
Access Tokens

CryptoMove API requests must include an Authorization:<access_token> name/value pair in the HTTP header of the request, where <access_token> is a valid access token.

You can obtain a valid access token in two ways (both methods assume that you have
created a user account):

  • Use a browser to obtain the access token from https://app.cryptomove.com. Once logged in, use the top navigation bar to access the API token page.
  • Call the generate_access_token endpoint to return an access token.

Access tokens copied from the app always give unlimited access to a user's secrets, while an access token returned through the API can be limited in scope based on attributes like classification or name. In addition, access tokens acquired from the app always expire after 24 hours, while an access token returned through the API can have a custom expiration date.

Using the generate_access_token Endpoint

The generate_access_token endpoint returns the access token that is used to authenticate API calls. For example, the following API call returns an access token that can be used to work with every secret that the test@email.com user has in CryptoMove.

# Request an access token for test@email.com that covers every secret
# ("*" for all five scope attributes) and expires after 24 hours.
# The e-mail and password are this page's placeholder values. With real
# credentials, remember that the -d argument ends up in shell history and is
# visible in the process list while curl runs.
curl -X POST \
  -H 'content-type: application/json' \
  -d '{"email":"test@email.com",
 "password":"1dr2Password",
 "scope":"cloud_type:*,environment_type:*,application_type:*,classification:*,secret_name:*",
  "expiration_hours":24}' \
  https://api.cryptomove.com/v1/user/generate_access_token
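// Node.js: request an access token from generate_access_token using the
// `request` package. The e-mail and password are this page's placeholder
// values; do not commit real credentials to source control.
const request = require("request");

// NOTE(review): this sample passes `all` as the wildcard, while the prose and
// the curl sample on this page use `*` - confirm which value the API accepts.
const options = {
  method: 'POST',
  url: 'https://api.cryptomove.com/v1/user/generate_access_token',
  headers: {'content-type': 'application/json'},
  // JSON.stringify escapes quotes and backslashes, so a real password that
  // contains them cannot corrupt the request body.
  body: JSON.stringify({
    email: 'test@email.com',
    password: '1dr2Password',
    scope: 'cloud_type:all,environment_type:all,application_type:all,classification:all,secret_name:all',
    expiration_hours: 24,
  }),
};

request(options, (error, response, body) => {
  // Rethrow the original error object; wrapping it in `new Error(error)`
  // would flatten it to a string and lose its stack and error code.
  if (error) throw error;

  // A non-2xx status means the body is an error report, not a token set.
  if (response.statusCode < 200 || response.statusCode >= 300) {
    console.error(`generate_access_token failed with HTTP ${response.statusCode}`);
  }

  // The success body carries access_token and refresh_token. Printing it is
  // fine for a demo; in real code keep these values out of logs.
  console.log(body);
});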
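require 'uri'
require 'net/http'
require 'openssl'

# Ruby: request an access token from generate_access_token over HTTPS.
# The e-mail and password are this page's placeholder values; do not commit
# real credentials to source control.
url = URI("https://api.cryptomove.com/v1/user/generate_access_token")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Validate the server certificate. This request carries the account password
# and the response carries tokens, so VERIFY_NONE (which accepts any
# certificate) would remove the protection TLS is meant to give them.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

# NOTE(review): this sample passes `all` as the wildcard, while the prose and
# the curl sample on this page use `*` - confirm which value the API accepts.
request = Net::HTTP::Post.new(url)
request["content-type"] = 'application/json'
request.body = "{\"email\":\"test@email.com\",\"password\":\"1dr2Password\",\"scope\":\"cloud_type:all,environment_type:all,application_type:all,classification:all,secret_name:all\",\"expiration_hours\":24}"

response = http.request(request)
# The body contains access_token and refresh_token; keep them out of logs in
# real code.
puts response.read_body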
// Browser (XMLHttpRequest): request an access token from
// generate_access_token and print the raw response once it has arrived.
// The credentials are this page's placeholder values. Anything embedded in
// page script is readable by every visitor, so a real password must not be
// hard-coded here.
// NOTE(review): this sample passes `all` as the wildcard, while the prose and
// the curl sample on this page use `*` - confirm which value the API accepts.
const data = '{"email":"test@email.com","password":"1dr2Password","scope":"cloud_type:all,environment_type:all,application_type:all,classification:all,secret_name:all","expiration_hours":24}';

const xhr = new XMLHttpRequest();

xhr.addEventListener("readystatechange", () => {
  // Only act once the transfer has finished.
  if (xhr.readyState !== XMLHttpRequest.DONE) {
    return;
  }
  // The response text carries access_token and refresh_token.
  console.log(xhr.responseText);
});

xhr.open("POST", "https://api.cryptomove.com/v1/user/generate_access_token");
xhr.setRequestHeader("content-type", "application/json");

xhr.send(data);
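import requests

# Python: request an access token from generate_access_token.
# The e-mail and password are this page's placeholder values; do not commit
# real credentials to source control.
url = "https://api.cryptomove.com/v1/user/generate_access_token"

# NOTE(review): this sample passes `all` as the wildcard, while the prose and
# the curl sample on this page use `*` - confirm which value the API accepts.
payload = "{\"email\":\"test@email.com\",\"password\":\"1dr2Password\",\"scope\":\"cloud_type:all,environment_type:all,application_type:all,classification:all,secret_name:all\",\"expiration_hours\":24}"
headers = {'content-type': 'application/json'}

# requests applies no timeout unless one is given, so without it an
# unresponsive server would block this call indefinitely.
response = requests.request("POST", url, data=payload, headers=headers, timeout=30)

# The body contains access_token and refresh_token; keep them out of logs in
# real code.
print(response.text)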

The body of the generate_access_token request has the following parameters, all of which are required:

Key
Description

email

CryptoMove username.

password

CryptoMove password.

scope

Attributes of the secrets that the access token can work with. There can be no spaces in the value. All five attributes must be specified at least once.

expiration_hours

Number of hours before the returned access token expires. There is no maximum value.

Defining the Scope of an Access Token

You can control which secrets can be accessed with an access token by defining the scope parameter of the generate_access_token endpoint. The attributes that are used to control the scope of the access token are cloud_type, environment_type, application_type, classification, and secret_name. These attributes correspond to the attributes you defined when creating a secret in the app or with the protect endpoint. All five of these attributes must be specified at least once. To generate an access token that can access all of a user's secrets, define the value of every attribute as *.

For example, suppose you want API calls to work with only one CryptoMove secret, MySecret01. Passing the following JSON object to generate_access_token returns an access token that can be used to work with MySecret01 only.

{
"email" : "test@email.com",
"password" : "1dr2Password",
"scope":"secret_name:MySecret01,cloud_type:*,environment_type:*,application_type:*,classification:*",
"expiration_hours" : 24
}

In this case, the returned access token limits API calls to working with MySecret01. For example, if you use the access token to authenticate the list_no_dup endpoint, only MySecret01 is returned in the list of secrets. If you try to use the access token to reveal the value of MySecret02, the call fails.

You can repeat an attribute to specify multiple values. For example, the following JSON request object would return an access token that can be used to work with all secrets with classification of "sensitive" or "critical".

{
	"email" : "test@email.com",
	"password" : "1dr2Password",
	"scope" : "classification:sensitive,classification:critical,cloud_type:*,environment_type:*,application_type:*,secret_name:*",
	"expiration_hours" : 24 
}

The Response Object of generate_access_token

The generate_access_token endpoint returns a JSON object that contains the access token (access_token) and the refresh token (refresh_token). You do not need to examine the other JSON name/value pairs, and you can ignore the value of id_token. For more information about using the refresh token to obtain a new access token when the original one expires, see Using a Refresh Token. The following is an example of a JSON object returned by the generate_access_token endpoint:

{
    "access_token": "eyJhbGciOAccessToken",
    "expires_in": 86400,
    "id_token": "eyJraWQiOIDToken",
    "refresh_token": "NkjOIFo9RefreshToken",
    "scope": "offline_access openid",
    "token_type": "Bearer"
}

Expiration of Access Tokens

Access tokens obtained from the app expire after 24 hours, while access tokens obtained from the generate_access_token endpoint expire after the time period that was specified when the endpoint was called. To obtain a new access token, you can simply follow the same steps you used to get the first one. Alternatively, you can pass a refresh token to the refresh_token endpoint whenever you need a new access token.

Using a Refresh Token

You can pass a refresh token to the refresh_token endpoint to obtain a new access token whenever the old one expires. The app and the generate_access_token endpoint both provide a refresh token when obtaining the initial access token. If you are using https://app.cryptomove.com, use the top navigation bar to access the API token page and copy the refresh token to a safe location. If you used the generate_access_token endpoint, the refresh token was returned in the JSON object. The refresh token does not expire as long as you use it to obtain a new access token at least once every 90 days.

The call to the refresh_token endpoint must include the old access token as well as the refresh token. For example, the following call returns a JSON object with a new access token:

# Exchange a refresh token, together with the access token it was issued
# with, for a new access token.
# Both values are this page's placeholders. The refresh token stays valid as
# long as it is used at least once every 90 days, so treat a real one like a
# password: the -d argument ends up in shell history and is visible in the
# process list while curl runs.
curl -X POST \
  -H 'content-type: application/json' \
  -d '{"refresh_token":"NkjOIFo9RefreshToken",
  "used_access_token":"eyJhbGciOAccessToken"}' \
  https://api.cryptomove.com/v1/user/refresh_token
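// Node.js: exchange a refresh token (plus the access token it was issued
// with) for a new access token, using the `request` package. Both token
// values are this page's placeholders; do not commit real tokens to source
// control.
const request = require("request");

const options = {
  method: 'POST',
  url: 'https://api.cryptomove.com/v1/user/refresh_token',
  headers: {'content-type': 'application/json'},
  // JSON.stringify handles escaping, so the body stays valid JSON whatever
  // characters the tokens contain.
  body: JSON.stringify({
    refresh_token: 'NkjOIFo9RefreshToken',
    used_access_token: 'eyJhbGciOAccessToken',
  }),
};

request(options, (error, response, body) => {
  // Rethrow the original error object; wrapping it in `new Error(error)`
  // would flatten it to a string and lose its stack and error code.
  if (error) throw error;

  // A non-2xx status means the body is an error report, not a token set.
  if (response.statusCode < 200 || response.statusCode >= 300) {
    console.error(`refresh_token failed with HTTP ${response.statusCode}`);
  }

  // The success body carries the new access token. Printing it is fine for a
  // demo; in real code keep it out of logs.
  console.log(body);
});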
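require 'uri'
require 'net/http'
require 'openssl'

# Ruby: exchange a refresh token (plus the access token it was issued with)
# for a new access token. Both token values are this page's placeholders.
url = URI("https://api.cryptomove.com/v1/user/refresh_token")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Validate the server certificate. The request carries a long-lived refresh
# token and the response carries a new access token, so VERIFY_NONE (which
# accepts any certificate) would remove the protection TLS is meant to give
# them.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Post.new(url)
request["content-type"] = 'application/json'
request.body = "{\"refresh_token\":\"NkjOIFo9RefreshToken\",\"used_access_token\":\"eyJhbGciOAccessToken\"}"

response = http.request(request)
# The body contains the new access token; keep it out of logs in real code.
puts response.read_body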
// Browser (XMLHttpRequest): exchange a refresh token (plus the access token
// it was issued with) for a new access token and print the raw response.
// Both token values are this page's placeholders. Anything embedded in page
// script is readable by every visitor, so a real refresh token must not be
// hard-coded here.
const data = '{"refresh_token":"NkjOIFo9RefreshToken","used_access_token":"eyJhbGciOAccessToken"}';

const xhr = new XMLHttpRequest();

xhr.addEventListener("readystatechange", () => {
  // Only act once the transfer has finished.
  if (xhr.readyState !== XMLHttpRequest.DONE) {
    return;
  }
  // The response text carries the new access token.
  console.log(xhr.responseText);
});

xhr.open("POST", "https://api.cryptomove.com/v1/user/refresh_token");
xhr.setRequestHeader("content-type", "application/json");

xhr.send(data);
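import requests

# Python: exchange a refresh token (plus the access token it was issued with)
# for a new access token. Both token values are this page's placeholders; do
# not commit real tokens to source control.
url = "https://api.cryptomove.com/v1/user/refresh_token"

payload = "{\"refresh_token\":\"NkjOIFo9RefreshToken\",\"used_access_token\":\"eyJhbGciOAccessToken\"}"
headers = {'content-type': 'application/json'}

# requests applies no timeout unless one is given, so without it an
# unresponsive server would block this call indefinitely.
response = requests.request("POST", url, data=payload, headers=headers, timeout=30)

# The body contains the new access token; keep it out of logs in real code.
print(response.text)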

The new access token is returned in a JSON response body that is identical to the response object for generate_access_token. The scope of this new access token is identical to the original access token. If you need to change the scope of the access token, call the generate_access_token endpoint again rather than using the refresh token.

