Aembit REST API

Base URL: https://control.aembit.io/v1. All requests require the Authorization: Bearer <api-key> header. API keys are scoped to your tenant and can be created in the console under Settings → API Keys.

Workload Identities

Returns a paginated list of workload identity registrations for the authenticated tenant. To fetch the following page, pass the next_cursor value from a response as the cursor query parameter.

# Request
GET /v1/workloads?limit=20&cursor=eyJpZCI6MX0
Authorization: Bearer aem_key_xxxxxxxxxxxxxxxx

# Response 200
{
  "data": [
    {
      "id": "wl_7FvkJq3mNpxT",
      "name": "payment-service",
      "attestation_type": "kubernetes-service-account",
      "namespace": "production",
      "service_account": "payment-svc",
      "created_at": "2026-04-10T09:31:00Z"
    }
  ],
  "next_cursor": "eyJpZCI6Mn0"
}

Creates a new workload identity registration with the specified attestation policy.

# Request
POST /v1/workloads
Content-Type: application/json

{
  "name": "inventory-service",
  "attestation": {
    "type": "kubernetes-service-account",
    "namespace": "production",
    "service_account": "inventory-svc"
  }
}

# Response 201 Created
{
  "id": "wl_9GhKpR4nQtzV",
  "name": "inventory-service",
  "status": "active"
}

Permanently removes a workload registration. Any running workloads with this identity will no longer receive tokens after the next attestation cycle.

# Request
DELETE /v1/workloads/wl_7FvkJq3mNpxT

# Response 204 No Content
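The three workload operations above, exercised from one small client. This is an added example and not an Aembit SDK: it assumes an injected transport with the signature send(method, url, headers, body) -> (status, parsed JSON), that any 4xx/5xx status is a failure (the page documents no error bodies), and that pagination ends when next_cursor is null or absent. The cursor loop also refuses to follow a cursor it has already used, so a misbehaving server cannot spin it forever.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Iterator, Optional, Tuple

BASE_URL = "https://control.aembit.io/v1"

# Transport hook assumed by this example (not part of the Aembit API):
#   send(method, url, headers, body_bytes_or_None) -> (http_status, parsed_json_or_None)
Transport = Callable[[str, str, dict, Optional[bytes]], Tuple[int, Optional[dict]]]


def urllib_transport(method: str, url: str, headers: dict,
                     body: Optional[bytes]) -> Tuple[int, Optional[dict]]:
    """Standard-library HTTPS transport; returns (status, decoded JSON or None)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


class AembitClient:
    """Thin client for the /v1/workloads endpoints documented above."""

    def __init__(self, api_key: str, transport: Transport = urllib_transport,
                 base_url: str = BASE_URL):
        if not api_key:
            raise ValueError("an API key is required")
        self._api_key = api_key
        self._send = transport
        self._base = base_url.rstrip("/")

    def __repr__(self) -> str:
        # The key is only ever placed in the Authorization header, never in repr or logs.
        return f"AembitClient(base_url={self._base!r}, api_key=<redacted>)"

    def _request(self, method: str, path: str, params: Optional[dict] = None,
                 body: Optional[dict] = None) -> Tuple[int, Optional[dict]]:
        url = self._base + path
        if params:
            url += "?" + urllib.parse.urlencode(params)
        headers = {"Authorization": f"Bearer {self._api_key}", "Accept": "application/json"}
        data = None
        if body is not None:
            headers["Content-Type"] = "application/json"
            data = json.dumps(body).encode("utf-8")
        status, payload = self._send(method, url, headers, data)
        if status >= 400:
            # Assumption: 4xx/5xx mean failure; the page does not document error bodies.
            raise RuntimeError(f"{method} {path} failed with HTTP {status}")
        return status, payload

    def iter_workloads(self, limit: int = 20) -> Iterator[dict]:
        """Yield every registration, following next_cursor until it is null or absent."""
        cursor: Optional[str] = None
        seen_cursors = set()
        while True:
            params = {"limit": limit}
            if cursor:
                params["cursor"] = cursor
            _, page = self._request("GET", "/workloads", params=params)
            for workload in (page or {}).get("data", []):
                yield workload
            cursor = (page or {}).get("next_cursor")
            if not cursor:
                return
            if cursor in seen_cursors:
                raise RuntimeError("server repeated a cursor; aborting to avoid an endless loop")
            seen_cursors.add(cursor)

    def create_workload(self, name: str, namespace: str, service_account: str) -> dict:
        """Register a workload attested by a Kubernetes service account; returns the new record."""
        body = {
            "name": name,
            "attestation": {
                "type": "kubernetes-service-account",
                "namespace": namespace,
                "service_account": service_account,
            },
        }
        status, created = self._request("POST", "/workloads", body=body)
        if status != 201 or not created or not created.get("id"):
            raise RuntimeError(f"unexpected create response: HTTP {status}")
        return created

    def delete_workload(self, workload_id: str) -> None:
        """Permanently remove a registration (running workloads lose tokens at the next attestation cycle)."""
        if not workload_id.startswith("wl_"):
            raise ValueError(f"not a workload id: {workload_id!r}")
        status, _ = self._request("DELETE", f"/workloads/{urllib.parse.quote(workload_id)}")
        if status != 204:
            raise RuntimeError(f"unexpected delete response: HTTP {status}")
```

With the default transport the client talks to the real base URL; in tests, pass a fake send() that serves the sample bodies from this page, which also lets you assert that every call carried the Bearer header and that the second page request repeated the cursor the first response returned.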

Token Exchange

Accepts a workload attestation (an SVID, a Kubernetes service-account JWT, or a cloud-provider token) and returns a short-lived OIDC token scoped to the specified target audience. This is the core token-exchange endpoint used by the proxy sidecar.

# Request
POST /v1/token-exchange
Content-Type: application/json

{
  "subject_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "audience": "https://api.stripe.com",
  "requested_token_type": "urn:ietf:params:oauth:token-type:access_token"
}

# Response 200
{
  "access_token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9...",
  "issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
  "token_type": "Bearer",
  "expires_in": 300
}
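The sidecar side of this exchange, as an added example that is not Aembit's proxy code: it builds the request body with the field names shown above (these are the RFC 8693 token-exchange parameter names), validates the response before trusting it, and caches the issued token per audience so that a token minted for https://api.stripe.com is never presented to another service. It assumes the exchange call carries the same Bearer API key as the other endpoints (per the base URL note), an injected post_json(url, headers, body) hook, an attestation_source callable that returns the workload's current JWT, and a 30-second refresh margin before expiry.

```python
import json
import time
import urllib.request
from typing import Callable, Dict, Tuple

EXCHANGE_URL = "https://control.aembit.io/v1/token-exchange"
JWT_TYPE = "urn:ietf:params:oauth:token-type:jwt"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# Assumed hook (not part of the Aembit API): post_json(url, headers, body) -> (status, response dict)
PostJson = Callable[[str, dict, dict], Tuple[int, dict]]


def urllib_post_json(url: str, headers: dict, body: dict) -> Tuple[int, dict]:
    """Standard-library JSON POST used when no test hook is injected."""
    data = json.dumps(body).encode("utf-8")
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={**headers, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read())


def build_exchange_request(subject_token: str, audience: str) -> dict:
    """Body for POST /v1/token-exchange, using the field names documented above."""
    if not subject_token or subject_token.count(".") != 2:
        raise ValueError("subject token must be a compact JWT (three dot-separated segments)")
    if not audience.startswith("https://"):
        raise ValueError("audience must be an https URL")
    return {
        "subject_token": subject_token,
        "subject_token_type": JWT_TYPE,
        "audience": audience,
        "requested_token_type": ACCESS_TOKEN_TYPE,
    }


def parse_exchange_response(status: int, payload: dict) -> Tuple[str, int]:
    """Validate the response and return (access_token, expires_in); reject anything unexpected."""
    if status != 200:
        raise RuntimeError(f"token exchange failed: HTTP {status}")
    if payload.get("issued_token_type") != ACCESS_TOKEN_TYPE:
        raise RuntimeError("unexpected issued_token_type")
    if payload.get("token_type") != "Bearer":
        raise RuntimeError("unexpected token_type")
    token = payload.get("access_token")
    expires_in = payload.get("expires_in")
    if not token or not isinstance(expires_in, int) or expires_in <= 0:
        raise RuntimeError("response lacks access_token or a positive expires_in")
    return token, expires_in


class TokenCache:
    """Per-audience token cache that refreshes shortly before expiry.

    A token issued for one audience is never returned for another, and the
    subject token (the workload's own attestation) leaves this process only
    inside the exchange request.
    """

    def __init__(self, api_key: str, attestation_source: Callable[[], str],
                 post_json: PostJson = urllib_post_json,
                 clock: Callable[[], float] = time.monotonic, refresh_margin: int = 30):
        # Assumption: the exchange endpoint takes the tenant API key like every other endpoint.
        self._headers = {"Authorization": f"Bearer {api_key}"}
        self._attest = attestation_source
        self._post = post_json
        self._clock = clock
        self._margin = refresh_margin
        self._tokens: Dict[str, Tuple[str, float]] = {}  # audience -> (token, expires_at)
        self.exchanges = 0  # number of round trips made; handy for metrics and tests

    def token_for(self, audience: str) -> str:
        cached = self._tokens.get(audience)
        if cached and self._clock() < cached[1]:
            return cached[0]
        body = build_exchange_request(self._attest(), audience)
        status, payload = self._post(EXCHANGE_URL, self._headers, body)
        token, expires_in = parse_exchange_response(status, payload)
        self.exchanges += 1
        # Treat the token as stale `refresh_margin` seconds early so callers never present an expired one.
        self._tokens[audience] = (token, self._clock() + max(expires_in - self._margin, 1))
        return token
```

Because the clock is injectable, the refresh behaviour is testable without sleeping: with the page's expires_in of 300 and the default margin, a token is reused for 270 seconds and re-exchanged on the next call after that.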

Audit Log

Returns a paginated list of authentication events. Filter by workload ID, target service, time range, or event type.

# Request
GET /v1/audit?workload_id=wl_7FvkJq3mNpxT&since=2026-06-01T00:00:00Z

# Response 200
{
  "events": [
    {
      "id": "evt_01HXYZ",
      "type": "token.issued",
      "workload_id": "wl_7FvkJq3mNpxT",
      "target_service": "stripe-api",
      "audience": "https://api.stripe.com",
      "ttl_seconds": 300,
      "timestamp": "2026-06-15T14:22:01Z"
    }
  ]
}
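A defender-side pass over the events this endpoint returns, as an added example rather than anything Aembit ships. It takes a list shaped like the events array above and flags four conditions a practitioner would want to see: a token issued for an audience outside the workload's expected set, a TTL above policy, an issuance for a workload id with no policy at all, and a burst of issuances for one workload inside a short window. The policy structure, the burst threshold, and all events other than evt_01HXYZ are constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

# Constructed sample shaped like the `events` array returned by GET /v1/audit.
# The first record is the page's own example; the rest are made up here.
SAMPLE_EVENTS = [
    {"id": "evt_01HXYZ", "type": "token.issued", "workload_id": "wl_7FvkJq3mNpxT",
     "target_service": "stripe-api", "audience": "https://api.stripe.com",
     "ttl_seconds": 300, "timestamp": "2026-06-15T14:22:01Z"},
    {"id": "evt_sample_02", "type": "token.issued", "workload_id": "wl_7FvkJq3mNpxT",
     "target_service": "crm-api", "audience": "https://crm.example.test",
     "ttl_seconds": 300, "timestamp": "2026-06-15T14:22:30Z"},
    {"id": "evt_sample_03", "type": "token.issued", "workload_id": "wl_9GhKpR4nQtzV",
     "target_service": "warehouse-db", "audience": "https://db.example.test",
     "ttl_seconds": 3600, "timestamp": "2026-06-15T14:25:00Z"},
    {"id": "evt_sample_04", "type": "token.issued", "workload_id": "wl_unknown00000",
     "target_service": "stripe-api", "audience": "https://api.stripe.com",
     "ttl_seconds": 300, "timestamp": "2026-06-15T14:26:00Z"},
] + [
    # Five issuances for one workload within 40 seconds: a burst.
    {"id": f"evt_sample_burst{i}", "type": "token.issued", "workload_id": "wl_9GhKpR4nQtzV",
     "target_service": "warehouse-db", "audience": "https://db.example.test",
     "ttl_seconds": 300, "timestamp": f"2026-06-15T14:30:{10 * i:02d}Z"}
    for i in range(5)
]

# Constructed policy: which audiences each registered workload may obtain tokens for.
POLICY = {
    "allowed_audiences": {
        "wl_7FvkJq3mNpxT": {"https://api.stripe.com"},
        "wl_9GhKpR4nQtzV": {"https://db.example.test"},
    },
    "max_ttl_seconds": 600,
    "burst_threshold": 5,
    "burst_window": timedelta(seconds=60),
}


def parse_ts(ts: str) -> datetime:
    """Parse the UTC timestamps the audit log uses (e.g. 2026-06-15T14:22:01Z)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _finding(event: dict, reason: str, detail: str) -> dict:
    return {"event_id": event["id"], "workload_id": event["workload_id"],
            "reason": reason, "detail": detail}


def find_anomalies(events: Iterable[dict], policy: dict) -> List[dict]:
    """Return one finding per policy violation found in token.issued events."""
    findings: List[dict] = []
    allowed = policy["allowed_audiences"]
    recent: Dict[str, deque] = defaultdict(deque)  # workload_id -> timestamps in the burst window
    for event in sorted(events, key=lambda e: parse_ts(e["timestamp"])):
        if event.get("type") != "token.issued":
            continue
        wl = event["workload_id"]
        if wl not in allowed:
            findings.append(_finding(event, "unknown_workload",
                                     "no audience policy exists for this workload id"))
        elif event["audience"] not in allowed[wl]:
            findings.append(_finding(event, "unexpected_audience", event["audience"]))
        if event.get("ttl_seconds", 0) > policy["max_ttl_seconds"]:
            findings.append(_finding(event, "ttl_exceeds_policy",
                                     f"{event['ttl_seconds']}s > {policy['max_ttl_seconds']}s"))
        # Sliding-window burst detection per workload, fired once when the threshold is reached.
        ts = parse_ts(event["timestamp"])
        window = recent[wl]
        window.append(ts)
        while window and ts - window[0] > policy["burst_window"]:
            window.popleft()
        if len(window) == policy["burst_threshold"]:
            findings.append(_finding(event, "issuance_burst",
                                     f"{len(window)} tokens within "
                                     f"{policy['burst_window'].total_seconds():.0f}s"))
    return findings


if __name__ == "__main__":
    for f in find_anomalies(SAMPLE_EVENTS, POLICY):
        print(f"{f['event_id']:<20} {f['workload_id']:<18} {f['reason']:<20} {f['detail']}")
```

Run against the sample, this yields four findings: the off-policy CRM audience, the hour-long TTL, the unregistered workload id, and the fifth issuance of the burst. In practice the allowed-audience map would be derived from the registrations returned by GET /v1/workloads and the access policies configured for them, and the events would be pulled with the since filter to cover only the period since the last run.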