Manage credential lifecycle for document signers
Cancel, revoke, or reassign credentials as needs change.
6 minute read
Credential lifecycle management enables you to monitor, cancel, revoke, and reassign signing credentials through the API. These operations help you maintain control over your organization’s document signing infrastructure.
In this tutorial, you will:
- Get the status of a credential.
- Cancel a pending credential.
- Revoke an active or suspended credential.
- Replace a client administrator.
Before you begin
Before you begin, make sure you have:
A DigiCert ONE account with Document Trust Manager access.
A service user with API key authentication. For instructions, see Create a service user.
API token with the following permissions:
- Permission to create and update users
- Permission to create and manage credentials
- Permission to access the required DigiCert ONE accounts
The signer must have the
DSM_DOCUMENT_SIGNER role assigned.For Step 4 (Replace client administrator): OAuth credentials (
client_id and client_secret).The credential name and user ID for the credential you want to manage.
Endpoint overview
| Method | Path | Description |
|---|---|---|
| GET | /api/v2/credential/{name} | Get credential status |
| PUT | /api/v2/credential/{name}/cancel | Cancel a pending credential |
| PUT | /api/v1/credential/{name}/revoke | Revoke a credential |
| POST | /api/v1/user/{userId}/replace-client-admin | Replace a client administrator |
Credential status values
A credential progresses through the following statuses during its lifecycle:
| Status | Description |
|---|---|
ACTIVE | Credential is active and available for signing |
PENDING_ISSUANCE | Credential issuance is in progress |
DEACTIVATED | Credential was cancelled before issuance completed |
REVOKED | Credential was revoked after activation |
SUSPENDED | Credential is temporarily suspended |
Revocation reason codes
Use these reason codes when revoking a credential in Step 3:
| Reason | Description |
|---|---|
KEY_COMPROMISE | Private key was compromised |
AFFILIATION_CHANGED | Signer’s organizational affiliation changed |
SUPERSEDED | Credential was replaced by a new one |
CESSATION_OF_OPERATION | Credential is no longer needed |
Step 1: Get credential status
Before you cancel or revoke a credential, retrieve its current status to confirm which operations are available. Only credentials with PENDING_ISSUANCE status can be cancelled, and only ACTIVE or SUSPENDED credentials can be revoked.
Request:
curl -X GET "https://demo.one.digicert.com/documentmanager/api/v2/credential/CREDENTIAL_NAME?user_id=USER_ID" \
-H "x-api-key: SERVICE_USER_API_TOKEN" \
| jq '.'import requests
CREDENTIAL_NAME = "CREDENTIAL_NAME"
response = requests.get(
f"https://demo.one.digicert.com/documentmanager/api/v2/credential/{CREDENTIAL_NAME}",
headers={"x-api-key": "SERVICE_USER_API_TOKEN"},
params={"user_id": "USER_ID"}
)
print(f"Status: {response.status_code}")
if response.status_code != 204:
print(response.json())import java.net.http.*;
import java.net.URI;
HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create("https://demo.one.digicert.com/documentmanager/api/v2/credential/CREDENTIAL_NAME?user_id=USER_ID"))
.header("x-api-key", "SERVICE_USER_API_TOKEN")
.GET()
.build();
HttpResponse<String> response = client.send(request,
HttpResponse.BodyHandlers.ofString());
System.out.println("Status: " + response.statusCode());
System.out.println(response.body());using System.Net.Http;
using System.Text;
using System.Text.Json;
var client = new HttpClient();
client.DefaultRequestHeaders.Add("x-api-key", "SERVICE_USER_API_TOKEN");
var response = await client.GetAsync("https://demo.one.digicert.com/documentmanager/api/v2/credential/CREDENTIAL_NAME?user_id=USER_ID");
Console.WriteLine($"Status: {(int)response.StatusCode}");
Console.WriteLine(await response.Content.ReadAsStringAsync());Replace {name} with the credential name. The user_id query parameter is optional.
Successful response (201 OK):
{
"created_by": "CREATED_BY_VALUE",
"modified_on": "MODIFIED_ON_VALUE",
"modified_by": "MODIFIED_BY_VALUE",
"created_on": "CREATED_ON_VALUE",
"id": "69f3fea8-a13f-4359-aacd-d03ee3133671",
"name": "tets4",
"user_id": "a37322f1-5fd3-40d1-a1bc-a8640466a052",
"account_id": "d02b6af4-6497-4d12-9b28-ac0678dd3eef",
"profile_id": "01234567-89ab-cdef-0123-456789abcdef",
"first_credential": false,
"status": "ACTIVE",
"cc_order_id": "01234567-89ab-cdef-0123-456789abcdef"
}
From the response, note the status field. This determines which operations you can perform:
- If the status is
PENDING_ISSUANCE, you can cancel the credential (Step 2). - If the status is
ACTIVEorSUSPENDED, you can revoke the credential (Step 3).
Step 2: Cancel a credential
Cancel a credential when it is still in PENDING_ISSUANCE status. You might need to cancel a credential if it was created with incorrect organization data or incorrect signer information.
Request:
curl -X PUT "https://demo.one.digicert.com/documentmanager/api/v2/credential/CREDENTIAL_NAME/cancel?user_id=USER_ID" \
-H "x-api-key: SERVICE_USER_API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"notes": "cancellation notes"
}' \
| jq '.'import requests
CREDENTIAL_NAME = "CREDENTIAL_NAME"
response = requests.put(
f"https://demo.one.digicert.com/documentmanager/api/v2/credential/{CREDENTIAL_NAME}/cancel",
headers={"x-api-key": "SERVICE_USER_API_TOKEN", "Content-Type": "application/json"},
params={"user_id": "USER_ID"},
json={
"notes": "cancellation notes"
}
)
print(f"Status: {response.status_code}")
if response.status_code != 204:
print(response.json())import java.net.http.*;
import java.net.URI;
HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create("https://demo.one.digicert.com/documentmanager/api/v2/credential/CREDENTIAL_NAME/cancel?user_id=USER_ID"))
.header("x-api-key", "SERVICE_USER_API_TOKEN")
.header("Content-Type", "application/json")
.PUT(HttpRequest.BodyPublishers.ofString("{\"notes\": \"cancellation notes\"}"))
.build();
HttpResponse<String> response = client.send(request,
HttpResponse.BodyHandlers.ofString());
System.out.println("Status: " + response.statusCode());
System.out.println(response.body());using System.Net.Http;
using System.Text;
using System.Text.Json;
var client = new HttpClient();
client.DefaultRequestHeaders.Add("x-api-key", "SERVICE_USER_API_TOKEN");
var content = new StringContent(@"{
""notes"": ""cancellation notes""
}",
Encoding.UTF8, "application/json");
var response = await client.PutAsync("https://demo.one.digicert.com/documentmanager/api/v2/credential/CREDENTIAL_NAME/cancel?user_id=USER_ID", content);
Console.WriteLine($"Status: {(int)response.StatusCode}");
Console.WriteLine(await response.Content.ReadAsStringAsync());Replace {name} with the credential name. The user_id query parameter is optional.
Successful response (201 OK):
{
"id": "01234567-89ab-cdef-0123-456789abcdef"
}
The credential status changes to DEACTIVATED. You can verify this by repeating Step 1.
Step 3: Revoke a credential
Revoke a credential that has ACTIVE or SUSPENDED status. Revocation is permanent and cannot be undone.
Request:
curl -X PUT "https://demo.one.digicert.com/documentmanager/api/v1/credential/CREDENTIAL_NAME/revoke?user_id=USER_ID" \
-H "x-api-key: SERVICE_USER_API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"reason": "REASON_VALUE"
}' \
| jq '.'import requests
CREDENTIAL_NAME = "CREDENTIAL_NAME"
response = requests.put(
f"https://demo.one.digicert.com/documentmanager/api/v1/credential/{CREDENTIAL_NAME}/revoke",
headers={"x-api-key": "SERVICE_USER_API_TOKEN", "Content-Type": "application/json"},
params={"user_id": "USER_ID"},
json={
"reason": "REASON_VALUE"
}
)
print(f"Status: {response.status_code}")
if response.status_code != 204:
print(response.json())import java.net.http.*;
import java.net.URI;
HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create("https://demo.one.digicert.com/documentmanager/api/v1/credential/CREDENTIAL_NAME/revoke?user_id=USER_ID"))
.header("x-api-key", "SERVICE_USER_API_TOKEN")
.header("Content-Type", "application/json")
.PUT(HttpRequest.BodyPublishers.ofString("{\"reason\": \"REASON_VALUE\"}"))
.build();
HttpResponse<String> response = client.send(request,
HttpResponse.BodyHandlers.ofString());
System.out.println("Status: " + response.statusCode());
System.out.println(response.body());using System.Net.Http;
using System.Text;
using System.Text.Json;
var client = new HttpClient();
client.DefaultRequestHeaders.Add("x-api-key", "SERVICE_USER_API_TOKEN");
var content = new StringContent(@"{
""reason"": ""REASON_VALUE""
}",
Encoding.UTF8, "application/json");
var response = await client.PutAsync("https://demo.one.digicert.com/documentmanager/api/v1/credential/CREDENTIAL_NAME/revoke?user_id=USER_ID", content);
Console.WriteLine($"Status: {(int)response.StatusCode}");
Console.WriteLine(await response.Content.ReadAsStringAsync());Replace {name} with the credential name. The user_id query parameter is required for this endpoint. Set the reason field to one of the revocation reason codes listed above.
Successful response (201 OK):
{
"id": "01234567-89ab-cdef-0123-456789abcdef",
"status": "REVOKED"
}
The response confirms the revocation with the updated credential details, including the new status of REVOKED.
Step 4: Replace a client administrator
Replace an existing client administrator with a different user. This operation is useful when an administrator changes roles or leaves the organization.
This endpoint requires OAuth authentication (
client_id and client_secret), not API key authentication.Request:
curl -X POST "https://demo.one.digicert.com/documentmanager/api/v1/user/01234567-89ab-cdef-0123-456789abcdef/replace-client-admin" \
-H "x-api-key: OAUTH_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"email": "john@local.com",
"first_name": "John",
"last_name": "Doe",
"user_name": "abc12345",
"phone_number": 911234567890,
"locale": "en_US",
"description": "abc12345"
}' \
| jq '.'import requests
USER_ID = "01234567-89ab-cdef-0123-456789abcdef"
response = requests.post(
f"https://demo.one.digicert.com/documentmanager/api/v1/user/{USER_ID}/replace-client-admin",
headers={"x-api-key": "OAUTH_TOKEN", "Content-Type": "application/json"},
json={
"email": "john@local.com",
"first_name": "John",
"last_name": "Doe",
"user_name": "abc12345",
"phone_number": 911234567890,
"locale": "en_US",
"description": "abc12345"
}
)
print(f"Status: {response.status_code}")
if response.status_code != 204:
print(response.json())import java.net.http.*;
import java.net.URI;
HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create("https://demo.one.digicert.com/documentmanager/api/v1/user/01234567-89ab-cdef-0123-456789abcdef/replace-client-admin"))
.header("x-api-key", "OAUTH_TOKEN")
.header("Content-Type", "application/json")
.POST(HttpRequest.BodyPublishers.ofString("{\"email\": \"john@local.com\", \"first_name\": \"John\", \"last_name\": \"Doe\", \"user_name\": \"abc12345\", \"phone_number\": 911234567890, \"locale\": \"en_US\", \"description\": \"abc12345\"}"))
.build();
HttpResponse<String> response = client.send(request,
HttpResponse.BodyHandlers.ofString());
System.out.println("Status: " + response.statusCode());
System.out.println(response.body());using System.Net.Http;
using System.Text;
using System.Text.Json;
var client = new HttpClient();
client.DefaultRequestHeaders.Add("x-api-key", "OAUTH_TOKEN");
var content = new StringContent(@"{
""email"": ""john@local.com"",
""first_name"": ""John"",
""last_name"": ""Doe"",
""user_name"": ""abc12345"",
""phone_number"": 911234567890,
""locale"": ""en_US"",
""description"": ""abc12345""
}",
Encoding.UTF8, "application/json");
var response = await client.PostAsync("https://demo.one.digicert.com/documentmanager/api/v1/user/01234567-89ab-cdef-0123-456789abcdef/replace-client-admin", content);
Console.WriteLine($"Status: {(int)response.StatusCode}");
Console.WriteLine(await response.Content.ReadAsStringAsync());Replace {userId} with the user ID of the current client administrator you want to replace.
Successful response (201 Created):
{
"id": "01234567-89ab-cdef-0123-456789abcdef"
}
From the response, save the id value. This is the user ID for the new client administrator.
Was this page helpful?
Provide feedback