Smallstep API
With the Smallstep API, you can manage:
- Devices in your Smallstep inventory
- High-level protected resources, such as Wi-Fi or VPN configurations
- Lower-level PKI resources like X.509 CAs and provisioners
- Smallstep SSH hosts, host grants, and tags (use the 2023-11-01 API version for this)
- And more!
The Smallstep API is OpenAPI conformant, with JSON requests and responses.
Smallstep API Setup and Usage
👉 Smallstep API Specification and Playground
You can get an API token in two ways:
- Smallstep UI: Add a token in Smallstep settings. You can choose the validity period and scopes here.
- Command Line: On the command line, using the
stepCLI. Thestep api token createcommand accepts a client certificate and private key to authenticate with Smallstep and issue a temporary API token with a 1 hour validity period. To use this option, you must configure one or more trusted root CAs in the Smallstep UI. Trusted roots can be Smallstep CAs or external CAs.
API Clients
Example: Add devices via the API
You can import devices from any source into Smallstep using our API. See Build Your Inventory for details.
Last updated on January 5, 2026
Introducing
Device Identity
Ensure that only company-owned devices can access your enterprise's most sensitive resources.
