API Reference

Last modified on April 17, 2023

The StrongDM API allows users of StrongDM to programmatically interact with their organization in StrongDM in order to create, remove, or manage users, roles, permissions, gateways, relays, resources, and more. The amount of API access afforded to an API key depends entirely on what was granted to the key by the organization’s administrators when the key was created.

The StrongDM API is constructed with gRPC and a request signature model that requires the use of one of the StrongDM SDKs to interface with the API. The SDKs were designed with REST principles in mind. They are built around a set of domain objects, as well as the basic set of REST verbs: Create, Read, Update, and Delete.

Moreover, the StrongDM API provides advanced auditing and logging capabilities that simplify how data is extracted from StrongDM for programmatic integration into other parts of your organization, such as SIEM, log aggregators, compliance and/or security reports, or end-to-end IAM workflows. You can additionally use the StrongDM API to do the following:

  • Get the history of what happened in your organization.
  • View full snapshots.
  • Look at shells for all replays.
  • View SSH session data as it comes in, and watch sessions play live.
  • Actively look at queries as they come in.
  • Suspend users by ID.

The destination for requests directly to the StrongDM API is api.strongdm.com.

You can interact with the API via any of StrongDM’s SDKs or Terraform.

StrongDM SDKs

The StrongDM API allows for the programmatic management of StrongDM features as well as the resources attached to the organization. StrongDM supports the following SDK options: Go, Java, Python, and Ruby.

Gopkg.go.devstrongdm-sdk-goGo SDK Examples
Javajavadocstrongdm-sdk-javaJava SDK Examples
Pythonpdocsstrongdm-sdk-pythonPython SDK Examples
RubyRubyDocstrongdm-sdk-rubyRuby SDK Examples

Feel free to use the SDKs to interact with StrongDM from your own software, and contact support@strongdm.com if you have any questions or concerns.

StrongDM Terraform Provider

StrongDM’s Terraform provider makes use of the StrongDM API and has a set of Terraform provider examples.

How It Works

The StrongDM API does not rely on bearer tokens alone to protect your requests (and thus your infrastructure). Instead, the StrongDM API requires the use of request signatures modeled on the AWS V4 signing process. This methodology never sends a secret key over the network. If the key isn’t sent, the key cannot be intercepted. Furthermore, this methodology allows StrongDM to validate the time and payload of each API call, protecting against replay attacks or Manipulator in the Middle (MitM) message tampering. The StrongDM SDKs handle the gRPC calls and signing process to ensure a consistent and convenient experience.


Each SDK provides a client that must be constructed with an API ID and Secret (also referred to as your API key). This key also sets the client’s permission to manage objects within StrongDM. For instructions on creating your API key, see the API Keys page.

For example, in Python:

def main():
    client = strongdm.Client(<YOUR-ID>,<YOUR-SECRET>)

Domain objects

Domain objects are present in all of the StrongDM SDKs. These domain objects are, in a way, the glossary of the API. Once you’re familiar with them, you’ll better understand what you can do with the API.

Domain objectDescription
AccountAttachmentsAssigns an Account to a Role
AccountAttachmentsHistoryRecords all changes to the state of an AccountAttachment
AccountGrantsAssigns a resource directly to an Account, giving the account the permission to connect to that resource
AccountGrantsHistoryRecords all changes to the state of an AccountGrant
AccountPermissionsRecords the granular permissions accounts have, allowing them to execute relevant commands via StrongDM’s APIs
AccountResourcesEnumerates the resources to which accounts have access; AccountResources service is read-only
AccountsUser accounts or service accounts that have access to StrongDM; a user account is for humans who are authenticated through username and password or SSO; a service account is for machines that are authenticated using a service token
AccountsHistoryRecords all changes to the state of an Account
ActivitiesAn Activity is a record of an action taken against a StrongDM deployment (for example, user creation, resource deletion, SSO configuration change, and so forth); Activities service is read-only
NodesThe gateway(s) and relay(s) that make up your StrongDM network and allow your users to connect securely to your resources. Gateways, the entry points into the network, listen for connections from the StrongDM client and provide access to databases and servers. Relays are used to extend the StrongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections.
NodesHistoryRecords all changes to the state of a Node
OrganizationHistoryRecords all changes to the state of an Organization
QueriesA Query is a record of single client request to a resource (for example, a SQL query); SSH, RDP, or Kubernetes interactive sessions also count as queries; Queries service is read-only
RemoteIdentitiesAssigns a Remote Identity-enabled Resource directly to an Account, giving the Account the permission to connect to that Resource using a Remote Identity instead of a leased credential
RemoteIdentitiesHistoryRecords all changes to the state of a RemoteIdentity
RemoteIdentityGroupsA RemoteIdentityGroup is a named grouping of Remote Identities for Accounts; an Account’s relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects
RemoteIdentityGroupsHistoryRecords all changes to the state of a RemoteIdentityGroup
ReplaysA Replay captures the data transferred over a long-running SSH, RDP, or Kubernetes interactive session (otherwise referred to as a query); Replays service is read-only
ResourcesDatabases, servers, clusters, websites, or clouds to which StrongDM delegates access
ResourcesHistoryRecords all changes to the state of a Resource
RoleResourcesEnumerates the resources to which roles have access; RoleResources service is read-only
RoleResourcesHistoryRecords all changes to the state of a RoleResource
RolesA Role has a list of access rules that determine which Resources the members of the Role can access; an Account can be a member of multiple Roles via AccountAttachments
RolesHistoryRecords all changes to the state of a Role
SecretStoresServers where resource secrets (for example, passwords and keys) are stored
SecretStoresHistoryRecords all changes to the state of a SecretStore


Each domain object is accessible via functions or methods provided by the client.

For example, in Ruby:

users = client.accounts.list("")


Many domain objects provide a common filtering language. You can use filters to narrow results from most Read operations when making requests.

For example, in Go:

users, err := client.Accounts().List(ctx, "firstName:Alice")
if err != nil {
  log.Fatal("failed to query accounts:", err)

In the Go example shown, only users matching the first name “Alice” are returned.

Paginate results

When making a request with a Read operation that returns many results, the SDK automatically paginates the results. Depending on the language, pagination may be modeled as a transparent iterator, as in Ruby:

users.each do |user|
    p user

Alternatively, pagination may be modeled as an explicit call to receive the next result, as in Go:

for users.Next() {
    user := users.Value()

Audit API


History domain objects (such as AccountsHistory) offer a time range to show the history of what was changed over time. For example, Accounts provides information about users and service accounts, whereas AccountsHistory provides a historical record of all the changes that have been made to the state of those accounts.

If the Advanced Insights reporting and auditing bundle is enabled for your organization, you can query the domain objects and get history for the last 13 months. If Advanced Insights is not enabled, you can query back 30 days by default and results may be truncated to 20 rows returned.


Typical calls to the API return the state of a domain object at the time of the request. Snapshots, however, allow you to view the state of one or more domain objects at a specified time in the past. Snapshots let you programmatically extract the history of what happened in your organization at a certain time regarding access grants, gateways and relays, roles, resources, and so forth.

Let’s say, for example, that within the last hour there was a security incident related to a role granting access to all Redis resources. You can use a snapshot to see the state of the role an hour ago. In the following example, the desired time is specified in client.SnapshotAt(<TIME>).

For example, in Go:

client.SnapshotAt(time.Now().Add(-1*time.Hour)).Roles().Get(ctx, "r-123456")

Snapshots are supported for the following domain objects:

  • AccountAttachments
  • AccountGrants
  • AccountPermissions
  • Accounts
  • Nodes
  • RemoteIdentities
  • RemoteIdentityGroups
  • Resources
  • RoleResources
  • Roles
  • SecretStores

If the Advanced Insights reporting and auditing bundle is enabled for your organization, you can use snapshots for any time in the last 13 months. If Advanced Insights is not enabled, you can use snapshots for the last 30 days by default and results may be truncated to 20 rows returned.

Rate Limits

Requests are subject to rate limits. Default rate limits are generous, and you’re unlikely to reach rate limits during normal operations. If you do, however, encounter a rate limit for a valid use case, please notify support@strongdm.com to have your rate limit increased.

The following Python snippet illustrates the expected behavior for a rate-limited call. Note the remaining attribute on the returned RateLimitError, which quantifies the remaining call budget for this time period (in this case, 0):

except sdm.errors.RateLimitError as ex:
    self.assertEqual(ex.rate_limit.limit, 1)
    self.assertEqual(ex.rate_limit.remaining, 0)

Additional Information

You can find resources and information about the following StrongDM topics in this section: