---
title: CyberArk API Integration on Truto
slug: cyberark
category: Default
canonical: "https://truto.one/integrations/detail/cyberark/"
---

# CyberArk API Integration on Truto

**Category:** Default  
**Status:** Beta

## Unified APIs

### Unified User Directory API

- **Users** — The User object represents a User.

## How it works

1. **Link your customer's CyberArk account.** Use Truto's frontend SDK; we handle every OAuth and API key flow so you don't need to create the OAuth app.
2. **Authentication is automatic.** Truto refreshes tokens, stores credentials securely, and injects them into every API request.
3. **Call Truto's API to reach CyberArk.** The Proxy API is a 1-to-1 mapping of the CyberArk API.
4. **Get a unified response format.** Every response uses a single shape, with cursor-based pagination and data in the `result` field.

## Use cases

- **Sync user lifecycle events to enforce least-privilege access** — IGA and HR platforms can push onboarding, role changes, and offboarding events to CyberArk so privileged access is automatically granted or revoked in real time — eliminating standing privileges for departed or reassigned employees.
- **Automate privileged account provisioning from your SaaS platform** — IT automation and cloud management tools can programmatically create and vault new privileged accounts in CyberArk whenever infrastructure is provisioned, removing manual credential handoffs and reducing exposure windows.
- **Offer enterprise-grade secrets retrieval without storing credentials** — iPaaS and workflow platforms can let their enterprise customers pull sensitive credentials from CyberArk Conjur at runtime instead of pasting them into the SaaS UI, satisfying strict compliance and data-residency requirements.
- **Enable just-in-time privileged access from service desk workflows** — ITSM and ticketing platforms can trigger CyberArk's PAM API to generate short-lived, approved access sessions for end users — ensuring no human ever sees the actual credentials and passwords are rotated automatically after use.
- **Centralize identity directory data for security posture dashboards** — Security and compliance SaaS products can read user and group data from CyberArk to build unified views of who has privileged access, flag dormant accounts, and surface entitlement drift across the organization.

## What you can build

- **Automated user provisioning and deprovisioning in CyberArk** — Ship a feature that automatically creates, updates, or disables CyberArk identities when users are added, modified, or removed in your platform — powered by Truto's Unified User Directory API.
- **Group-based privileged access mapping** — Let your customers map roles in your application to CyberArk groups and vault permissions so that role changes instantly propagate to privileged access entitlements.
- **Real-time user directory sync dashboard** — Build a UI that shows customers the current sync state of their CyberArk user directory — including last sync time, failed operations, and a list of all mapped identities.
- **One-click CyberArk connection setup for end users** — Offer a guided connect flow where your customers authenticate their CyberArk instance through Truto, with auth complexity fully abstracted away from your engineering team.
- **Entitlement drift detection alerts** — Compare user entitlements in your platform against CyberArk group memberships on a schedule, and surface alerts when access has drifted from the expected state.
- **Bulk identity import from CyberArk on first connect** — When a customer connects their CyberArk account, automatically import all existing users and groups to bootstrap your product's access model without manual CSV uploads.

## FAQs

### What authentication methods does CyberArk support for API access?

CyberArk supports multiple auth methods depending on the product surface. The Privilege Cloud REST API uses session-token-based auth via the `/Auth/CyberArk/Logon` endpoint. Conjur uses host/workload identity authentication that returns short-lived access tokens. CyberArk Identity services also expose SCIM 2.0 endpoints that typically use OAuth 2.0 or API key–based auth. Truto abstracts these flows so your team doesn't manage token lifecycle directly.

### Which Unified API does this integration map to?

CyberArk maps to Truto's Unified User Directory API, which covers Users. This lets you read and manage identities across CyberArk's directory and SCIM endpoints using a single normalized schema.

### Are CyberArk-specific tools available out of the box in Truto?

CyberArk tools (e.g., for secrets retrieval, PAM account management, or vault operations) are not pre-built but are available on request. Truto can build custom proxy or unified endpoints for any CyberArk API surface your use case requires.

### Does CyberArk support SCIM for user and group management?

Yes. CyberArk exposes SCIM 2.0 endpoints for managing Users, Groups, Containers, and ContainerPermissions. This is the primary interface Truto's Unified User Directory API leverages for identity lifecycle operations like create, update, and deactivate.

### How does Truto handle pagination and rate limits for CyberArk APIs?

Truto manages pagination automatically across CyberArk's REST and SCIM endpoints. Rate limit handling — including backoff and retry — is built into Truto's proxy layer so your application receives complete result sets without needing to implement API-specific pagination or throttling logic.

### Can my customers connect self-hosted (on-prem) CyberArk instances?

CyberArk is commonly deployed on-premises or in private clouds. Truto supports connecting to customer-hosted CyberArk instances by allowing end users to specify their base URL during the connection setup flow, so both Privilege Cloud and self-hosted PAM deployments are supported.
