Account Manager API

  3 minute read  

DigiCert® Account Manager API lets you automate user management, control access, manage credentials, and monitor activity for your DigiCert® account.

What you can do

  • Manage users: Create and manage administrators and service users.
  • Control access: Assign roles to grant permissions.
  • Manage credentials: Generate API tokens and client authentication certificates.
  • Monitor activity: Query audit logs to track changes and user actions.
  • View resources: Access account, organization, and locale information.

Authentication

MethodBest forHow it works
API key (default)CI/CD pipelines, backend servicesAdd the service user API token in the x-api-key request header.
Mutual TLS (mTLS)High-assurance, network-restricted, or key-rotation-averse environmentsPresent a client TLS certificate and call the clientauth. hostname.

Base URL and endpoints

DigiCert® provides both production and demo environments across four geographic regions. Each API call starts with a region-specific hostname (base URL), followed by a predictable versioned path.

EnvironmentPurpose
DemoSafe testing, proof-of-concepts
ProductionLive operations
SegmentDescriptionexamples
{hostname}DigiCert ONE hostnameone.digicert.com
demo.one.digicert.com
one.digicert.co.jp
{product}DigiCert ONE product-specific path segment/account (Account Manager)
api/v{n}API version; Account Manager uses v1/api/v1
{resource}Specific endpoint path/audit-log
/user
/user/{user_id}
/organization/{organization_id}

User types: Standard vs. service users

Make sure you understand the difference between a standard user (your primary user account) and service users.

Standard userService user
PurposeUI access via web browser and user administrationAPI integration and automation
AuthenticationUsername/password; API token; client authentication certificateAPI token; client authentication certificate
Can create API tokens?Yes, with inherited permissions (assumes exact roles as the user creating the token)No, service users are the token (roles are explicitly assigned at creation)
Can manage users?Yes, depending on assigned rolesYes, depending on assigned roles
Best forManual administration; one-off tasksCI/CD pipelines; integrations

Roles and permissions

Assigned roles determine a user’s permissions. Roles are manager-specific and provide a granular permission structure.

Use the /account/api/v1/role endpoint to see available roles for Account Manager:

curl -X GET https://demo.one.digicert.com/account/api/v1/role?application_code=account_manager \
  -H "x-api-key: USER_API_TOKEN" \
  -H "Content-Type: application/json" | jq '.'

Important considerations

  • Service users are the token. Service users cannot create additional API tokens. If lost, delete the service user and create a new one.
  • User deletion is permanent. Deleting a user immediately invalidates all their credentials. This cannot be reversed.
  • Assign roles, not permissions. When creating or updating users, assign roles (such as AM_ACCOUNT_ADMIN). Roles contain sets of permissions.

Common operations

MethodEndpointDescription
GET/account/api/v1/userList all users; use query parameters to view specific user types ?user_type=service
GET/account/api/v1/user/{user_id}Get details for the specified user
GET/account/api/v1/user/meGet details about the currently authenticated user
PUT/account/api/v1/user/{user_id}Update the specified user; add or remove assigned roles/accounts, change email address, friendly name
GET/account/api/v1/audit-logView audit logs; use query parameters to target dates or actions ?from=2024-01-01&action=CREATE
GET/account/api/v1/roleList all available roles; use query parameters to filter by manager ?application_code=account_manager
Tutorials

API reference

OpenAPI reference documentation for Account Manager