API Clients
An API client is an external software component that interacts with MTG Certificate Lifecycle Manager Server via its programmatic interface. Because it resembles an RA Operator, it can perform actions such as creating an End-entity and issuing or revoking a Certificate. However, it holds no user credentials for accessing the MTG Certificate Lifecycle Manager Server UI.
One example of such an API client is the connection between MTG Certificate Lifecycle Manager Server and other MTG products such as the MTG ACME server. In this scenario, the MTG ACME server takes the role of an API client and can issue and revoke certificates according to the ACME protocol.
API Clients are not directly bound to realms and can exist independently. Nevertheless, an RA Operator with access to a realm must assign that realm to an API client before the API client can act within it. API clients are mapped to Keycloak clients; as a result, all administration operations for API clients can also be performed through the Keycloak administration console. More details about Keycloak client administration can be found here.
View API Clients
Available API clients can be viewed in the Administration / API Clients / Show page, or via the Keycloak administration console.
The available API clients can also be searched, either by the exact API client ID or by a substring of the client's ID or name.
Create API Client
In the Administration / API Clients / Create page, there is a top section that allows the creation of new API clients by choosing a name, the assigned realms and a default policy to be used with this API client (when no policy is provided in API calls).
An alternative way of creating an API client is via the Keycloak administration console. In the second step of the Create client procedure, Client Authentication must be activated and Service accounts roles from Authentication flow must be selected.
Clients created from the Keycloak administration console can be imported either manually, by triggering the Administration / API Clients / Sync button, or automatically while searching.
The API client secret acts as the API client's credentials and becomes visible after creation. Together with the API Client ID, it is required to use and authenticate the API client.
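The Keycloak settings the page names (Client Authentication on, Service accounts roles enabled) correspond to the OAuth 2.0 client credentials grant, which is how an API client turns its client ID and secret into an access token. The following is an added example, not code from MTG or from the product documentation: it builds the token request against Keycloak's standard token endpoint, reads the secret from the environment rather than from source, and inspects the returned token's claims. The Keycloak base URL, the realm name, the environment variable names and the client ID are assumptions; how the resulting token is presented to MTG Certificate Lifecycle Manager Server is not described on this page and is not shown here.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# Hypothetical deployment values; the page gives no hostnames or realm names.
KEYCLOAK_BASE_URL = os.environ.get("KEYCLOAK_BASE_URL", "https://keycloak.example.invalid")
KEYCLOAK_REALM = os.environ.get("KEYCLOAK_REALM", "clm")  # assumed realm name


def token_endpoint(base_url: str, realm: str) -> str:
    """Keycloak's OpenID Connect token endpoint for a realm."""
    base = base_url.rstrip("/")
    return f"{base}/realms/{urllib.parse.quote(realm, safe='')}/protocol/openid-connect/token"


def build_client_credentials_request(client_id: str, client_secret: str) -> dict:
    """Form body for the OAuth 2.0 client credentials grant (RFC 6749 section 4.4).

    This is the grant Keycloak enables for a client with 'Client authentication'
    on and 'Service accounts roles' selected, i.e. the setup the page describes.
    """
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }


def fetch_access_token(client_id: str, client_secret: str,
                       base_url: str = KEYCLOAK_BASE_URL,
                       realm: str = KEYCLOAK_REALM) -> str:
    """POST the grant to Keycloak and return the bearer access token (network call)."""
    body = urllib.parse.urlencode(
        build_client_credentials_request(client_id, client_secret)).encode()
    req = urllib.request.Request(
        token_endpoint(base_url, realm), data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


def decode_jwt_payload(token: str) -> dict:
    """Decode (without verifying) the payload of a compact JWT to inspect its claims.

    Signature verification is the resource server's job; the client only uses
    this to confirm the token was issued to the expected API client.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issued_to_client(claims: dict, client_id: str) -> bool:
    """True if the token's authorized party ('azp') is the expected API client ID."""
    return claims.get("azp") == client_id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unsigned_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline demonstration only.

    Real Keycloak tokens are signed; this helper exists so the claim inspection
    above can be exercised without a running Keycloak.
    """
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


if __name__ == "__main__":
    # Hypothetical variable names; the secret is never written into source or logs.
    cid = os.environ["CLM_CLIENT_ID"]
    secret = os.environ["CLM_CLIENT_SECRET"]
    token = fetch_access_token(cid, secret)
    claims = decode_jwt_payload(token)
    print("token issued to expected client:", issued_to_client(claims, cid))
```

Treat the client secret exactly like a service password: keep it out of source control and logs, and rotate it through the Keycloak administration console if it is exposed, since it alone (with the public client ID) grants the API client's RA Operator-like abilities in its assigned realms.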