--- title: Delinea API Integration on Truto slug: delinea category: IM canonical: "https://truto.one/integrations/detail/delinea/" --- # Delinea API Integration on Truto **Category:** IM **Status:** Generally available ## How it works 1. **Link your customer's Delinea account.** Use Truto's frontend SDK; we handle every OAuth and API key flow so you don't need to create the OAuth app. 2. **Authentication is automatic.** Truto refreshes tokens, stores credentials securely, and injects them into every API request. 3. **Call Truto's API to reach Delinea.** The Proxy API is a 1-to-1 mapping of the Delinea API. 4. **Get a unified response format.** Every response uses a single shape, with cursor-based pagination and data in the `result` field. ## Use cases - **Broker privileged credentials for secure remote access** — Infrastructure access platforms can fetch vaulted credentials from their customers' Delinea instances at runtime, proxying secure sessions without ever exposing passwords to end users. This eliminates credential theft risk while keeping workflows seamless. - **Inject secrets into CI/CD pipelines at build time** — Deployment and DevOps platforms can pull production secrets from Delinea's DevOps Secrets Vault during builds, so enterprise customers never have to paste API keys or database passwords into a third-party dashboard. - **Automate privileged access revocation during offboarding** — ITSM and HR platforms can trigger immediate access revocation and forced password rotation in Delinea when an employee is terminated, closing the window between offboarding and credential cleanup. - **Audit privileged access posture across cloud environments** — Cloud security and compliance platforms can query Delinea to identify unvaulted service accounts, stale credentials, and rotation policy violations — surfacing privileged access risks that would otherwise go undetected. - **Sync identity lifecycle events to Delinea via SCIM** — Identity governance platforms can push user, group, and role changes into Delinea using SCIM provisioning, ensuring that PAM policies stay in sync with the organization's identity directory without manual intervention. ## What you can build - **Zero-knowledge credential injection** — Fetch secrets from a customer's Delinea vault at connection time and inject them into remote sessions or database proxies so end users never see raw credentials. - **Just-in-time secret checkout with auto-release** — Request temporary, time-boxed access to a privileged secret on behalf of a user, automatically releasing the checkout when the task completes. - **Automated password rotation trigger** — Invoke Delinea's Remote Password Changer from your product to rotate credentials on target systems and update the vault in a single operation. - **Privileged access audit dashboard** — Pull audit logs from Delinea to show customers who accessed which secrets, when, and from where — directly inside your product's compliance reporting UI. - **Approval-gated secret access tied to tickets** — Require a valid support or change ticket ID before checking out a secret, integrating Delinea's approval workflow with your ITSM or ticketing system. - **Vault coverage gap detection** — Compare active cloud IAM accounts against secrets stored in Delinea to flag high-privilege credentials that aren't vaulted or haven't been rotated within policy. ## FAQs ### What authentication methods does the Delinea API support? Delinea's REST APIs support OAuth2 token-based authentication. For Secret Server, you obtain a bearer token via the /oauth2/token endpoint using client credentials or resource owner grants. Truto can manage token acquisition and refresh on your behalf. ### Does Truto have pre-built Unified API resources for Delinea? Not yet. Delinea integrations are built on request. Truto will work with you to map the specific Delinea API endpoints — secrets, folders, audit logs, SCIM, etc. — to your use case and can expose them through a custom or unified interface. ### Can I access secrets across multiple Delinea tenants or Secret Server instances? Yes. Delinea Platform supports vault discovery via its Vault Broker API, which resolves the correct underlying Secret Server tenant URL. Truto can route API calls to the appropriate instance per customer connection. ### How does Delinea handle rate limiting on its API? Rate limits vary by deployment type (cloud vs. on-premises Secret Server). Cloud tenants enforce per-tenant throttling. Truto handles retry logic and backoff so your application doesn't need to manage rate limit errors directly. ### Can I provision and deprovision users in Delinea programmatically? Yes. Delinea supports SCIM 2.0 for user and group provisioning. You can create, update, disable, and delete user accounts and manage group memberships through standard SCIM endpoints. ### Is it possible to trigger password rotation through the API? Yes. Delinea's API exposes endpoints to invoke the Remote Password Changer (RPC), which rotates the credential on the target system and updates the vaulted secret atomically. This can be triggered on-demand from your application.