Aembit Edge API - Full Reference

Aembit Edge API

Version: v1

Base URL

https://{tenant}.aembit-eng.com

---

Aembit Edge API - API Endpoints

Version: v1

Base URL: https://{tenant}.aembit-eng.com

Auth

POST /edge/v1/auth

Summary: Authenticate to the Edge API

Description: Authenticates Client Workloads to Aembit Edge using a Trust Provider

Operation ID: edge-api-auth

Parameters:

• X-Aembit-ResourceSet (undefined) (optional): any

Request Body:

• Content-Type: application/json
• Schema: any

Responses:

• ‘200’: Successfully retrieved access token
  • Content-Type: application/json
  • Schema: any
• ‘400’: Invalid request or missing parameters
  • Content-Type: application/json
  • Schema: any
• ‘401’: Unauthorized
  • Content-Type: application/json
  • Schema: any
• ‘500’: Internal server error
  • Content-Type: application/json
  • Schema: any

cURL Example:

curl -X POST \
  -H "Content-Type: application/json" \
  -d '{"example": "data"}' \
  "https://your-tenant.aembit-eng.com/edge/v1/auth"

Credentials

POST /edge/v1/credentials

Summary: Get credentials for a Client Workload

Description: Retrieves credentials for a Client Workload based on your configured Access Policies

Operation ID: edge-api-get-credentials

Parameters:

• X-Aembit-ResourceSet (undefined) (optional): any

Request Body:

• Content-Type: application/json
• Schema: any

Responses:

• ‘200’: Credentials returned for specified Client Workload
  • Content-Type: application/json
  • Schema: any
• ‘400’: Invalid request or missing parameters
• ‘500’: Internal server error
  • Content-Type: application/json
  • Schema: any

cURL Example:

curl -X POST \
  -H "Content-Type: application/json" \
  -d '{"example": "data"}' \
  "https://your-tenant.aembit-eng.com/edge/v1/credentials"

---

Aembit Edge API - Data Schemas

Version: v1

ApiCredentialsRequest

Request payload for retrieving credentials for a Client Workload

Type: object

Properties:

• client (optional): any
• server (optional): any
• credentialType (optional): any

ApiCredentialsResponse

Response containing credentials that a Client Workload requests with expiration details

Type: object

Properties:

• credentialType (optional): any
• expiresAt (optional): string (date-time) | null - Token expiration time in ISO 8601 format, null for non-expiring credentials
• data (optional): any

AuthRequest

Identity and attestation information for Client Workload authentication

Type: object

Properties:

• clientId (optional): string | null - Trust Provider Client Id for authentication
• client (optional): any

AwsDTO

AWS-specific attestation data for Client Workload identification

Type: object

Properties:

• instanceIdentityDocument (optional): string | null - Base64-encoded AWS instance identity document
• instanceIdentityDocumentSignature (optional): string | null - Base64-encoded signature for AWS instance identity document verification
• lambda (optional): any
• ecs (optional): any
• stsGetCallerIdentity (optional): any

AwsEcsDTO

AWS ECS container and task metadata for workload attestation

Type: object

Properties:

• containerMetadata (optional): string | null - JSON string containing AWS ECS container metadata
• taskMetadata (optional): string | null - JSON string containing AWS ECS task metadata

AzureAttestationDTO

Azure-specific attestation data for Client Workload identification

Type: object

Properties:

• attestedDocument (optional): any

AzureAttestedDocumentDTO

Azure attested document with signature and nonce for verification

Type: object

Properties:

• encoding (optional): string | null - Encoding format of the Azure attestation document
• signature (optional): string | null - Digital signature for Azure attestation document verification
• nonce (optional): string | null - Cryptographic nonce for Azure attestation document freshness

ClientWorkloadDetails

Identity and attestation information for a Client Workload requesting credentials

Type: object

Properties:

• sourceIP (optional): string | null - IP address of the requesting Client Workload
• aws (optional): any
• azure (optional): any
• gcp (optional): any
• os (optional): any
• k8s (optional): any
• host (optional): any
• github (optional): any
• terraform (optional): any
• gitlab (optional): any
• oidc (optional): any

CredentialProviderTypes

Type of credential being requested from your configured Credential Provider

Type: string

Possible values: Unknown, ApiKey, UsernamePassword, GoogleWorkloadIdentityFederation, OAuthToken, AwsStsFederation

CrowdStrikeDTO

CrowdStrike agent information for endpoint security attestation

Type: object

Properties:

• agentId (optional): string | null - Unique identifier for the CrowdStrike agent

EdgeCredentials

Credential data returned to Client Workloads based on your configured Credential Providers

Type: object

Properties:

• apiKey (optional): string | null - API key credential for authenticating to target services
• token (optional): string | null - Bearer token credential for authenticating to target services
• username (optional): string | null - Username for basic authentication credentials
• password (optional): string | null - Password for basic authentication credentials
• awsAccessKeyId (optional): string | null - AWS access key ID for programmatic access
• awsSecretAccessKey (optional): string | null - AWS secret access key for programmatic access
• awsSessionToken (optional): string | null - AWS session token for temporary credentials

EnvironmentDTO

Environment variables available to the Client Workload

Type: object

Properties:

• K8S_POD_NAME (optional): string | null - Kubernetes pod name environment variable
• CLIENT_WORKLOAD_ID (optional): string | null - Aembit Client Workload identifier environment variable
• KUBERNETES_PROVIDER_ID (optional): string | null - Kubernetes Trust Provider identifier environment variable
• AEMBIT_RESOURCE_SET_ID (optional): string | null - Aembit Resource Set identifier environment variable

GcpAttestationDTO

GCP-specific attestation data for Client Workload identification

Type: object

Properties:

• identityToken (optional): string | null - Identity token for workload attestation
• instanceDocument (optional): string | null - Base64-encoded GCP instance identity document

GenericResponseDTO

DTO for a Generic API Response

Type: object

Properties:

• success (optional): boolean - True if the API call was successful, False otherwise
• message (optional): string | null - Message to indicate why the API call failed
• id (optional): integer (int32) - Unique identifier of the API response

HostDTO

Host system information for Client Workload attestation

Type: object

Properties:

• hostname (optional): string | null - Client Workload hostname
• domainName (optional): string | null - Domain name of the Client Workload host
• process (optional): any
• sensors (optional): any
• systemSerialNumber (optional): string | null - Hardware serial number of the Client Workload system
• networkInterfaces (optional): Array

IdentityTokenAttestationDTO

JWT-based identity token attestation for CI/CD platforms

Type: object

Properties:

• identityToken (optional): string | null - Identity token for workload attestation

K8sDTO

Kubernetes-specific attestation data for Kubernetes pod identification

Type: object

Properties:

• serviceAccountToken (optional): string | null - Kubernetes service account JWT token

LambdaDTO

AWS Lambda function information for serverless workload attestation

Type: object

Properties:

• arn (optional): string | null - AWS Lambda function ARN

NetworkInterfacesDTO

Type: object

Properties:

• name (optional): string | null
• macAddress (optional): string | null
• ipv4Addresses (optional): Array
• ipv6Addresses (optional): Array

OsDTO

Operating system environment information for Client Workload attestation

Type: object

Properties:

• environment (optional): any

ProcessDTO

Process information for Client Workload identification

Type: object

Properties:

• name (optional): string | null - Process name
• pid (optional): integer (int32) - Process identifier (PID)
• userId (optional): integer (int32) - User identifier running the process
• userName (optional): string | null - Username running the process
• exePath (optional): string | null - Executable file path of the process

SensorsDTO

Security sensor data for enhanced Client Workload attestation

Type: object

Properties:

• crowdStrike (optional): any

ServerWorkloadDetails

Target server connection details for credential requests

Type: object

Properties:

• transportProtocol (optional): any
• host (optional): string | null - Target server hostname or IP address
• port (optional): integer (int32) - Target server port number

StsGetCallerIdentityDTO

AWS STS GetCallerIdentity request data for identity verification

Type: object

Properties:

• headers (optional): object | null - HTTP headers for AWS STS GetCallerIdentity request
• region (optional): string | null - AWS region for STS GetCallerIdentity request

TokenDTO

OAuth2-style access token response with expiration details

Type: object

Properties:

• accessToken (optional): string | null - Bearer token for authenticating subsequent API requests
• tokenType (optional): string | null - Token type, typically ”Bearer” for OAuth2-style tokens
• expiresIn (optional): integer (int32) - Token expiration time in seconds from issuance

TransportProtocol

Type: string

Possible values: TCP