Retrieve a Key

This API is used to retrieve a single Key by unique Id or all of the configured Keys.

Request#

Global API Key Authentication
Retrieve all of the Keys
GET/api/key
OpenAPI Spec
Global API Key Authentication
Retrieve a Key by Id
GET/api/key/{keyId}
OpenAPI Spec

Request Parameters#

keyIdUUIDrequired

The unique Id of the Key to retrieve.

Response#

The response for this API contains either a single Key or all of the Keys. When you call this API with an Id the response will contain a single Key. When you call this API without an Id the response will contain all of the Keys. Both response types are defined below along with an example JSON response.

Response Codes
CodeDescription
200The request was successful. The response will contain a JSON body.
400The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present.
401You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication.
404The object you requested doesn't exist. The response will be empty.
500There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.
503The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

Response Body#

key.algorithmString

The algorithm used to generate the key. For Secrets, this value will be None.

key.certificateString

The X.509 certificate. This field is omitted for HMAC keys and Secrets.

key.certificateInformationMap<String, Object>

The RSA or EC certificate information. This field is omitted for HMAC keys and Secrets.

key.certificateInformation.issuerString

The issuer of the certificate. This field is omitted for HMAC keys and Secrets.

key.certificateInformation.md5FingerprintString

The md5 fingerprint of the certificate. This field is omitted for HMAC keys and Secrets.

key.certificateInformation.serialNumberString

The serial number of the certificate. This field is omitted for HMAC keys and Secrets.

key.certificateInformation.sha1FingerprintString

The SHA-1 fingerprint of the certificate. This field is omitted for HMAC keys and Secrets.

key.certificateInformation.sha1ThumbprintString

The SHA-1 thumbprint of the certificate. This field is omitted for HMAC keys and Secrets.

key.certificateInformation.sha256FingerprintString

The SHA-256 fingerprint of the certificate. This field is omitted for HMAC keys and Secrets.

key.certificateInformation.sha256ThumbprintString

The SHA-256 thumbprint of the certificate. This field is omitted for HMAC keys and Secrets.

key.certificateInformation.subjectString

The subject of the certificate. This field is omitted for HMAC keys and Secrets.

key.certificateInformation.validFromInteger

The UNIX time in milliseconds marking the start of the certificate validity period. This field is omitted for HMAC keys and Secrets.

key.certificateInformation.validToInteger

The UNIX time in milliseconds marking the expiration certificate. This field is omitted for HMAC keys and Secrets.

key.expirationInstantInteger

The instant marking the expiration certificate. This field is omitted for HMAC keys and Secrets.

key.hasPrivateKeyBoolean

Because the private key will never be returned in the API response, this value will indicate if the private key is stored in FusionAuth. This field is omitted for HMAC keys and Secrets.

key.idUUID

The Id of the Key.

key.insertInstantLong

The instant that the key was added to the FusionAuth database.

key.issuerString

The issuer of the certificate. This field is omitted for HMAC keys and Secrets.

key.kidString

The key identifier 'kid'.

key.lastUpdateInstantLong

The instant that the key was updated in the FusionAuth database.

key.lengthString

The length of the certificate. This field is omitted for HMAC keys and Secrets.

key.nameString

The name of the key.

key.publicKeyString

The certificate public key. This field is omitted for HMAC keys and Secrets.

key.typeString

The key type. The possible values are:

  • EC
  • OKP Available since 1.62.0
  • RSA
  • HMAC
  • Secret Available since 1.64.0

Example HMAC Key Response JSON

{
  "key": {
    "algorithm": "HS256",
    "id": "092dbedc-30af-4149-9c61-b578f2c72f59",
    "insertInstant": 1562171137000,
    "kid": "10d51735a5",
    "lastUpdateInstant": 1595361143101,
    "name": "OpenID Connect compliant HMAC using SHA-256",
    "type": "HMAC"
  }
}

Example RSA Key Response JSON

{
  "key": {
    "algorithm": "RS256",
    "certificate": "-----BEGIN CERTIFICATE-----\nMIICrjCCAZagAwIBAQIQeA4dW+47Q7KuyNuZuZrcTjANBgkqhkiG9w0BAQsFADAT\nMREwDwYDVQQDEwhhY21lLmNvbTAeFw0xOTA3MDMyMTI0MzJaFw0yOTA3MDMyMTI0\nMzJaMBMxETAPBgNVBAMTCGFjbWUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\nMIIBCgKCAQEAnbNGwtU33S4vbipGeIwe/DhLEfc5FaEOHK4WeQ3QF8zZGyI09bNQ\ndkp8uNTFfVehIgmvYHmJWPeaNrYK//qjWAsSvYYoytj1j4BywI8uLSjt8QvzaoFU\nMOi1cBbXM2586R7yTRm7jMk91MLM101zkrf1cmFdRUwTpeJjw66XG3JlTGZCmZsJ\nG7m6+nbe5LHt4CiufmJHujGeFzgwby3jXZtuK1y3ua3380Fv95JyG3TucnMwEw5E\nYQ8Q+dZzNC8OSaKrgmnN0gWdsJ7P7vu6lMy6sXKhvcxo1p+tXywYPFJahxA+rZDG\n16RLbUppCx10q8tIcFKeAyl4eywzBaBLxwIDAQABMA0GCSqGSIb3DQEBCwUAA4IB\nAQBbsHWIBDwW1hFEin0D5BK/rwpCIZ4jlJ9PON4q0rF/tl9+pSzTqMeEqU0NMlJ7\nXm2O5U0i8Sy8Lhemo9qYCZ76qEiHFZwQBmNAC4de92KMcw4Q7q5CVjTGv3X+Avlg\n/c+I+zJLO/IJlzhOvHj+iCeBZDznt6/KlFfXA9EvlznxqZCQHSf2f94UlvBmqbVY\nOfXE5+OQ3URyNyh88g9yClSb4hzu1lmzevZ/AVbe2kTjZQQWB0TmqPg/6SS+nhsa\nuAMK1kSlSK9t6CPz/L7olJeAi7G/PZPaYG1gIFVFaBnYM0rwagQGtPMi1uCERCKr\nkUlBh6gSyN7SGJBvWEh6+zZF\n-----END CERTIFICATE-----",
    "certificateInformation": {
      "issuer": "CN=acme.com",
      "md5Fingerprint": "FC:36:CD:0B:9C:B7:62:F0:A9:16:AE:72:8E:F8:7D:D8",
      "serialNumber": "78:0E:1D:5B:EE:3B:43:B2:AE:C8:DB:99:B9:9A:DC:4E",
      "sha1Fingerprint": "CD:A9:80:5F:4D:37:EB:CD:B4:45:42:DF:76:35:15:E9:89:21:61:B6",
      "sha1Thumbprint": "zamAX0036820RULfdjUV6YkhYbY",
      "sha256Fingerprint": "33:7C:CB:4C:23:3B:F5:22:49:2F:68:C5:FA:D1:6E:3C:72:54:CB:3C:E6:D1:70:08:55:FC:43:24:9A:98:05:CF",
      "sha256Thumbprint": "M3zLTCM79SJJL2jF-tFuPHJUyzzm0XAIVfxDJJqYBc8",
      "subject": "CN=acme.com",
      "validFrom": 1562189072183,
      "validTo": 1877808272183
    },
    "expirationInstant": 1877808272183,
    "hasPrivateKey": false,
    "id": "780e1d5b-ee3b-43b2-aec8-db99b99adc4e",
    "insertInstant": 1562189072183,
    "issuer": "acme.com",
    "kid": "zamAX0036820RULfdjUV6YkhYbY",
    "lastUpdateInstant": 1595361143101,
    "length": 2048,
    "name": "SHA-256 with RSA",
    "publicKey": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnbNGwtU33S4vbipGeIwe\n/DhLEfc5FaEOHK4WeQ3QF8zZGyI09bNQdkp8uNTFfVehIgmvYHmJWPeaNrYK//qj\nWAsSvYYoytj1j4BywI8uLSjt8QvzaoFUMOi1cBbXM2586R7yTRm7jMk91MLM101z\nkrf1cmFdRUwTpeJjw66XG3JlTGZCmZsJG7m6+nbe5LHt4CiufmJHujGeFzgwby3j\nXZtuK1y3ua3380Fv95JyG3TucnMwEw5EYQ8Q+dZzNC8OSaKrgmnN0gWdsJ7P7vu6\nlMy6sXKhvcxo1p+tXywYPFJahxA+rZDG16RLbUppCx10q8tIcFKeAyl4eywzBaBL\nxwIDAQAB\n-----END PUBLIC KEY-----",
    "type": "RSA"
  }
}

Example EC Key Response JSON

{
  "key": {
    "algorithm": "ES256",
    "certificate": "-----BEGIN CERTIFICATE-----\nMIIBJzCBy6ADAgEBAhEAwUtQ5YaLTb6fPAKM0FFbETAMBggqhkjOPQQDAgUAMBMx\nETAPBgNVBAMTCGFjbWUuY29tMB4XDTIxMTAwMjEzNDE1MVoXDTMxMTAwMjEzNDE1\nMVowEzERMA8GA1UEAxMIYWNtZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAARPysdu/AKSICtkZa9hlBGb7vJHJ0GHWYXEeyTYDCPd2XoT5icVAZQ5GVU1q2WV\nEaVJRmlFuGqWElvYLIRYrce2MAwGCCqGSM49BAMCBQADSQAwRgIhAJCXC5Ys25Wk\nYXeC1bWjyt71p8Yn1B//DZo+SzQrBVF+AiEA3u6an0m+wsO1dnNN1wtXdUsa5Avo\nOjME4ZLJHhtGQ1I=\n-----END CERTIFICATE-----",
    "certificateInformation": {
      "issuer": "CN=acme.com",
      "md5Fingerprint": "E5:50:70:3A:88:56:7C:BE:CB:FA:50:29:19:B5:CE:2D",
      "serialNumber": "00:C1:4B:50:E5:86:8B:4D:BE:9F:3C:02:8C:D0:51:5B:11",
      "sha1Fingerprint": "2F:22:15:AC:7C:2A:67:E8:F3:AB:87:97:3A:E0:84:58:79:A3:35:7F",
      "sha1Thumbprint": "LyIVrHwqZ-jzq4eXOuCEWHmjNX8",
      "sha256Fingerprint": "D5:B0:B5:5E:07:1D:2B:84:A8:7C:5F:89:B7:74:62:2F:8C:57:A8:66:A1:D5:A2:F1:A9:94:70:8F:D3:0D:64:0F",
      "sha256Thumbprint": "1bC1XgcdK4SofF-Jt3RiL4xXqGah1aLxqZRwj9MNZA8",
      "subject": "CN=acme.com",
      "validFrom": 1633182111000,
      "validTo": 1948714911000
    },
    "expirationInstant": 1948714911000,
    "hasPrivateKey": true,
    "id": "c14b50e5-868b-4dbe-9f3c-028cd0515b11",
    "insertInstant": 1633182111648,
    "issuer": "acme.com",
    "kid": "LyIVrHwqZ-jzq4eXOuCEWHmjNX8",
    "lastUpdateInstant": 1633182111648,
    "length": 256,
    "name": "ECDSA using P-256 curve and SHA-256",
    "publicKey": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET8rHbvwCkiArZGWvYZQRm+7yRydB\nh1mFxHsk2Awj3dl6E+YnFQGUORlVNatllRGlSUZpRbhqlhJb2CyEWK3Htg==\n-----END PUBLIC KEY-----",
    "type": "EC"
  }
}

Example EdDSA Key Response JSON

{
  "key": {
    "algorithm": "Ed25519",
    "certificate": "-----BEGIN CERTIFICATE-----\nMIHsMIGfoAMCAQECEQDqdRGGNnhIwI8IEfDjwZN7MAUGAytlcDAYMRYwFAYDVQQD\nEw1mdXNpb25hdXRoLmlvMB4XDTI1MTIxODE2MDUyNVoXDTM1MTIxODE2MDUyNVow\nGDEWMBQGA1UEAxMNZnVzaW9uYXV0aC5pbzAqMAUGAytlcAMhAI+wTC3wU30tqiGR\n8RsFrAYl++dNZTRIdwUqPmMv3xeqMAUGAytlcANBANiOCGE+XoUorYo13gor1PWM\n6sL7j2oDBbSExzThihvYXyO7Lx7s8ZCgJ8rIcxgDQRJbhq1n5oxMAvGnzezDMwQ=\n-----END CERTIFICATE-----",
    "certificateInformation": {
      "issuer": "CN=fusionauth.io",
      "md5Fingerprint": "74:19:09:95:D9:6F:52:D9:83:D5:CD:48:D2:26:34:A2",
      "serialNumber": "00:EA:75:11:86:36:78:48:C0:8F:08:11:F0:E3:C1:93:7B",
      "sha1Fingerprint": "AB:6D:71:A6:B6:36:BA:D3:00:7D:1D:E8:CB:08:25:6F:46:13:EF:51",
      "sha1Thumbprint": "q21xprY2utMAfR3oywglb0YT71E",
      "sha256Fingerprint": "1A:BE:72:43:9A:B6:06:D5:08:32:06:28:A8:1B:DF:73:A2:99:5E:82:FF:C4:A3:FD:F3:9B:5F:5F:80:4A:27:D4",
      "sha256Thumbprint": "Gr5yQ5q2BtUIMgYoqBvfc6KZXoL_xKP985tfX4BKJ9Q",
      "subject": "CN=fusionauth.io",
      "validFrom": 1766073925573,
      "validTo": 2081606725573
    },
    "expirationInstant": 2081606725573,
    "hasPrivateKey": true,
    "id": "ea751186-3678-48c0-8f08-11f0e3c1937b",
    "insertInstant": 1766073925573,
    "issuer": "fusionauth.io",
    "kid": "q21xprY2utMAfR3oywglb0YT71E",
    "lastUpdateInstant": 1766073925573,
    "length": 32,
    "name": "EdDSA using the Ed25519 parameter set",
    "publicKey": "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAj7BMLfBTfS2qIZHxGwWsBiX7501lNEh3BSo+Yy/fF6o=\n-----END PUBLIC KEY-----",
    "type": "OKP"
  }
}

Response Body#

keys[x]Array

The list of Key objects.

keys[x].algorithmString

The algorithm used to generate the key. For Secrets, this value will be None.

keys[x].certificateString

The X.509 certificate. This field is omitted for HMAC keys and Secrets.

keys[x].certificateInformationMap<String, Object>

The RSA or EC certificate information. This field is omitted for HMAC keys and Secrets.

keys[x].certificateInformation.issuerString

The issuer of the certificate. This field is omitted for HMAC keys and Secrets.

keys[x].certificateInformation.md5FingerprintString

The md5 fingerprint of the certificate. This field is omitted for HMAC keys and Secrets.

keys[x].certificateInformation.serialNumberString

The serial number of the certificate. This field is omitted for HMAC keys and Secrets.

keys[x].certificateInformation.sha1FingerprintString

The SHA-1 fingerprint of the certificate. This field is omitted for HMAC keys and Secrets.

keys[x].certificateInformation.sha1ThumbprintString

The SHA-1 thumbprint of the certificate. This field is omitted for HMAC keys and Secrets.

keys[x].certificateInformation.sha256FingerprintString

The SHA-256 fingerprint of the certificate. This field is omitted for HMAC keys and Secrets.

keys[x].certificateInformation.sha256ThumbprintString

The SHA-256 thumbprint of the certificate. This field is omitted for HMAC keys and Secrets.

keys[x].certificateInformation.subjectString

The subject of the certificate. This field is omitted for HMAC keys and Secrets.

keys[x].certificateInformation.validFromInteger

The UNIX time in milliseconds marking the start of the certificate validity period. This field is omitted for HMAC keys and Secrets.

keys[x].certificateInformation.validToInteger

The UNIX time in milliseconds marking the expiration certificate. This field is omitted for HMAC keys and Secrets.

keys[x].expirationInstantInteger

The instant marking the expiration certificate. This field is omitted for HMAC keys and Secrets.

keys[x].hasPrivateKeyBoolean

Because the private key will never be returned in the API response, this value will indicate if the private key is stored in FusionAuth. This field is omitted for HMAC keys and Secrets.

keys[x].idUUID

The Id of the Key.

keys[x].insertInstantLong

The instant that the key was added to the FusionAuth database.

keys[x].issuerString

The issuer of the certificate. This field is omitted for HMAC keys and Secrets.

keys[x].kidString

The key identifier 'kid'.

keys[x].lastUpdateInstantLong

The instant that the key was updated in the FusionAuth database.

keys[x].lengthString

The length of the certificate. This field is omitted for HMAC keys and Secrets.

keys[x].nameString

The name of the key.

keys[x].publicKeyString

The certificate public key. This field is omitted for HMAC keys and Secrets.

keys[x].typeString

The key type. The possible values are:

  • EC
  • OKP Available since 1.62.0
  • RSA
  • HMAC
  • Secret Available since 1.64.0