Get Confluent | Sign up for Confluent Cloud or download Confluent Platform

Confluent Cloud APIs

Download OpenAPI specification:Download

Introduction

Note

This documents the collection of Confluent Cloud APIs. Each API documents its lifecycle phase. APIs marked as Early Access or Preview are not ready for production usage. We're currently working with a select group of customers to get feedback and iterate on these APIs.

Confluent Cloud APIs are a core building block of Confluent Cloud. You can use the APIs to manage your own account or to integrate Confluent into your product.

Most of the APIs are organized around REST and the resources which make up Confluent Cloud. The APIs have predictable resource-oriented URLs, transport data using JSON, and use standard HTTP verbs, response codes, authentication, and design principles.

Object Model

Note

This section describes the object model for many Confluent Cloud APIs, but not all. The Connect v1 API group has a different object model. You can review the example request and response bodies in Connect v1 API to see its object model.

Confluent Cloud APIs are primarily designed to be declarative and intent-oriented. In other words, tell the API what you want (for example, throughput or SLOs) and it will figure out how to make it happen (for example, cluster sizing). A Confluent object acts as a "record of intent" — after you create the object, Confluent Cloud will work tirelessly in the background to ensure that the object exists as specified.

Confluent APIs represent objects in JSON with media-type application/json.

Many objects follow a model consisting of spec and status. An object's spec tells Confluent the desired state (specification) of the resource. The object may not be immediately available or changes may not be immediately applied. For this reason, many objects also have a status property that provides info about the current state of the resource. Confluent Cloud is continuously and actively managing each resource's current state to match it's desired state.

All Confluent objects share a set of common properties:

  • api_version – API objects have an api_version field indicating their API version.
  • kind – API objects have a kind field indicating the kind of object it is.
  • id – Each object in the API will have an identifier, indicated via its id field, and should be treated as an opaque string unless otherwise specified.

There are a number of other standard properties and that you'll encounter used by many API objects. And of course, objects have plenty of non-standard fields that are specific to each object kind... this is what makes them interesting!

Authentication

Confluent uses API keys and JSON Web Tokens (JWTs) to integrate your applications and workflows to your Confluent Cloud resources using the Confluent Cloud REST APIs. Your applications and workflows must be authenticated and authorized in order to access and manage Confluent Cloud resources.

API keys

You can create and manage your API keys using the Confluent Cloud Console or Confluent CLI. For more information, see Use API Keys to Control Access in Confluent Cloud.

Confluent Cloud uses the following two categories of API keys:

  • A Cloud API key grants access to the Confluent Cloud Management APIs, such as for Provisioning and Metrics integrations.
  • A resource-specific API key grants access to a Confluent Kafka cluster (Kafka API key), a Confluent Cloud Schema Registry (Schema Registry API key), Flink (Flink API key scoped to an Environment + Region pair), or a ksqlDB application.

Each Confluent Cloud API key is associated with a principal (specific user or service account) and inherits the permissions granted to the owner.

  • For example, if service account Armageddon is granted ACLs on Kafka cluster neptune, then a Kafka API Key for neptune owned by Armageddon will have these ACLs enforced.
  • Note: API keys are automatically deleted when the associated user or service account is deleted (for example, when an employee leaves the company or moves to a new department and an SSO integration removes the Confluent Cloud user as they no longer require access).
  • Confluent strongly recommends that you use service accounts for all production-critical access.

Confluent Cloud API keys grant access to Confluent Cloud resources, so keep them secure! Do not share your API keys and secrets in publicly-accessible locations, such as GitHub or client-side code.

All API requests must be made over HTTPS. Calls made over plain HTTP will fail. API requests without authentication will also fail.

To use an API key, you must send it in an Authorization: Basic {credentials} header. Remember that HTTP Basic authentication requires you to provide your credentials as the API key ID and associated API secret separated by a colon and encoded using Base64 format. For example, if your API key ID is ABCDEFGH123456789 and the API key Secret is XNCIW93I2L1SQPJSJ823K1LS902KLDFMCZPWEO, then the authorization header is:

Authorization: Basic QUJDREVGR0gxMjM0NTY3ODk6WE5DSVc5M0kyTDFTUVBKU0o4MjNLMUxTOTAyS0xERk1DWlBXRU8=

You can generate this header example from the API key:

macOS:

$ echo -n "ABCDEFGH123456789:XNCIW93I2L1SQPJSJ823K1LS902KLDFMCZPWEO" | base64

Linux:

$ echo -n "ABCDEFGH123456789:XNCIW93I2L1SQPJSJ823K1LS902KLDFMCZPWEO" | base64 -w 0

To find out if an API operation supports Cloud API Keys, look in the AUTHORIZATIONS listing for cloud-api-key.

To find out if an API operation supports resource-specific API Keys, look in the AUTHORIZATIONS listing for resource-api-key.

External OAuth

You can use OAuth/OIDC support for Confluent Cloud to authenticate and authorize access to applications and workloads for the following Confluent Cloud REST APIs:

Alternatively, to find out if an API operation supports external tokens, look in the AUTHORIZATIONS listing for external-access-token.

Confluent STS tokens

Confluent Security Token Service (STS) issues access tokens (confluent-sts-access-token) by exchanging an external token (external-access-token) for a confluent-sts-access-token. You can use Confluent STS tokens to authenticate to Confluent Cloud APIs that support the confluent-sts-access-token notation.

To find out if an API operation supports Confluent STS tokens, look in the AUTHORIZATIONS listing for confluent-sts-access-token.

Partner OAuth

Approved partners can fetch Partner tokens (confluent-partner-access-token) that validate their identity and grant access to the Partner API (partner/v2), which lets them sign up an organization on behalf of a customer, manage entitlements (create, read, and list), and read or list organizations they have signed up.

To find out an API operation supports Partner tokens, look in the AUTHORIZATIONS listing for confluent-partner-access-token.

cloud-api-key

Authenticate with Cloud API Keys using HTTP Basic Auth. Treat the Cloud API Key ID as the username and Cloud API Key Secret as the password.

Security Scheme Type: HTTP
HTTP Authorization Scheme: basic

confluent-sts-access-token

Authenticate with Confluent API using this credentials (JSON Web Tokens) following OAuth 2.0.

Security Scheme Type: OAuth2
Flow type: clientCredentials
Token URL: https://api.confluent.cloud/sts/v1/oauth2/token

api-key

Authenticate with API Keys using HTTP Basic Auth. Treat the API Key ID as the username and API Key Secret as the password.

Security Scheme Type: HTTP
HTTP Authorization Scheme: basic

resource-api-key

Authenticate with resource-specific API Keys using HTTP Basic Auth. Treat the resource-specific API Key ID as the username and resource-specific API Key Secret as the password.

Security Scheme Type: HTTP
HTTP Authorization Scheme: basic

external-access-token

Authenticate with OAuth 2.0.

Security Scheme Type: OAuth2
Flow type: clientCredentials
Token URL: https://<oauth-identity-provider>/token

oauth

Authenticate with OAuth 2.0. Currently this is only supported for partner APIs.

Security Scheme Type: OAuth2
Flow type: clientCredentials
Token URL: /oauth2/token
Scopes:
  • partner:alter -

    enables partners to alter entitlements

  • partner:create -

    enables partners to create entitlements and signup on behalf of customers

  • partner:delete -

    enables partners to delete entitlements and organizations

  • partner:describe -

    enables partners to read and list entitlements and organizations

Errors

Note

This section describes the structure of error responses for many Confluent Cloud APIs, but not all. The Connect v1 API group has a different set of structures for error responses. Please review the example request and response bodies in the Connect v1 API documentation below to see its error behaviour.

Confluent uses conventional HTTP status codes to indicate the success or failure of an API request.

Failures follow a standard model to tell you about what went wrong. They may include one or more error objects with the following fields:

Field Type Description
id* UUID A unique identifier for this particular occurrence of the problem.
status String The HTTP status code applicable to this problem.
code String An application-specific error code.
title String A short, human-readable summary of the problem that should not change from occurrence to occurrence of the problem, except for purposes of localization.
detail* String A human-readable explanation specific to this occurrence of the problem. Like title, this field’s value can be localized.
source Object An object that references the source of the error, and optionally includes any of the following members:
  pointer String A JSON Pointer to the associated entity in the request document (e.g. "/spec/title" for a specific attribute).
  parameter String A string indicating which URI query parameter caused the error.
meta Object A meta object that contains non-standard meta-information about the error.
resolution String Instructions for the end-user for correcting the error.

* indicates a required field

All errors include an id and some detail message. The id is a unique identifier — use it when you're working with Confluent support to debug a problem with a specific API call. The detail describes what went wrong.

Some errors that could be handled programmatically (e.g., a Kafka cluster config is invalid) may include an error code that briefly explains the error reported.

Validation issues and similar errors include a source which tells you exactly what in the request was responsible for the error.

For example, a failure may look like

{
  "errors": [{
    "status": "422",
    "code": "invalid_configuration",
    "id": "30ce6058-87da-11e4-b116-123b93f75cba",
    "title": "The Kafka cluster configuration is invalid",
    "detail": "The property '/cluster/storage_size' of type string did not match the following type: integer",
    "source": {
      "pointer": "/cluster/storage_size"
    }
  }]
}

If a request fails validation, it will return an HTTP 422 Unprocessable Entity with a list of fields that failed validation.

Pagination

Note

This section describes the pagination behavior of “list” operations for many Confluent Cloud APIs, but not all. The Connect v1 API list operations do not support pagination.

All API resources have support for bulk reads via "list" API operations. For example, you can "list Kafka clusters", "list api keys", and "list environments". These "list" operations require pagination; by requesting smaller subsets of data, API clients receive a response much faster than requesting the entire, potentially large, data set.

All "list" operations follow the same pattern with the following parameters:

  • page_size – client-provided max number of items per page, only valid on the first request.
  • page_token – server-generated token used for traversing through the result set.

A paginated response may include any of the following pagination links. API clients may follow the respective link to page forward or backward through the result set as desired.

Link Relation Description
next A link to the next page of results. A response that does not contain a next link does not have further data to fetch.
prev A link to the previous page of results. A response that does not contain a prev link has no previous data. This link is optional for collections that cannot be traversed backward.
first A link to the first page of results. This link is optional for collections that cannot be indexed directly to a given page.
last A link to the last page of results. This link is optional for collections that cannot be indexed directly to a given page.

API clients must treat pagination links and the page_token parameter in particular as an opaque string.

An example paginated list response may look like

{
    "api_version": "v2",
    "kind": "KafkaClusterList",
    "metadata": {
        "next": "https://api.confluent.cloud/kafka-clusters?page_token=ABCDEFGHIJKLMNOP1234567890"
    }
    "data": [
        {
            "metadata": {
                "id": "lkc-abc123",
                "self": "https://api.confluent.cloud/kafka-clusters/lkc-abc123",
                "resource_name": "crn://confluent.cloud/kafka=lkc-abc123",
            }
            "spec": {
                "display_name": "My Kafka Cluster",
                <snip>
            },
            "status": {
                "phase": "RUNNING",
                <snip>
            }
        },
        <snip>
    ]
}

Rate Limiting

To protect the stability of the API and keep it available to all users, Confluent employs multiple safeguards. If you send too many requests in quick succession or perform too many concurrent operations, you may be throttled or have your request rejected with an error.

When a rate limit is breached, an HTTP 429 Too Many Requests error is returned. The following headers are sent back to provide assistance in dealing with rate limits. Note that headers are not returned for a 429 error response with Kafka REST API (v3).

Header Description
X-RateLimit-Limit The maximum number of requests you're permitted to make per time period.
X-RateLimit-Reset The relative time in seconds until the current rate limit window resets.
Retry-After The number of seconds to wait until the rate limit window resets. Only sent when the rate limit is reached.
X-RateLimit-Remaining The number of requests remaining in the current rate-limit window. Important: This differs from Github and Twitter's same-named header which uses UTC epoch seconds. We use relative time to avoid client/server time synchronization issues.

Confluent enforces multiple kinds of limits, including request-rate and concurrency limits, both per user and organization-wide. Unauthenticated requests are associated with the originating IP address, not the user making requests.

Integrations should gracefully handle these limits by watching for 429 error responses and building in a retry mechanism. This mechanism should follow a capped exponential backoff policy to prevent retry amplification ("retry storms") and also introduce some randomness ("jitter") to avoid the thundering herd effect.

If you’re running into this error and think you need a higher rate limit, contact Confluent at support@confluent.io.

Identifiers and URLs

Most resources have multiple identifiers:

  • id is the "natural identifier" for an object. It is only unique within its parent resource. The id is unique across time: the ID will not be reclaimed and reused after an object is deleted.
  • resource_name is a Uniform Resource Identifier (URI) that is globally unique across all resources. This encompasses all parent resource kinds and ids necessary to uniquely identify a particular instance of this object kind. Because it uses object ids, the CRN will not be reclaimed and reused after an object is deleted. It is represented as a Confluent Resource Name (see below).
  • self is a Uniform Resource Locator (URL) at which an object can be addressed. This URL encodes the service location, API version, and other particulars necessary to locate the resource at a point in time.

To see how these relate to each other, consider KafkaBroker with broker.id=2 in a KafkaCluster in Confluent Cloud identified as lkc-xsi8201. In such an example, the KafkaBroker has id=2, the resource_name is crn://confluent.cloud/kafka=lkc-xsi8201/broker=2 and the self URL may be something like https://pkc-8wlk2n.us-west-2.aws.confluent.cloud. Note that different identifiers carry different information for different purposes, but the resource_name is the most complete and canonical identifier.

Confluent Resource Names (CRNs)

Confluent Resource Names (CRNs) are used to uniquely identify all Confluent resources.

A CRN is a valid URI having an "authority" of confluent.cloud or a self-managed metadata service URL, followed by the minimal hierarchical set of key-value pairs necessary to uniquely identify a resource.

Here are some examples for basic resources in Confluent Cloud:

Resource Example CRN
Organization crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a
Environment crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/environment=env-456xy
User crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/user=u-rst9876
API Key crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/user=u-zyx98/api-key=ABCDEFG9876543210
Service Account crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/service-account=sa-abc1234
Kafka Cluster crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/environment=env-456xy/cloud-cluster=lkc-123abc/kafka=lkc-123abc
Kafka Topic crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/environment=env-456xy/cloud-cluster=lkc-123abc/kafka=lkc-123abc/topic=my_kafka_topic
Consumer Group crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/environment=env-456xy/cloud-cluster=lkc-123abc/kafka=lkc-123abc/group=confluent_cli_consumer_123
Network crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/environment=env-456xy/network=n-123abc
Peering crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/environment=env-456xy/network=n-123abc/peering=p-123abc
Private Link Access crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/environment=env-456xy/network=n-123abc/private-link-access=pla-123abc
Transit Gateway Attachment crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/environment=env-456xy/network=n-123abc/transit-gateway-attachment=tgwa-123abc
Schema Registry Cluster crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/environment=env-456xy/schema-registry=lsrc-789qw
Schema Subject crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/environment=env-456xy/schema-registry=lsrc-789qw/subject=test
Connector crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/environment=env-456xy/cloud-cluster=lkc-123abc/connector=my_datagen_connector

Data Types

Primitive Types

Data Type Representation
Integers Each API may specify the type as int32 or int64. Note that many languages, including JavaScript, are limited to a max size of approx 2**53 and don't correctly handle large int64 values with their default JSON parser.
Dates RFC 3339 formatted string. UTC timezones are assumed, unless otherwise given.
Times RFC 3339 formatted string. UTC timezones are assumed, unless otherwise given.
Durations RFC 3339 formatted string.
Periods RFC 3339 formatted string. UTC timezones are assumed, unless otherwise given.
Ranges All ranges are represented using half-open intervals with naming conventions like [start_XXX, end_XXX) such as [start_time, end_time).
Enums Most APIs use x-extensible-enum as an open-ended list of values. This improves compatibility compared with a standard enum which by definition represents a closed set. All enums have a 0-valued entry which either serves as the default for common cases, or represents UNSPECIFIED when no default exists and results in an error.

Standard Properties

Confluent uses this set of standard properties to ensure common concepts use the same name and semantics across different APIs.

Name Description
api_version Many API objects have an api_version field indicating their API version. See the Object Model.
kind Many API objects have a kind field indicating the kind of object it is. See the Object Model.
id Many objects in the API will have an identifier, indicated via its id field, and should be treated as an opaque string unless otherwise specified. See the Object Model.
name Objects which support a client-provided unique identifier instead of a generated id will indicate this identifier via its name field.
display_name The human-readable display name of an API object.
title The official name of an API object, such as a company name. It should be treated as the formal version of display_name.
description One or more paragraphs of text description of an entity.
created_at The date and time the object was created, represented as a string in RFC 3339 format.
updated_at The date and time the object was last modified, represented as a string in RFC 3339 format.
deleted_at If present, the date and time after which the object was/will be deleted, represented as a string in RFC 3339 format.
page_token The pagination token in the List request. See Pagination.
page_size The pagination size in the List request. See Pagination.
total_size The total count of items in the list irrespective of pagination. See Pagination.
spec The desired state specification of the resource, as observed by Confluent Cloud.
status The current state of the resource, as observed by Confluent Cloud.

Versioning

Confluent APIs ensure stability for your integrations by avoiding the introduction of breaking changes to customers unexpectedly. Confluent will make non-breaking API changes without advance notice. Thus, API clients must follow the Compatibility Policy below to ensure your ingtegration remains stable. All APIs follow the API Lifecycle Policy described below, which describes the guarantees API clients can rely on.

Breaking changes will be widely communicated in advance in accordance with the Confluent Deprecation Policy. Confluent will provide timelines and a migration path for all API changes, where available. Be sure to subscribe to one or more communication channels so you don't miss any updates!

One exception to these guidelines is for critical security issues. Confluent will take any necessary actions to mitigate any critical security issue as soon as possible, which may include disabling the vulnerable functionality until a proper solution is available.

Do not consume any Confluent API unless it is documented in the API Reference. All undocumented endpoints should be considered private, subject to change without notice, and not covered by any agreements.

Note: The version in the URL (e.g. "v1" or "v2") is not a "major version" in the Semantic Versioning sense. It is a "generational version" or "meta version", as seen in APIs like Github API or the Stripe API.

API Groups

Confluent APIs are divided into API Groups, such as the Cluster Management for Apache Kafka (CMK) API group, the Connect API group, and the Data Catalog API group. Each group has its own set of endpoints and resources, as well as its own API group version.

Because different API groups have different versions, there is no single version for the "Confluent Cloud API". The latest version of the Connect API group may be connect/v1, while the latest version of the CMK API group may be cmk/v2.

When a breaking change is introduced into one API group, Confluent will increase the API version for that API group only, leaving the other API groups' versions unchanged. This makes it easier for you to understand whether a given breaking change impacts your usage of the APIs.

Known Issues

During the Early Access and Preview periods, we have a few known issues.

Issue Description Proposed Resolution
Quota Exceeded Some "Quota Exceeded" errors will be returned as HTTP 400 instead of HTTP 402 Return 402 consistently for "Quota Exceeded" errors

API Lifecycle Policy

The following status labels are applicable to APIs, features, and SDK versions, based on the current support status of each:

  • Early Access – May change at any time. Not recommended for production usage. Not officially supported by Confluent. Intended for user feedback only. Users must be granted explicit access to the API by Confluent.
  • Preview – Unlikely to change between Preview and General Availability. Not recommended for production usage. Officially supported by Confluent for non-production usage. Accessible to all users.
  • Limited Availability (LA) - Available to key select customers in a subset of regions/providers/networks and recommended for production usage.
  • Generally Available (GA) – Will not change at short notice. Recommended for production usage. Officially supported by Confluent for non-production and production usage.
  • Deprecated – Still supported, but no longer under active development. Existing usage will continue to function but migration following the upgrade guide is strongly recommended. New use cases should be built against the new version. Deprecated feature or version will be removed in the future at the announced date.
  • Sunset – Removed, and no longer supported or available.

An API is "Generally Available" unless explicitly marked otherwise.

Compatibility Policy

Confluent Cloud APIs are governed by Confluent Cloud Upgrade Policy, which means that backward incompatible changes and deprecations will be made approximately once per year, and 180 days notice will be provided via email to all registered Confluent Cloud users.

Backward Compatibility

An API version is backward compatible if a program written against the previous version of the API will continue to work the same way, without modification, against this version of the API.

Confluent considers the following changes to be backward compatible:

  • Adding new API resources.
  • Adding new optional parameters to existing API requests (e.g., query string).
  • Adding new properties to existing API resources (e.g., request body).
  • Changing the order of properties in existing API responses.
  • Changing the length or format of object IDs or other opaque strings.
    • Unless otherwise documented, you can safely assume object IDs generated by Confluent will never exceed 255 characters, but you should be able to handle IDs of up to that length. If you're using MySQL, for example, you should store IDs in a VARCHAR(255) COLLATE utf8_bin column.
    • This includes adding or removing fixed prefixes (such as lkc- on Kafka cluster IDs).
    • This includes API keys, API tokens, and similar authentication mechanisms.
    • This includes all strings described as "opaque" in the docs, such as pagination cursors.
  • Adding new API event types.
  • Adding new properties to existing API event types.
  • Omitting properties with null values from existing API responses.

Forward Compatibility

An API version is forward compatible if a program written against the next version of the API will continue to work the same way, without modification, against this version of the API.

In other words, a forward compatible API will accept input intended for a later version of itself.

Confluent does not guarantee the forward compatibility of the APIs, but Confluent does generally follow the guidelines given by the Robustness principle. This means that the API determines what to do with a request based only on the parts that it recognizes.

This is often referred to as the MUST IGNORE rule.

  • Request parameters that are not recognized will be ignored (e.g., query string).
  • Request properties that are not recognized will be ignored (e.g., request body).
  • Request metadata that are not recognized will be ignored (e.g., request headers).

API clients must also follow the MUST IGNORE rule.

  • Response properties that are not recognized must be ignored (e.g., response body).
  • Response metadata that are not recognized must be ignored (e.g., response headers).

Additionally, there is a more subtle related rule called the MUST FORWARD rule. Any parts of a request that an API doesn't recognize must be forwarded unchanged.

  • Response properties that are not recognized must be included in any input subsequent updates (e.g., request body)
    • This includes future PUT requests in a read/modify/write operation. (This isn't required for PATCH partial updates, which is why Confluent APIs use PATCH.)
  • Event processors must not strip unknown properties before forwarding messages.

Client Responsibilities

  • Resource and rate limits, and the default and maximum sizes of paginated data are not considered part of the API contract and may change (possibly dynamically). It is the client's responsibility to read the road signs and obey the speed limit.
  • If a property has a primitive type and the API documentation does not explicitly limit its possible values, clients must not assume the values are constrained to a particular set of possible responses.
  • If a property of an object is not explicitly declared as mandatory in the API, clients must not assume it will be present.
  • A resource may be modified to return a "redirection" response (e.g. 301, 307) instead of directly returning the resource. Clients must handle HTTP-level redirects, and respect HTTP headers (e.g. Location).

Deprecation Policy

Confluent will announce deprecations at least 180 days in advance of a breaking change and will continue to maintain the deprecated APIs in their original form during this time.

Exceptions to this policy apply in case of critical security vulnerabilities or functional defects.

Communication

When a deprecation is announced, the details and any relevant migration information will be available on one or more of the following channels:

HTTP Guidelines

Status Codes

Confluent respects the meanings and behavior of HTTP status codes as defined in RFC2616 and elsewhere.

  • Codes in the 2xx range indicate success
  • Codes in the 3xx range indicate redirection
  • Codes in the 4xx range indicate an error caused by the client request (e.g., a required parameter was omitted, an invalid cluster configuration was provided, etc.)
  • Codes in the 5xx range indicate an error with Confluent's servers (these are rare)

The various HTTP status codes that might be returned are listed below.

Code Title Description
200 OK Everything worked as expected.
201 Created The resource was created. Follow the Location header.
204 No Content Everything worked and there is no content to return.
400 Bad Request The request was unacceptable, often due to malformed syntax, or a missing or malformed parameter.
401 Unauthorized No valid credentials provided. or the credentials are unsuitable, invalid, or unauthorized.
402 Over Quota The request was valid, but you've exceeded your plan quota or limits.
404 Not Found The requested resource doesn't exist or you're unauthorized to know it exists.
409 Conflict The request conflicts with another request (perhaps it already exists or was based on a stale version of data).
422 Validation Failed The request was parsed correctly but failed some sort of validation.
429 Too Many Requests Too many requests hit the API too quickly. Confluent recommends an exponential backoff of your requests.
500, 502, 503, 504 Server Errors Something went wrong on Confluent's end. (These are rare.)

This list is not exhaustive; other standard HTTP error codes may be used, including 304, 307, 308, 405, 406, 408, 410, and 415.

For more details, see https://httpstatuses.com.

Metrics APIs

For Metrics APIs, see Confluent Cloud Metrics API.

API Keys (iam/v2)

General Availability

ApiKey objects represent access to different parts of Confluent Cloud. Some types of API keys represent access to a single cluster/resource such as a Kafka cluster, Schema Registry cluster or a ksqlDB cluster. Cloud API Keys represent access to resources within an organization that are not tied to a specific cluster, such as the Org API, IAM API, Metrics API or Connect API.

The API allows you to list, create, update and delete your API Keys.

Related guide: API Keys in Confluent Cloud.

The API Keys Model

api_version
string
Value: "iam/v2"

APIVersion defines the schema version of this representation of a resource.

kind
string
Value: "ApiKey"

Kind defines the object this REST resource represents.

id
string <= 255 characters

ID is the "natural identifier" for an object within its scope/namespace; it is normally unique across time but not space. That is, you can assume that the ID will not be reclaimed and reused after an object is deleted ("time"); however, it may collide with IDs for other object kinds or objects of the same kind within a different scope/namespace ("space").

object

ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.

object (iam.v2.ApiKeySpec)

The desired state of the Api Key

{
  • "api_version": "iam/v2",
  • "kind": "ApiKey",
  • "id": "dlz-f3a90de",
  • "metadata": {
    },
  • "spec": {
    }
}

Quotas and Limits

This resource is subject to the following quotas:

Quota Description
apikeys_per_org API Keys in one Confluent Cloud organization

List of API Keys

General Availability

Retrieve a sorted, filtered, paginated list of all API keys.

This can show all keys for a single owner (across resources - Kafka clusters), or all keys for a single resource (across owners). If no owner or resource filters are specified, returns all API Keys in the organization. You will only see the keys that are accessible to the account making the API request.

Authorizations:
cloud-api-key
query Parameters
spec.owner
string (SearchFilter)

Filter the results by exact match for spec.owner.

spec.resource
string (SearchFilter)

Filter the results by exact match for spec.resource.

page_size
integer <= 100
Default: 10

A pagination size for collection requests.

page_token
string <= 255 characters

An opaque pagination token for collection requests.

Responses

Request samples

curl --request GET \
  --url 'https://api.confluent.cloud/iam/v2/api-keys?spec.owner=SOME_STRING_VALUE&spec.resource=SOME_STRING_VALUE' \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

Response samples

Content type
application/json
{}

Create an API Key

General Availability

Make a request to create an API key.

Authorizations:
cloud-api-key
Request Body schema: application/json
required
object

The desired state of the Api Key

Responses

Request samples

Content type
application/json
{
  • "spec": {
    }
}

Response samples

Content type
application/json
{}

Read an API Key

General Availability

Make a request to read an API key.

Authorizations:
cloud-api-key
path Parameters
id
required
string

The unique identifier for the API key.

Responses

Request samples

curl --request GET \
  --url 'https://api.confluent.cloud/iam/v2/api-keys/{id}' \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

Response samples

Content type
application/json
{}

Update an API Key

General Availability

Make a request to update an API key.

Authorizations:
cloud-api-key
path Parameters
id
required
string

The unique identifier for the API key.

Request Body schema: application/json
object (iam.v2.ApiKeySpecUpdate)

The desired state of the Api Key

Responses

Request samples

Content type
application/json
{
  • "spec": {
    }
}

Response samples

Content type
application/json
{}

Delete an API Key

General Availability

Make a request to delete an API key.

Authorizations:
cloud-api-key
path Parameters
id
required
string

The unique identifier for the API key.

Responses

Request samples

curl --request DELETE \
  --url 'https://api.confluent.cloud/iam/v2/api-keys/{id}' \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

Response samples

Content type
application/json
{
  • "errors": [
    ]
}

Users (iam/v2)

General Availability

User objects represent individuals who may access your Confluent resources.

The API allows you to retrieve, update, and delete individual users, as well as list of all your users. This API cannot be used to create new user accounts.

Related guide: Users in Confluent Cloud.

The Users Model

api_version
string
Value: "iam/v2"

APIVersion defines the schema version of this representation of a resource.

kind
string
Value: "User"

Kind defines the object this REST resource represents.

id
string <= 255 characters

ID is the "natural identifier" for an object within its scope/namespace; it is normally unique across time but not space. That is, you can assume that the ID will not be reclaimed and reused after an object is deleted ("time"); however, it may collide with IDs for other object kinds or objects of the same kind within a different scope/namespace ("space").

object

ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.

email
string <email>

The user's email address

full_name
string

The user's full name

auth_type
string
extensible-enum: ["AUTH_TYPE_LOCAL","AUTH_TYPE_SSO"]

The user's authentication method

{
  • "api_version": "iam/v2",
  • "kind": "User",
  • "id": "dlz-f3a90de",
  • "metadata": {},
  • "email": "marty.mcfly@example.com",
  • "full_name": "Marty McFly",
  • "auth_type": "AUTH_TYPE_SSO"
}

Quotas and Limits

This resource is subject to the following quotas:

Quota Description
users_per_org Users in one Confluent Cloud organization

List of Users

General Availability

Retrieve a sorted, filtered, paginated list of all users.

Authorizations:
cloud-api-keyconfluent-sts-access-token
query Parameters
page_size
integer <= 100
Default: 10

A pagination size for collection requests.

page_token
string <= 255 characters

An opaque pagination token for collection requests.

Responses

Request samples

curl --request GET \
  --url https://api.confluent.cloud/iam/v2/users \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

Response samples

Content type
application/json
{}

Read a User

General Availability

Make a request to read a user.

Authorizations:
cloud-api-keyconfluent-sts-access-token
path Parameters
id
required
string

The unique identifier for the user.

Responses

Request samples

curl --request GET \
  --url 'https://api.confluent.cloud/iam/v2/users/{id}' \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

Response samples

Content type
application/json
{
  • "api_version": "iam/v2",
  • "kind": "User",
  • "id": "dlz-f3a90de",
  • "metadata": {},
  • "email": "marty.mcfly@example.com",
  • "full_name": "Marty McFly",
  • "auth_type": "AUTH_TYPE_SSO"
}

Update a User

General Availability

Make a request to update a user.

Authorizations:
cloud-api-keyconfluent-sts-access-token
path Parameters
id
required
string

The unique identifier for the user.

Request Body schema: application/json
full_name
string

The user's full name

Responses

Request samples

Content type
application/json
{
  • "full_name": "Marty McFly"
}

Response samples

Content type
application/json
{
  • "api_version": "iam/v2",
  • "kind": "User",
  • "id": "dlz-f3a90de",
  • "metadata": {},
  • "email": "marty.mcfly@example.com",
  • "full_name": "Marty McFly",
  • "auth_type": "AUTH_TYPE_SSO"
}

Delete a User

General Availability

Make a request to delete a user.

If successful, this request will also recursively delete all of the user's associated resources, including its cloud and cluster API keys.

Authorizations:
cloud-api-keyconfluent-sts-access-token
path Parameters
id
required
string

The unique identifier for the user.

Responses

Request samples

curl --request DELETE \
  --url 'https://api.confluent.cloud/iam/v2/users/{id}' \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

Response samples

Content type
application/json
{
  • "errors": [
    ]
}

Service Accounts (iam/v2)

General Availability

ServiceAccount objects are typically used to represent applications and other non-human principals that may access your Confluent resources.

The API allows you to create, retrieve, update, and delete individual service accounts, as well as list all your service accounts.

Related guide: Service Accounts in Confluent Cloud.

The Service Accounts Model

api_version
string
Value: "iam/v2"

APIVersion defines the schema version of this representation of a resource.

kind
string
Value: "ServiceAccount"

Kind defines the object this REST resource represents.

id
string <= 255 characters

ID is the "natural identifier" for an object within its scope/namespace; it is normally unique across time but not space. That is, you can assume that the ID will not be reclaimed and reused after an object is deleted ("time"); however, it may collide with IDs for other object kinds or objects of the same kind within a different scope/namespace ("space").

object

ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.

display_name
string

A human-readable name for the Service Account

description
string

A free-form description of the Service Account

{
  • "api_version": "iam/v2",
  • "kind": "ServiceAccount",
  • "id": "dlz-f3a90de",
  • "metadata": {},
  • "display_name": "DeLorean_auto_repair",
  • "description": "Doc's repair bot for the DeLorean"
}

Quotas and Limits

This resource is subject to the following quotas:

Quota Description
service_accounts_per_org Service Accounts in one Confluent Cloud organization

List of Service Accounts

General Availability

Retrieve a sorted, filtered, paginated list of all service accounts.

Authorizations:
cloud-api-keyconfluent-sts-access-token
query Parameters
page_size
integer <= 100
Default: 10

A pagination size for collection requests.

page_token
string <= 255 characters

An opaque pagination token for collection requests.

Responses

Request samples

curl --request GET \
  --url https://api.confluent.cloud/iam/v2/service-accounts \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

Response samples

Content type
application/json
{}

Create a Service Account

General Availability

Make a request to create a service account.

Authorizations:
cloud-api-keyconfluent-sts-access-token
Request Body schema: application/json
display_name
required
string

A human-readable name for the Service Account

description
string

A free-form description of the Service Account

Responses

Request samples

Content type
application/json
{
  • "display_name": "DeLorean_auto_repair",
  • "description": "Doc's repair bot for the DeLorean"
}

Response samples

Content type
application/json
{
  • "api_version": "iam/v2",
  • "kind": "ServiceAccount",
  • "id": "dlz-f3a90de",
  • "metadata": {},
  • "display_name": "DeLorean_auto_repair",
  • "description": "Doc's repair bot for the DeLorean"
}

Read a Service Account

General Availability

Make a request to read a service account.

Authorizations:
cloud-api-keyconfluent-sts-access-token
path Parameters
id
required
string

The unique identifier for the service account.

Responses

Request samples

curl --request GET \
  --url 'https://api.confluent.cloud/iam/v2/service-accounts/{id}' \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

Response samples

Content type
application/json
{
  • "api_version": "iam/v2",
  • "kind": "ServiceAccount",
  • "id": "dlz-f3a90de",
  • "metadata": {},
  • "display_name": "DeLorean_auto_repair",
  • "description": "Doc's repair bot for the DeLorean"
}

Update a Service Account

General Availability

Make a request to update a service account.

Authorizations:
cloud-api-keyconfluent-sts-access-token
path Parameters
id
required
string

The unique identifier for the service account.

Request Body schema: application/json
description
string

A free-form description of the Service Account

Responses

Request samples

Content type
application/json
{
  • "description": "Doc's repair bot for the DeLorean"
}

Response samples

Content type
application/json
{
  • "api_version": "iam/v2",
  • "kind": "ServiceAccount",
  • "id": "dlz-f3a90de",
  • "metadata": {},
  • "display_name": "DeLorean_auto_repair",
  • "description": "Doc's repair bot for the DeLorean"
}

Delete a Service Account

General Availability

Make a request to delete a service account.

If successful, this request will also recursively delete all of the service account's associated resources, including its cloud and cluster API keys.

Authorizations:
cloud-api-keyconfluent-sts-access-token
path Parameters
id
required
string

The unique identifier for the service account.

Responses

Request samples

curl --request DELETE \
  --url 'https://api.confluent.cloud/iam/v2/service-accounts/{id}' \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

Response samples

Content type
application/json
{
  • "errors": [
    ]
}

Invitations (iam/v2)

General Availability

Invitation objects represent invitations to invite users to join your organizations in Confluent Cloud.

The API allows you to list all your invitations, as well as create, read, and delete a specified invitation.

Related guide: User invitations in Confluent Cloud.

The Invitations Model

api_version
string
Value: "iam/v2"

APIVersion defines the schema version of this representation of a resource.

kind
string
Value: "Invitation"

Kind defines the object this REST resource represents.

id
string <= 255 characters

ID is the "natural identifier" for an object within its scope/namespace; it is normally unique across time but not space. That is, you can assume that the ID will not be reclaimed and reused after an object is deleted ("time"); however, it may collide with IDs for other object kinds or objects of the same kind within a different scope/namespace ("space").

object

ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.

email
string <email>

The user/invitee's email address

auth_type
string
extensible-enum: ["AUTH_TYPE_LOCAL","AUTH_TYPE_SSO"]

The user/invitee's authentication type. Note that only the OrganizationAdmin role can invite AUTH_TYPE_LOCAL users to SSO organizations. The user's auth_type is set as AUTH_TYPE_SSO by default if the organization has SSO enabled. Otherwise, the user's auth_type is AUTH_TYPE_LOCAL by default.

status
string
extensible-enum: ["INVITE_STATUS_SENT","INVITE_STATUS_STAGED","INVITE_STATUS_ACCEPTED","INVITE_STATUS_EXPIRED","INVITE_STATUS_DEACTIVATED"]

The status of invitations

accepted_at
string or null <date-time>

The timestamp that the invitation was accepted

expires_at
string <date-time>

The timestamp that the invitation will expire

object

The user/invitee

object

The invitation creator

{
  • "api_version": "iam/v2",
  • "kind": "Invitation",
  • "id": "dlz-f3a90de",
  • "metadata": {
    },
  • "email": "johndoe@confluent.io",
  • "auth_type": "AUTH_TYPE_SSO",
  • "status": "INVITE_STATUS_SENT",
  • "accepted_at": "2022-07-06T17:21:33Z",
  • "expires_at": "2022-07-07T17:22:39Z",
  • "user": {},
  • "creator": {}
}

Quotas and Limits

This resource is subject to the following quotas:

Quota Description
invitations_per_org Invitations in a Confluent Cloud organization

List of Invitations

General Availability

Retrieve a sorted, filtered, paginated list of all invitations.

Authorizations:
cloud-api-keyconfluent-sts-access-token
query Parameters
email
string (SearchFilter)
Example: email=johndoe@confluent.io

Filter the results by exact match for email.

status
string (SearchFilter)
Example: status=INVITE_STATUS_SENT

Filter the results by exact match for status.

user
string (SearchFilter)
Example: user=u-j93dy8

Filter the results by exact match for user.

creator
string (SearchFilter)
Example: creator=u-m2r9o7

Filter the results by exact match for creator.

page_size
integer <= 100
Default: 10

A pagination size for collection requests.

page_token
string <= 255 characters

An opaque pagination token for collection requests.

Responses

Request samples

curl --request GET \
  --url 'https://api.confluent.cloud/iam/v2/invitations?email=johndoe@confluent.io&status=INVITE_STATUS_SENT&user=u-j93dy8&creator=u-m2r9o7' \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

Response samples

Content type
application/json
{}

Create an Invitation

General Availability

Make a request to create an invitation.

The newly invited user will not have any permissions. Give the user permission by assigning them to one or more roles by creating role bindings for the created user.

Authorizations:
cloud-api-keyconfluent-sts-access-token
Request Body schema: application/json
email
required
string <email>

The user/invitee's email address

auth_type
string
extensible-enum: ["AUTH_TYPE_LOCAL","AUTH_TYPE_SSO"]

The user/invitee's authentication type. Note that only the OrganizationAdmin role can invite AUTH_TYPE_LOCAL users to SSO organizations. The user's auth_type is set as AUTH_TYPE_SSO by default if the organization has SSO enabled. Otherwise, the user's auth_type is AUTH_TYPE_LOCAL by default.

Responses

Request samples

Content type
application/json
{
  • "email": "johndoe@confluent.io",
  • "auth_type": "AUTH_TYPE_SSO"
}

Response samples

Content type
application/json
{
  • "api_version": "iam/v2",
  • "kind": "Invitation",
  • "id": "dlz-f3a90de",
  • "metadata": {
    },
  • "email": "johndoe@confluent.io",
  • "auth_type": "AUTH_TYPE_SSO",
  • "status": "INVITE_STATUS_SENT",
  • "accepted_at": "2022-07-06T17:21:33Z",
  • "expires_at": "2022-07-07T17:22:39Z",
  • "user": {},
  • "creator": {}
}

Read an Invitation

General Availability

Make a request to read an invitation.

Authorizations:
cloud-api-keyconfluent-sts-access-token
path Parameters
id
required
string

The unique identifier for the invitation.

Responses

Request samples

curl --request GET \
  --url 'https://api.confluent.cloud/iam/v2/invitations/{id}' \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

Response samples

Content type
application/json
{
  • "api_version": "iam/v2",
  • "kind": "Invitation",
  • "id": "dlz-f3a90de",
  • "metadata": {
    },
  • "email": "johndoe@confluent.io",
  • "auth_type": "AUTH_TYPE_SSO",
  • "status": "INVITE_STATUS_SENT",
  • "accepted_at": "2022-07-06T17:21:33Z",
  • "expires_at": "2022-07-07T17:22:39Z",
  • "user": {},
  • "creator": {}
}

Delete an Invitation

General Availability

Make a request to delete an invitation.

Delete will deactivate the user if the user didn't accept the invitation yet.

Authorizations:
cloud-api-keyconfluent-sts-access-token
path Parameters
id
required
string

The unique identifier for the invitation.

Responses

Request samples

curl --request DELETE \
  --url 'https://api.confluent.cloud/iam/v2/invitations/{id}' \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

Response samples

Content type
application/json
{
  • "errors": [
    ]
}

IP Groups (iam/v2)

Limited Availability Request Access To IP Groups API

Definitions of networks which can be named and referred by IP blocks, commonly used to attach to IP Filter rules.

The IP Groups Model

api_version
string
Value: "iam/v2"

APIVersion defines the schema version of this representation of a resource.

kind
string
Value: "IpGroup"

Kind defines the object this REST resource represents.

id
string <= 255 characters

ID is the "natural identifier" for an object within its scope/namespace; it is normally unique across time but not space. That is, you can assume that the ID will not be reclaimed and reused after an object is deleted ("time"); however, it may collide with IDs for other object kinds or objects of the same kind within a different scope/namespace ("space").

object

ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.

group_name
string [ 1 .. 64 ] characters

A human readable name for an IP Group. Can contain any unicode letter or number, the ASCII space character, or any of the following special characters: [, ], |, &, +, -, _, /, ., ,.

cidr_blocks
Array of strings non-empty

A list of CIDRs.

{
  • "api_version": "iam/v2",
  • "kind": "IpGroup",
  • "id": "dlz-f3a90de",
  • "metadata": {
    },
  • "group_name": "CorpNet",
  • "cidr_blocks": [
    ]
}

List of IP Groups

Limited Availability Request Access To IP Groups API

Retrieve a sorted, filtered, paginated list of all IP groups.

Authorizations:
cloud-api-keyconfluent-sts-access-token
query Parameters
page_size
integer <= 100
Default: 25

A pagination size for collection requests.

page_token
string <= 255 characters

An opaque pagination token for collection requests.

Responses

Request samples

curl --request GET \
  --url https://api.confluent.cloud/iam/v2/ip-groups \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

Response samples

Content type
application/json
{}

Create an IP Group

Limited Availability Request Access To IP Groups API

Make a request to create an IP group.

Authorizations:
cloud-api-keyconfluent-sts-access-token
Request Body schema: application/json
group_name
required
string [ 1 .. 64 ] characters

A human readable name for an IP Group. Can contain any unicode letter or number, the ASCII space character, or any of the following special characters: [, ], |, &, +, -, _, /, ., ,.

cidr_blocks
required
Array of strings non-empty

A list of CIDRs.

Responses

Request samples

Content type
application/json
{
  • "group_name": "CorpNet",
  • "cidr_blocks": [
    ]
}

Response samples

Content type
application/json
{
  • "api_version": "iam/v2",
  • "kind": "IpGroup",
  • "id": "dlz-f3a90de",
  • "metadata": {
    },
  • "group_name": "CorpNet",
  • "cidr_blocks": [
    ]
}

Read an IP Group

Limited Availability Request Access To IP Groups API

Make a request to read an IP group.

Authorizations:
cloud-api-keyconfluent-sts-access-token
path Parameters
id
required
string

The unique identifier for the IP group.

Responses

Request samples

curl --request GET \
  --url 'https://api.confluent.cloud/iam/v2/ip-groups/{id}' \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

Response samples

Content type
application/json
{
  • "api_version": "iam/v2",
  • "kind": "IpGroup",
  • "id": "dlz-f3a90de",
  • "metadata": {
    },
  • "group_name": "CorpNet",
  • "cidr_blocks": [
    ]
}

Update an IP Group

Limited Availability Request Access To IP Groups API

Make a request to update an IP group.

Authorizations:
cloud-api-keyconfluent-sts-access-token
path Parameters
id
required
string

The unique identifier for the IP group.

Request Body schema: application/json
group_name
string [ 1 .. 64 ] characters

A human readable name for an IP Group. Can contain any unicode letter or number, the ASCII space character, or any of the following special characters: [, ], |, &, +, -, _, /, ., ,.

cidr_blocks
Array of strings non-empty

A list of CIDRs.

Responses

Request samples

Content type
application/json
{
  • "group_name": "CorpNet",
  • "cidr_blocks": [
    ]
}

Response samples

Content type
application/json
{
  • "api_version": "iam/v2",
  • "kind": "IpGroup",
  • "id": "dlz-f3a90de",
  • "metadata": {
    },
  • "group_name": "CorpNet",
  • "cidr_blocks": [
    ]
}

Delete an IP Group

Limited Availability Request Access To IP Groups API

Make a request to delete an IP group.

Authorizations:
cloud-api-keyconfluent-sts-access-token
path Parameters
id
required
string

The unique identifier for the IP group.

Responses

Request samples

curl --request DELETE \
  --url 'https://api.confluent.cloud/iam/v2/ip-groups/{id}' \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

Response samples

Content type
application/json
{
  • "errors": [
    ]
}

IP Filters (iam/v2)

Limited Availability Request Access To IP Filters API

IP Filter objects are bindings between IP Groups and Confluent resource(s). For example, a binding between "CorpNet" and "Management APIs" will enforce that access must come from one of the CIDR blocks associated with CorpNet. If there are multiple IP filters bound to a resource, a request matching any of the CIDR blocks for any of the IP Group will allow the request. If there are no IP Filters for a resource, then access will be granted to requests originating from any IP Address.

The IP Filters Model

api_version
string
Value: "iam/v2"

APIVersion defines the schema version of this representation of a resource.

kind
string
Value: "IpFilter"

Kind defines the object this REST resource represents.

id
string <= 255 characters

ID is the "natural identifier" for an object within its scope/namespace; it is normally unique across time but not space. That is, you can assume that the ID will not be reclaimed and reused after an object is deleted ("time"); however, it may collide with IDs for other object kinds or objects of the same kind within a different scope/namespace ("space").

object

ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.

filter_name
string [ 1 .. 64 ] characters

A human readable name for an IP Filter. Can contain any unicode letter or number, the ASCII space character, or any of the following special characters: [, ], |, &, +, -, _, /, ., ,.

resource_group
string

Scope of resources covered by this IP filter. The only resource_group currently available is "management".

Array of objects (GlobalObjectReference) non-empty

A list of IP Groups.

{
  • "api_version": "iam/v2",
  • "kind": "IpFilter",
  • "id": "dlz-f3a90de",
  • "metadata": {
    },
  • "filter_name": "Management API Rules",
  • "resource_group": "management",
  • "ip_groups": []
}

List of IP Filters

Limited Availability Request Access To IP Filters API

Retrieve a sorted, filtered, paginated list of all IP filters.

Authorizations:
cloud-api-keyconfluent-sts-access-token
query Parameters
page_size
integer <= 100
Default: 25

A pagination size for collection requests.

page_token
string <= 255 characters

An opaque pagination token for collection requests.

Responses

Request samples

curl --request GET \
  --url https://api.confluent.cloud/iam/v2/ip-filters \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

Response samples

Content type
application/json
{}

Create an IP Filter

Limited Availability Request Access To IP Filters API

Make a request to create an IP filter.

Authorizations:
cloud-api-keyconfluent-sts-access-token
Request Body schema: application/json
filter_name
required
string [ 1 .. 64 ] characters

A human readable name for an IP Filter. Can contain any unicode letter or number, the ASCII space character, or any of the following special characters: [, ], |, &, +, -, _, /, ., ,.

resource_group
required
string

Scope of resources covered by this IP filter. The only resource_group currently available is "management".

required
Array of objects (GlobalObjectReference) non-empty

A list of IP Groups.

Responses

Request samples

Content type
application/json
{
  • "filter_name": "Management API Rules",
  • "resource_group": "management",
  • "ip_groups": [
    ]
}

Response samples

Content type
application/json
{
  • "api_version": "iam/v2",
  • "kind": "IpFilter",
  • "id": "dlz-f3a90de",
  • "metadata": {
    },
  • "filter_name": "Management API Rules",
  • "resource_group": "management",
  • "ip_groups": []
}

Read an IP Filter

Limited Availability Request Access To IP Filters API

Make a request to read an IP filter.

Authorizations:
cloud-api-keyconfluent-sts-access-token
path Parameters
id
required
string

The unique identifier for the IP filter.

Responses

Request samples

curl --request GET \
  --url 'https://api.confluent.cloud/iam/v2/ip-filters/{id}' \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

Response samples

Content type
application/json
{
  • "api_version": "iam/v2",
  • "kind": "IpFilter",
  • "id": "dlz-f3a90de",
  • "metadata": {
    },
  • "filter_name": "Management API Rules",
  • "resource_group": "management",
  • "ip_groups": []
}

Update an IP Filter

Limited Availability Request Access To IP Filters API

Make a request to update an IP filter.

Authorizations:
cloud-api-keyconfluent-sts-access-token
path Parameters
id
required
string

The unique identifier for the IP filter.

Request Body schema: application/json
filter_name
string [ 1 .. 64 ] characters

A human readable name for an IP Filter. Can contain any unicode letter or number, the ASCII space character, or any of the following special characters: [, ], |, &, +, -, _, /, ., ,.

resource_group
string

Scope of resources covered by this IP filter. The only resource_group currently available is "management".

Array of objects (GlobalObjectReference) non-empty

A list of IP Groups.

Responses

Request samples

Content type
application/json
{
  • "filter_name": "Management API Rules",
  • "resource_group": "management",
  • "ip_groups": [
    ]
}

Response samples

Content type
application/json
{
  • "api_version": "iam/v2",
  • "kind": "IpFilter",
  • "id": "dlz-f3a90de",
  • "metadata": {
    },
  • "filter_name": "Management API Rules",
  • "resource_group": "management",
  • "ip_groups": []
}

Delete an IP Filter

Limited Availability Request Access To IP Filters API

Make a request to delete an IP filter.

Authorizations:
cloud-api-keyconfluent-sts-access-token
path Parameters
id
required
string

The unique identifier for the IP filter.

Responses

Request samples

curl --request DELETE \
  --url 'https://api.confluent.cloud/iam/v2/ip-filters/{id}' \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

Response samples

Content type
application/json
{
  • "errors": [
    ]
}

Role Bindings (iam/v2)

General Availability

A role binding grants a Principal a role on resources that match a pattern.

The API allows you to perform create, delete, and list operations on role bindings.

Related guide: Role-Based Access Control (RBAC).

The Role Bindings Model

api_version
string
Value: "iam/v2"

APIVersion defines the schema version of this representation of a resource.

kind
string
Value: "RoleBinding"

Kind defines the object this REST resource represents.

id
string <= 255 characters

ID is the "natural identifier" for an object within its scope/namespace; it is normally unique across time but not space. That is, you can assume that the ID will not be reclaimed and reused after an object is deleted ("time"); however, it may collide with IDs for other object kinds or objects of the same kind within a different scope/namespace ("space").

object

ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.

principal
string(^User:.+$)

The principal User to bind the role to

role_name
string

The name of the role to bind to the principal

crn_pattern
string <uri> ^crn://.+$

A CRN that specifies the scope and resource patterns necessary for the role to bind

{
  • "api_version": "iam/v2",
  • "kind": "RoleBinding",
  • "id": "dlz-f3a90de",
  • "metadata": {
    },
  • "principal": "User:u-111aaa",
  • "role_name": "CloudClusterAdmin",
  • "crn_pattern": "crn://confluent.cloud/organization=1111aaaa-11aa-11aa-11aa-111111aaaaaa/environment=env-aaa1111/cloud-cluster=lkc-1111aaa"
}

List of Role Bindings

General Availability

Retrieve a sorted, filtered, paginated list of all role bindings.

Authorizations:
cloud-api-keyconfluent-sts-access-token
query Parameters
principal
string (SearchFilter)
Example: principal=User:u-111aaa

Filter the results by exact match for principal.

role_name
string (SearchFilter)
Example: role_name=CloudClusterAdmin

Filter the results by exact match for role_name.

crn_pattern
required
string (SearchFilter)
Example: crn_pattern=crn://confluent.cloud/organization=1111aaaa-11aa-11aa-11aa-111111aaaaaa/environment=env-aaa1111/cloud-cluster=lkc-1111aaa

Filter the results by a partial search of crn_pattern.

page_size
integer <= 1000
Default: 1000

A pagination size for collection requests.

page_token
string <= 255 characters

An opaque pagination token for collection requests.

Responses

Request samples

curl --request GET \
  --url 'https://api.confluent.cloud/iam/v2/role-bindings?principal=User:u-111aaa&role_name=CloudClusterAdmin&crn_pattern=crn://confluent.cloud/organization=1111aaaa-11aa-11aa-11aa-111111aaaaaa/environment=env-aaa1111/cloud-cluster=lkc-1111aaa' \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

Response samples

Content type
application/json
{}

Create a Role Binding

General Availability

Make a request to create a role binding.

Authorizations:
cloud-api-keyconfluent-sts-access-token
Request Body schema: application/json
principal
required
string(^User:.+$)

The principal User to bind the role to

role_name
required
string

The name of the role to bind to the principal

crn_pattern
required
string <uri> ^crn://.+$

A CRN that specifies the scope and resource patterns necessary for the role to bind

Responses

Request samples

Content type
application/json
{
  • "principal": "User:u-111aaa",
  • "role_name": "CloudClusterAdmin",
  • "crn_pattern": "crn://confluent.cloud/organization=1111aaaa-11aa-11aa-11aa-111111aaaaaa/environment=env-aaa1111/cloud-cluster=lkc-1111aaa"
}

Response samples

Content type
application/json
{
  • "api_version": "iam/v2",
  • "kind": "RoleBinding",
  • "id": "dlz-f3a90de",
  • "metadata": {
    },
  • "principal": "User:u-111aaa",
  • "role_name": "CloudClusterAdmin",
  • "crn_pattern": "crn://confluent.cloud/organization=1111aaaa-11aa-11aa-11aa-111111aaaaaa/environment=env-aaa1111/cloud-cluster=lkc-1111aaa"
}

Read a Role Binding

General Availability

Make a request to read a role binding.

Authorizations:
cloud-api-keyconfluent-sts-access-token
path Parameters
id
required
string

The unique identifier for the role binding.

Responses

Request samples

curl --request GET \
  --url 'https://api.confluent.cloud/iam/v2/role-bindings/{id}' \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

Response samples

Content type
application/json
{
  • "api_version": "iam/v2",
  • "kind": "RoleBinding",
  • "id": "dlz-f3a90de",
  • "metadata": {
    },
  • "principal": "User:u-111aaa",
  • "role_name": "CloudClusterAdmin",
  • "crn_pattern": "crn://confluent.cloud/organization=1111aaaa-11aa-11aa-11aa-111111aaaaaa/environment=env-aaa1111/cloud-cluster=lkc-1111aaa"
}

Delete a Role Binding

General Availability

Make a request to delete a role binding.

Authorizations:
cloud-api-keyconfluent-sts-access-token
path Parameters
id
required
string

The unique identifier for the role binding.

Responses

Request samples

curl --request DELETE \
  --url 'https://api.confluent.cloud/iam/v2/role-bindings/{id}' \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

Response samples

Content type
application/json
{
  • "api_version": "iam/v2",
  • "kind": "RoleBinding",
  • "id": "dlz-f3a90de",
  • "metadata": {
    },
  • "principal": "User:u-111aaa",
  • "role_name": "CloudClusterAdmin",
  • "crn_pattern": "crn://confluent.cloud/organization=1111aaaa-11aa-11aa-11aa-111111aaaaaa/environment=env-aaa1111/cloud-cluster=lkc-1111aaa"
}

Identity Providers (iam/v2)

General Availability

IdentityProvider objects represent external OAuth-OIDC providers in Confluent Cloud.

The API allows you to list, create, read, update, and delete your Identity Provider.

Related guide: OAuth for Confluent Cloud.

The Identity Providers Model

api_version
string
Value: "iam/v2"

APIVersion defines the schema version of this representation of a resource.

kind
string
Value: "IdentityProvider"

Kind defines the object this REST resource represents.

id
string <= 255 characters

ID is the "natural identifier" for an object within its scope/namespace; it is normally unique across time but not space. That is, you can assume that the ID will not be reclaimed and reused after an object is deleted ("time"); however, it may collide with IDs for other object kinds or objects of the same kind within a different scope/namespace ("space").

object

ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.

display_name
string

The human-readable name of the OAuth identity provider.

description
string

A description of the identity provider.

state
string
extensible-enum: ["ENABLED"]

The current state of the identity provider.

issuer
string <uri>

A publicly accessible URL uniquely identifying the OAuth identity provider authorized to issue access tokens.

jwks_uri
string <uri>

A publicly accessible JSON Web Key Set (JWKS) URI for the OAuth identity provider. JWKS provides a set of crypotgraphic keys used to verify the authenticity and integrity of JSON Web Tokens (JWTs) issued by the OAuth identity provider.

Array of objects (iam.v2.JwksObject)

The JWKS issued by the OAuth identity provider. Only kid (key ID) and alg (algorithm) properties for each key set are included.

{}

Quotas and Limits

This resource is subject to the following quotas:

Quota Description
identity_providers_per_org Number of OAuth identity providers per organization
public_keys_per_provider Number of public keys saved per identity provider

List of Identity Providers

General Availability

Retrieve a sorted, filtered, paginated list of all identity providers.

Authorizations:
cloud-api-keyconfluent-sts-access-token
query Parameters
page_size
integer <= 100
Default: 10

A pagination size for collection requests.

page_token
string <= 255 characters

An opaque pagination token for collection requests.

Responses

Request samples

curl --request GET \
  --url https://api.confluent.cloud/iam/v2/identity-providers \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

Response samples

Content type
application/json
{}

Create an Identity Provider

General Availability

Make a request to create an identity provider.

Authorizations:
cloud-api-keyconfluent-sts-access-token
Request Body schema: application/json
display_name
required
string

The human-readable name of the OAuth identity provider.

description
required
string

A description of the identity provider.

issuer
required
string <uri>

A publicly accessible URL uniquely identifying the OAuth identity provider authorized to issue access tokens.

jwks_uri
required
string <uri>

A publicly accessible JSON Web Key Set (JWKS) URI for the OAuth identity provider. JWKS provides a set of crypotgraphic keys used to verify the authenticity and integrity of JSON Web Tokens (JWTs) issued by the OAuth identity provider.

Responses

Request samples

Content type
application/json
{}

Response samples

Content type
application/json
{}

Read an Identity Provider

General Availability

Make a request to read an identity provider.

Authorizations:
cloud-api-keyconfluent-sts-access-token
path Parameters
id
required
string

The unique identifier for the identity provider.

Responses

Request samples

curl --request GET \
  --url 'https://api.confluent.cloud/iam/v2/identity-providers/{id}' \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

Response samples

Content type
application/json
{}

Update an Identity Provider

General Availability

Make a request to update an identity provider.

Authorizations:
cloud-api-keyconfluent-sts-access-token
path Parameters
id
required
string

The unique identifier for the identity provider.

Request Body schema: application/json
display_name
string

The human-readable name of the OAuth identity provider.

description
string

A description of the identity provider.

issuer
string <uri>

A publicly accessible URL uniquely identifying the OAuth identity provider authorized to issue access tokens.

jwks_uri
string <uri>

A publicly accessible JSON Web Key Set (JWKS) URI for the OAuth identity provider. JWKS provides a set of crypotgraphic keys used to verify the authenticity and integrity of JSON Web Tokens (JWTs) issued by the OAuth identity provider.

Responses

Request samples

Content type
application/json
{}

Response samples

Content type
application/json
{}

Delete an Identity Provider

General Availability

Make a request to delete an identity provider.

Authorizations:
cloud-api-keyconfluent-sts-access-token
path Parameters
id
required
string

The unique identifier for the identity provider.

Responses

Request samples

curl --request DELETE \
  --url 'https://api.confluent.cloud/iam/v2/identity-providers/{id}' \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

Response samples

Content type
application/json
{
  • "errors": [
    ]
}

Jwks (iam/v2)

General Availability

JWKS objects represent public key sets for a specific OAuth/OpenID Connect provider within Confluent Cloud.

The API allows you to refresh JWKS public key data.

Related guide: OAuth for Confluent Cloud.

The Jwks Model

api_version
string
Value: "iam/v2"

APIVersion defines the schema version of this representation of a resource.

kind
string
Value: "Jwks"

Kind defines the object this REST resource represents.

object (iam.v2.JwksSpec)

The desired state of the Jwks

object (iam.v2.JwksStatus)

The status of the Jwks

{
  • "api_version": "iam/v2",
  • "kind": "Jwks",
  • "spec": {
    },
  • "status": {
    }
}

Refresh a provider's JWKS

General Availability

Make a request to refresh the provider's JWKS

Authorizations:
cloud-api-keyconfluent-sts-access-token
path Parameters
provider_id
required
string

The Provider

Request Body schema: application/json