# Enterprise Console API

The Pomerium Enterprise Console supports programmatic interaction through an API. This page covers enabling and authenticating to the API.

# Before You Begin

This doc assumes:

  • You have already installed Pomerium and Pomerium Enterprise.
  • The enterprise console service is encrypted. Review the tls-* keys for more information.

# Configure a New Route

  1. We suggest configuring the route for API access in the open-source Pomerium. That way changes made through the API that might break access to the console GUI will not break access to the API route.

    - from: https://console-api.pomerium.localhost.io
      to: https://pomerium-console-domain-name:8702
      pass_identity_headers: true
      allow_any_authenticated_user: true
      tls_custom_ca_file: /path/to/rootCA.pem # See https://www.pomerium.com/reference/#tls-custom-certificate-authority
  2. You must also update the audience key to include the new route's from value:

    audience: "console.pomerium.localhost.io,console-api.pomerium.localhost.io"

    If you're running Pomerium Enterprise as a system service, restart the daemon.
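The audience requirement in step 2 is easy to miss when a route is added later. The following pre-deployment check is an added example, not part of Pomerium or its client libraries: it lists every route that proxies to the console but whose `from` hostname is absent from `audience`. It assumes routes are already parsed into dictionaries and that audience entries are bare hostnames, as in the value shown above; the GUI route, the `verify` route and port 8701 are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample data. The API route and the "after" audience mirror this
# page; the GUI and verify routes are hypothetical stand-ins for existing routes.
CONSOLE_HOST = "pomerium-console-domain-name"
ROUTES = [
    {"from": "https://console.pomerium.localhost.io",
     "to": "https://pomerium-console-domain-name:8701"},
    {"from": "https://console-api.pomerium.localhost.io",
     "to": "https://pomerium-console-domain-name:8702"},
    {"from": "https://verify.pomerium.localhost.io",
     "to": "https://verify.internal:8000"},
]
AUDIENCE_BEFORE = "console.pomerium.localhost.io"
AUDIENCE_AFTER = "console.pomerium.localhost.io,console-api.pomerium.localhost.io"


def hostname(url):
    """Lowercased hostname of an absolute URL; rejects values without one."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"not an absolute URL: {url!r}")
    return host.lower()


def parse_audience(audience):
    """Split the comma-separated audience value into a set of hostnames."""
    return {item.strip().lower() for item in audience.split(",") if item.strip()}


def missing_audiences(routes, console_host, audience):
    """Return `from` hostnames of console-bound routes absent from the audience."""
    allowed = parse_audience(audience)
    missing = []
    for route in routes:
        if hostname(route["to"]) != console_host.lower():
            continue  # route does not proxy to the console; audience not involved
        host = hostname(route["from"])
        if host not in allowed:
            missing.append(host)
    return missing


if __name__ == "__main__":
    for label, aud in (("before", AUDIENCE_BEFORE), ("after", AUDIENCE_AFTER)):
        gaps = missing_audiences(ROUTES, CONSOLE_HOST, aud)
        print(f"{label}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```
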

# Create a Service Account

  1. In the Enterprise Console, under Configure -> Service Accounts, click + Add Service Account. You can choose an existing user for the service account to impersonate, or create a new user. Note that a new user will not be synced to your IdP.

  2. The Enterprise Console will display the service account token. Be sure to store it securely now, as you cannot view it again after this point.

  3. Grant the service account the appropriate role on the Namespace(s) it will operate against.


Service accounts created in any Namespace other than Global will include a reference to that Namespace ID. You must specify the entire user ID (e.g. design-api@bff1bea6-a3d6-232d-812c-b4fd8e26d72e.pomerium) when using the service account.

# Install The Library

# Test the API Connection

The repositories for our Python and Go implementations include example scripts:

Modify the example script to match your console API path, Namespace(s) and Policy names.

# More Information

To see all endpoints available for both the Python and Go libraries, see the gRPC API Reference.