strongDM API Introduction

Tired of clicking on buttons to create users and datasources? strongDM offers an API to automate control of your organization’s accounts, resources and gateways.

strongDM offers the following supported SDK options:

Theory of Operations

In contrast to many APIs, behind the scenes strongDM API relies on gRPC instead of REST. However, the strongDM SDKs were designed with REST principles to make them easy to understand. The API is built around a set of domain objects and the standard set of REST verbs: create, read, update, and delete.

In addition, since strongDM guards your infrastructure, rather than relying on bearer tokens the strongDM API requires a request signature modeled on the AWS V4 signing process. This means the secret key never goes over the network and cannot be intercepted. It allows us to validate the time and payload of each API call, protecting against replay attacks or MitM message tampering. The strongDM supported SDKs handle the gRPC calls and signing process to ensure a consistent and convenient experience.


Each SDK provides a client which must be constructed with an API ID and Secret (also referred to as your “API key”). This key will also set the client’s permission to manage objects within strongDM. Instructions for creating your API key can be found here.

For example, in Python:

def main():
    client = strongdm.Client(<YOUR-ID>,<YOUR-SECRET>)

Making Requests

Each domain object is accessible via functions or methods provided by the client.

For example, in Ruby:

users = client.accounts.list('')

Domain Objects

Note: Each SDK will also have language-specific documentation of each object.


Many domain objects provide a common filtering language. You can use this to narrow results from most read operations.

For example, in Go:

users, err := client.Accounts().List(ctx, "firstName:Alice")
if err != nil {
  log.Fatal("failed to query accounts:", err)

In the example above, only users matching the first name “Alice” will be returned.


For read calls with many results, the SDK will automatically page the results. Depending on the language, this may be modeled as a transparent iterator, as in Python:

users.each do |user|
	p user

or an explicit call to receive the next result, as in Go:

	for users.Next() {
		user := users.Value()

Rate Limits

Each SDK call is subject to a rate limit. Default rate limits are generous, and should not be encountered during normal operations. If you do encounter a rate limit for a valid use case, please notify to have your rate limit increased.

The following Python snippet illustrates the expected behavior for a rate limited call. Note the remaining attribute on the returned RateLimitError, which quantifies the remaining call budget for this time period:

        except sdm.errors.RateLimitError as ex:
            self.assertEqual(ex.rate_limit.limit, 1)
            self.assertEqual(ex.rate_limit.remaining, 0)