API Reference
Aembit REST API
Base URL: https://control.aembit.io. Every path below is versioned under /v1 and is relative to that host. All requests require the Authorization: Bearer <api-key> header. API keys are scoped to your tenant and can be created in the console under Settings → API Keys; they are tenant-wide credentials, so keep them in a secret manager rather than in source control or container images.
Workload Identities
List workloads
Returns a paginated list of workload identity registrations for the authenticated tenant. Pagination is cursor based: pass the next_cursor value from one response as the cursor query parameter of the next request, and treat the cursor as an opaque string rather than decoding or constructing it.
# Request
GET /v1/workloads?limit=20&cursor=eyJpZCI6MX0
Authorization: Bearer aem_key_xxxxxxxxxxxxxxxx
# Response 200
{
  "data": [
    {
      "id": "wl_7FvkJq3mNpxT",
      "name": "payment-service",
      "attestation_type": "kubernetes-service-account",
      "namespace": "production",
      "service_account": "payment-svc",
      "created_at": "2026-04-10T09:31:00Z"
    }
  ],
  "next_cursor": "eyJpZCI6Mn0"
}
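Walking the paginated list from a client, as an added example (this is not Aembit's SDK or sample code). It assumes the response shape shown above, treats the cursor as opaque, and stops when a page carries no next_cursor (whether the last page omits the field or returns null is an assumption of this example; both are handled). The transport is injectable, so the constructed pages let it run offline, and the loop refuses a cursor it has already seen so a misbehaving or replayed response cannot spin it forever.

```python
"""Follow next_cursor through GET /v1/workloads.

Added example, not Aembit's own client code. Assumes a JSON body with "data"
and an optional "next_cursor"; the cursor is never parsed.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, Optional

BASE_URL = "https://control.aembit.io"

# A transport takes a prepared request and returns the decoded JSON body.
Transport = Callable[[urllib.request.Request], dict]


def http_transport(req: urllib.request.Request) -> dict:
    """Real HTTPS call; not exercised by the offline demo below."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def build_list_request(api_key: str, limit: int, cursor: Optional[str]) -> urllib.request.Request:
    """GET /v1/workloads with the bearer header and an encoded query string."""
    params = {"limit": str(limit)}
    if cursor:
        params["cursor"] = cursor  # passed through untouched: the server owns its format
    url = f"{BASE_URL}/v1/workloads?{urllib.parse.urlencode(params)}"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})


def iter_workloads(api_key: str, limit: int = 20, transport: Transport = http_transport,
                   max_pages: int = 1000) -> Iterator[dict]:
    """Yield every registration, page by page, until no next_cursor comes back."""
    cursor: Optional[str] = None
    seen = set()
    for _ in range(max_pages):
        page = transport(build_list_request(api_key, limit, cursor))
        yield from page.get("data", [])
        cursor = page.get("next_cursor")
        if not cursor:            # assumption: missing or null cursor means last page
            return
        if cursor in seen:        # a repeated cursor would otherwise loop forever
            raise RuntimeError(f"cursor repeated: {cursor}")
        seen.add(cursor)
    raise RuntimeError("max_pages exceeded without reaching the last page")


# --- offline demo with constructed pages -------------------------------------
# Constructed: two pages whose ids and cursors mirror the examples on this page.
FAKE_PAGES: Dict[Optional[str], dict] = {
    None: {"data": [{"id": "wl_7FvkJq3mNpxT", "name": "payment-service"}],
           "next_cursor": "eyJpZCI6Mn0"},
    "eyJpZCI6Mn0": {"data": [{"id": "wl_9GhKpR4nQtzV", "name": "inventory-service"}]},
}


def fake_transport(req: urllib.request.Request) -> dict:
    """Serve FAKE_PAGES keyed by the cursor parameter; insist on the bearer header."""
    if not req.get_header("Authorization", "").startswith("Bearer "):
        raise ValueError("missing Authorization header")
    qs = urllib.parse.parse_qs(urllib.parse.urlparse(req.full_url).query)
    return FAKE_PAGES[qs.get("cursor", [None])[0]]


def collect_names(transport: Transport = fake_transport) -> list:
    return [w["name"] for w in iter_workloads("aem_key_xxxxxxxxxxxxxxxx", transport=transport)]


def detects_cursor_loop() -> bool:
    """A server that keeps returning the same next_cursor must be rejected, not followed."""
    def looping(req: urllib.request.Request) -> dict:
        return {"data": [], "next_cursor": "eyJpZCI6MX0"}
    try:
        list(iter_workloads("k", transport=looping))
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(collect_names())
```

Swap fake_transport for http_transport to run against the live API; nothing else changes.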
Create workload
Creates a new workload identity registration with the specified attestation policy. The attestation object is what the workload must prove at runtime to receive this identity; for kubernetes-service-account that is the namespace and service account name, so a pod presenting a service account JWT for a different namespace or account does not match this registration.
# Request
POST /v1/workloads
Content-Type: application/json
{
  "name": "inventory-service",
  "attestation": {
    "type": "kubernetes-service-account",
    "namespace": "production",
    "service_account": "inventory-svc"
  }
}
# Response 201 Created
{
  "id": "wl_9GhKpR4nQtzV",
  "name": "inventory-service",
  "status": "active"
}
Delete workload
Permanently removes a workload registration. Running workloads that carry this identity stop receiving new tokens after the next attestation cycle. Tokens that were already issued are not recalled: a bearer token stays usable until its expires_in elapses (300 seconds in the examples on this page), so deletion stops future issuance rather than revoking tokens in flight.
# Request
DELETE /v1/workloads/wl_7FvkJq3mNpxT
# Response 204 No Content
Token Exchange
Accepts a workload attestation (a SPIFFE SVID, a Kubernetes service account JWT, or a cloud provider identity token) and returns a short-lived OIDC token for the specified target audience. The request and response fields use the OAuth 2.0 Token Exchange (RFC 8693) vocabulary, carried here as a JSON body. This is the core token exchange endpoint used by the proxy sidecar. The returned token is bound to the requested audience and expires after expires_in seconds, so a caller should hold one token per target and obtain a fresh one before that lifetime runs out rather than reuse a token across audiences.
# Request
POST /v1/token-exchange
Content-Type: application/json
{
  "subject_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "audience": "https://api.stripe.com",
  "requested_token_type": "urn:ietf:params:oauth:token-type:access_token"
}
# Response 200
{
  "access_token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9...",
  "issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
  "token_type": "Bearer",
  "expires_in": 300
}
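A caller-side view of the exchange above, as an added example (not the Aembit sidecar or SDK). It posts the request body shown on this page, caches one token per audience, and re-exchanges once fewer than a refresh skew of seconds remain; the 30-second skew, the REFRESH_SKEW name and the TokenCache class are this example's own choices. It also refuses a response whose issued_token_type or token_type is not what was requested. The transport and clock are injected so the constructed server response, which mirrors the 200 body above, lets it run offline.

```python
"""Token exchange with refresh-before-expiry caching.

Added example; this is not the Aembit sidecar or SDK. Sends the JSON body
shown on this page to /v1/token-exchange and keeps one token per audience.
"""
import json
import time
import urllib.request
from typing import Callable, Dict, List, Tuple

BASE_URL = "https://control.aembit.io"
JWT_TYPE = "urn:ietf:params:oauth:token-type:jwt"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
REFRESH_SKEW = 30  # assumption of this example: refresh once under 30 s of life remain


def exchange_request(api_key: str, subject_token: str, audience: str) -> urllib.request.Request:
    """POST /v1/token-exchange with the RFC 8693 field names used on this page."""
    body = json.dumps({
        "subject_token": subject_token,
        "subject_token_type": JWT_TYPE,
        "audience": audience,
        "requested_token_type": ACCESS_TOKEN_TYPE,
    }).encode()
    return urllib.request.Request(
        f"{BASE_URL}/v1/token-exchange", data=body, method="POST",
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
    )


def http_transport(req: urllib.request.Request) -> dict:
    """Real HTTPS call; not exercised by the offline demo."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """One cached token per audience; never hands out a token about to expire."""

    def __init__(self, api_key: str, subject_token_provider: Callable[[], str],
                 transport: Callable[[urllib.request.Request], dict] = http_transport,
                 clock: Callable[[], float] = time.monotonic):
        self.api_key = api_key
        self.subject_token_provider = subject_token_provider  # re-read per exchange: SVIDs and SA JWTs rotate
        self.transport = transport
        self.clock = clock
        self.exchanges = 0
        self._tokens: Dict[str, Tuple[str, float]] = {}  # audience -> (token, expires_at)

    def token_for(self, audience: str) -> str:
        now = self.clock()
        cached = self._tokens.get(audience)
        if cached and cached[1] - now > REFRESH_SKEW:
            return cached[0]
        resp = self.transport(exchange_request(self.api_key, self.subject_token_provider(), audience))
        # Refuse anything other than the bearer access token that was requested.
        if resp.get("issued_token_type") != ACCESS_TOKEN_TYPE or str(resp.get("token_type", "")).lower() != "bearer":
            raise ValueError(f"unexpected token response: {resp}")
        ttl = int(resp["expires_in"])
        if ttl <= REFRESH_SKEW:
            raise ValueError(f"expires_in={ttl} leaves no usable lifetime")
        self._tokens[audience] = (resp["access_token"], now + ttl)
        self.exchanges += 1
        return resp["access_token"]


# --- offline demo with a constructed server ----------------------------------
class FakeClock:
    def __init__(self) -> None:
        self.t = 1000.0

    def __call__(self) -> float:
        return self.t


def make_fake_transport(log: List[dict], expires_in: int = 300):
    """Constructed server: returns the page's 200 shape; the token embeds a counter so refreshes show."""
    def transport(req: urllib.request.Request) -> dict:
        body = json.loads(req.data)
        log.append(body)
        return {"access_token": f"tok{len(log)}.{body['audience']}",
                "issued_token_type": ACCESS_TOKEN_TYPE, "token_type": "Bearer", "expires_in": expires_in}
    return transport


def demo() -> dict:
    """Fresh exchange, cache hit, refresh inside the skew window, then a second audience."""
    clock, log = FakeClock(), []
    cache = TokenCache("aem_key_xxxxxxxxxxxxxxxx", lambda: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.e30.sig",
                       make_fake_transport(log), clock)
    first = cache.token_for("https://api.stripe.com")
    clock.t += 200                                            # 100 s left: served from cache
    second = cache.token_for("https://api.stripe.com")
    clock.t += 80                                             # 20 s left (< skew): exchanged again
    third = cache.token_for("https://api.stripe.com")
    other = cache.token_for("https://api.example.invalid")    # separate token per audience
    return {"first": first, "second": second, "third": third, "other": other,
            "exchanges": cache.exchanges, "bodies": log}


def rejects_wrong_issued_type() -> bool:
    """A response with a different issued_token_type must be neither cached nor returned."""
    def bad(req: urllib.request.Request) -> dict:
        return {"access_token": "x", "issued_token_type": "urn:ietf:params:oauth:token-type:id_token",
                "token_type": "Bearer", "expires_in": 300}
    try:
        TokenCache("k", lambda: "jwt", bad, FakeClock()).token_for("https://api.stripe.com")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The subject token is fetched through a callable rather than stored, because the SVID or service account JWT presented as subject_token is itself rotated and the exchange should always carry the current one.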
Audit Log
Returns a paginated list of authentication events. Filter by workload ID (workload_id), target service, time range (since, an RFC 3339 timestamp), or event type. Each token.issued event records the audience and ttl_seconds of the token handed out, which is the data to reconcile against your registrations and the target services each workload is expected to reach.
# Request
GET /v1/audit?workload_id=wl_7FvkJq3mNpxT&since=2026-06-01T00:00:00Z
# Response 200
{
  "events": [
    {
      "id": "evt_01HXYZ",
      "type": "token.issued",
      "workload_id": "wl_7FvkJq3mNpxT",
      "target_service": "stripe-api",
      "audience": "https://api.stripe.com",
      "ttl_seconds": 300,
      "timestamp": "2026-06-15T14:22:01Z"
    }
  ]
}
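Three detections a tenant might run over the events returned by this endpoint, as an added example (not part of the Aembit API or product): a token issued for an audience that is not registered for that workload, a token whose ttl_seconds exceeds the expected ceiling, and a burst of issuances for one workload inside a sliding window. The sample events are constructed to match the event shape above; the per-workload audience allowlist, the 300-second TTL ceiling and the more-than-five-per-minute burst rule are assumptions a tenant would set from its own registrations and policy.

```python
"""Detections over /v1/audit token.issued events.

Added example; not part of the Aembit API or product. Events are constructed
to mirror the event shape documented on this page.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample: one response's "events" array, one JSON object per line.
SAMPLE_EVENTS = """\
{"id":"evt_0001","type":"token.issued","workload_id":"wl_7FvkJq3mNpxT","target_service":"stripe-api","audience":"https://api.stripe.com","ttl_seconds":300,"timestamp":"2026-06-15T14:22:01Z"}
{"id":"evt_0002","type":"token.issued","workload_id":"wl_7FvkJq3mNpxT","target_service":"stripe-api","audience":"https://api.stripe.com","ttl_seconds":300,"timestamp":"2026-06-15T14:22:03Z"}
{"id":"evt_0003","type":"token.issued","workload_id":"wl_7FvkJq3mNpxT","target_service":"stripe-api","audience":"https://api.stripe.com","ttl_seconds":300,"timestamp":"2026-06-15T14:22:05Z"}
{"id":"evt_0004","type":"token.issued","workload_id":"wl_7FvkJq3mNpxT","target_service":"stripe-api","audience":"https://api.stripe.com","ttl_seconds":300,"timestamp":"2026-06-15T14:22:07Z"}
{"id":"evt_0005","type":"token.issued","workload_id":"wl_7FvkJq3mNpxT","target_service":"unknown","audience":"https://api.unexpected.invalid","ttl_seconds":300,"timestamp":"2026-06-15T14:22:09Z"}
{"id":"evt_0006","type":"token.issued","workload_id":"wl_7FvkJq3mNpxT","target_service":"stripe-api","audience":"https://api.stripe.com","ttl_seconds":300,"timestamp":"2026-06-15T14:22:11Z"}
{"id":"evt_0007","type":"token.issued","workload_id":"wl_9GhKpR4nQtzV","target_service":"warehouse-api","audience":"https://warehouse.internal","ttl_seconds":3600,"timestamp":"2026-06-15T14:30:00Z"}
{"id":"evt_0008","type":"token.issued","workload_id":"wl_9GhKpR4nQtzV","target_service":"warehouse-api","audience":"https://warehouse.internal","ttl_seconds":300,"timestamp":"2026-06-15T15:30:00Z"}
"""

# Assumptions of this example: what each registered workload is allowed to reach,
# the longest lifetime policy should ever hand out, and what counts as a burst.
ALLOWED_AUDIENCES: Dict[str, Set[str]] = {
    "wl_7FvkJq3mNpxT": {"https://api.stripe.com"},
    "wl_9GhKpR4nQtzV": {"https://warehouse.internal"},
}
MAX_TTL_SECONDS = 300
BURST_THRESHOLD = 5                     # more than this many issuances ...
BURST_WINDOW = timedelta(seconds=60)    # ... inside this window is a burst


def parse_events(jsonl: str) -> List[dict]:
    """Decode JSON Lines and sort by timestamp so window logic sees events in order."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def unexpected_audiences(events: List[dict], allowlist: Dict[str, Set[str]] = ALLOWED_AUDIENCES) -> List[str]:
    """token.issued events whose audience is not registered for that workload.
    A workload_id absent from the allowlist has no permitted audiences, so it is flagged too."""
    return [e["id"] for e in events
            if e["type"] == "token.issued" and e["audience"] not in allowlist.get(e["workload_id"], set())]


def long_ttls(events: List[dict], max_ttl: int = MAX_TTL_SECONDS) -> List[str]:
    """Tokens that outlive the ceiling policy is expected to enforce."""
    return [e["id"] for e in events if e["type"] == "token.issued" and e["ttl_seconds"] > max_ttl]


def bursts(events: List[dict], threshold: int = BURST_THRESHOLD, window: timedelta = BURST_WINDOW) -> Dict[str, str]:
    """Workloads issued more than `threshold` tokens within any `window`.
    Sliding window per workload; the value is the id of the first event that tipped it over."""
    recent: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, str] = {}
    for e in events:
        if e["type"] != "token.issued":
            continue
        q = recent[e["workload_id"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            flagged.setdefault(e["workload_id"], e["id"])
    return flagged


def run_detections(jsonl: str = SAMPLE_EVENTS) -> dict:
    events = parse_events(jsonl)
    return {"unexpected_audience": unexpected_audiences(events),
            "long_ttl": long_ttls(events),
            "bursts": bursts(events)}


if __name__ == "__main__":
    print(json.dumps(run_detections(), indent=2))
```

In production the allowlist would be built from the /v1/workloads registrations and the target services they are meant to reach, and the events fed in from successive /v1/audit pages rather than the embedded sample.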