
Authentication

DigiCert® ONE API integrations rely on service users. Service users are non-interactive identities created specifically for making API calls.

You can authenticate a service user using two primary methods: an API key or a client certificate (mTLS).

Tip

Using Document Trust Manager? OAuth and digest flows are limited to CSC operations in Document Trust Manager. For all core product APIs, API keys and mTLS are the only options.

What is a service user?

A service user is essentially a credential container. Think of it as a headless account holding only the permissions your integration needs. Service users:

  • Authenticate using API keys or client certificates.

  • Cannot sign in to the user interface.

  • Are created in Account Manager (through browser or API).

Important

An API key is generated only when creating a new service user. You cannot regenerate an API key for an existing service user. Securely store your API key immediately after creation.

Note

To create a service user in DigiCert ONE, you must have a user role with Manage users permission.

API key authentication

Use an API key for straightforward, stateless authentication.

Make API requests:

curl -X GET \
-H "x-api-key: <SERVICE_USER_KEY>" \
https://one.digicert.com/account/api/v1/user

Rotate and scope keys:

  • Treat keys like passwords. Store securely and rotate as needed.

  • Assign only roles necessary for each service user (least privilege).

Important

If a key expires or is disabled, every integration using it immediately stops. Monitor expiry dates and proactively rotate keys.

Certificate authentication (mTLS)

mTLS replaces API keys with a secure X.509 digital client certificate for verifying your identity as a service user during API requests.

Important

Certificates can only be downloaded once. Securely store both the certificate file and its password immediately after generation.

API requests with mTLS

With curl, your request looks like:

curl --cert /path/to/auth-cert.pem --key /path/to/auth-key.pem \
  https://clientauth.one.digicert.com/account/api/v1/user

Use the clientauth. hostname (clientauth.one.digicert.com) and omit the x-api-key header.
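
The API key and mTLS curl calls above, wrapped so that the secret never appears on the command line or in shell history (an added example, not DigiCert's code): each function prints a curl config that is piped to `curl --config -`, and refuses key files that other users can read. The dc1_* function names and the one-secret-per-file storage layout are assumptions.

```shell
#!/bin/sh
# Added example, not DigiCert code. The dc1_* names and the key-file layout are
# assumptions; hostnames, API path and the x-api-key header come from the page.

# True only if $1 is a regular file with no group/other permission bits set.
dc1_is_private() {
  [ -f "$1" ] && [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Print a curl config for API key auth. $1 = file holding the key, $2 = API path.
dc1_key_config() {
  dc1_is_private "$1" || { echo "refusing $1: missing or readable by others" >&2; return 1; }
  _dc1_key=$(tr -d '\r\n' < "$1")
  case "$_dc1_key" in
    ''|*[\"\\]*) echo "refusing $1: empty key or unsafe characters" >&2; return 1 ;;
  esac
  printf 'url = "https://one.digicert.com%s"\n' "$2"
  printf 'header = "x-api-key: %s"\n' "$_dc1_key"
  unset _dc1_key
}

# Print a curl config for mTLS. $1 = client cert, $2 = private key, $3 = API path.
# Uses the clientauth. hostname and sends no x-api-key header.
dc1_mtls_config() {
  [ -f "$1" ] || { echo "refusing $1: certificate not found" >&2; return 1; }
  dc1_is_private "$2" || { echo "refusing $2: missing or readable by others" >&2; return 1; }
  printf 'url = "https://clientauth.one.digicert.com%s"\n' "$3"
  printf 'cert = "%s"\n' "$1"
  printf 'key = "%s"\n' "$2"
}

# Usage: the config reaches curl on stdin, so `ps` shows only "--config -":
#   dc1_key_config "$HOME/.dc1/api-key" /account/api/v1/user | curl --fail --silent --config -
#   dc1_mtls_config /path/to/auth-cert.pem /path/to/auth-key.pem /account/api/v1/user \
#     | curl --fail --silent --config -
```

If a function refuses the file, curl receives an empty config and exits with an error instead of sending an unauthenticated request.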

Warning

If the linked service user is disabled or expired, the certificate stops working—even if the certificate itself is valid. Ensure service users remain active and manage certificates proactively.
