Authentication
DigiCert® ONE API integrations rely on service users. Service users are non-interactive identities created specifically for making API calls.
You can authenticate a service user using two primary methods:
Tip
Using Document Trust Manager? OAuth and digest flows are limited to CSC operations in Document Trust Manager. For all core product APIs, API keys and mTLS are the only options.
What is a service user?
A service user is essentially a credential container. Think of it as a headless account holding only the permissions your integration needs. Service users:
Authenticate using API keys or client certificates.
Cannot sign in to the user interface.
Are created in Account Manager (through browser or API).
Important
An API key is generated only when creating a new service user. You cannot regenerate an API key for an existing service user. Securely store your API key immediately after creation.
Note
To create a service user in DigiCert ONE, you must have a user role with Manage users permission.
API key authentication
Use an API key for straightforward, stateless authentication.
Make API requests:
curl -X GET \
  -H "x-api-key: <SERVICE_USER_KEY>" \
  https://one.digicert.com/account/api/v1/user
Rotate and scope keys:
Treat keys like passwords. Store securely and rotate as needed.
Assign only roles necessary for each service user (least privilege).
Important
If a key expires or is disabled, every integration using it immediately stops. Monitor expiry dates and proactively rotate keys.
Certificate authentication (mTLS)
mTLS replaces API keys with a secure X.509 digital client certificate for verifying your identity as a service user during API requests.
Important
Certificates can only be downloaded once. Securely store both the certificate file and its password immediately after generation.
API requests with mTLS
With curl, your request looks like:
curl --cert /path/auth-cert.pem --key /path/to/auth-key.pem \
  https://clientauth.one.digicert.com/account/api/v1/user
Use the clientauth. hostname and omit the x-api-key header.
Warning
If the linked service user is disabled or expired, the certificate stops working—even if the certificate itself is valid. Ensure service users remain active and manage certificates proactively.
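The two methods above differ in hostname and in whether the x-api-key header is sent. The following added example (not DigiCert's own code) builds the request for either method and refuses to mix them. The function names and the file-permission check are assumptions made for illustration; the hostnames, path and header name come from the curl commands on this page.

```python
import os
import ssl
import stat
import urllib.request

API_HOST = "one.digicert.com"              # used with x-api-key (from the page)
MTLS_HOST = "clientauth.one.digicert.com"  # used with a client certificate (from the page)


def read_secret(path):
    """Read an API key or key password, refusing files open to group/others."""
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group/others; chmod 600 it")
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def build_request(path, api_key=None, use_mtls=False):
    """Return a GET request aimed at the host that matches the auth method."""
    if not path.startswith("/"):
        raise ValueError("path must start with '/'")
    if use_mtls and api_key is not None:
        raise ValueError("mTLS requests must omit the x-api-key header")
    if not use_mtls and not api_key:
        raise ValueError("supply an API key or set use_mtls=True")
    host = MTLS_HOST if use_mtls else API_HOST
    req = urllib.request.Request(f"https://{host}{path}", method="GET")
    if not use_mtls:
        req.add_header("x-api-key", api_key)
    return req


def mtls_context(cert_file, key_file, password=None):
    """TLS context presenting the service user's client certificate."""
    ctx = ssl.create_default_context()  # server certificate verification stays on
    ctx.load_cert_chain(cert_file, key_file, password=password)
    return ctx


def call(req, ctx=None):
    """Send the request; pass ctx=mtls_context(...) for certificate auth."""
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.read()
```

Load the key with read_secret() from a file outside the repository rather than embedding it in source or on a command line, where it would be visible in shell history and process listings.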
API troubleshooting basics
What's next?
Make your first API call: Walk through prerequisites, environment setup, and pagination.
Error handling & rate limits: Decode 401/403 responses and implement retry strategies.