { "type": "string", "description": "The IP address of the SSH server" }, "sshPrivateKey": { "type": "string", "description": "Base64-encoded private key for connecting to the SSH server" }, "sshPublicKey": { "type": "string", "description": "Base64-encoded public key of the SSH server" }, "sshExpiration": { "type": "string", "description": "The date when these credentials will expire", "format": "date-time" } }, "nullable": true } }, "securitySchemes": { "TracebitApiToken": { "type": "http", "scheme": "bearer" } } }, "tags": [ { "name": "Canary Credentials" } ] }