AvePoint Learn
Request article
Contact support
Request article
Contact support
English

Home > AvePoint Cloud Governance API

Export to PDF

AvePoint Cloud Governance API

AvePoint Cloud Governance provides APIs. Refer to the instructions below to use the APIs. You can also refer to the coding details demonstrated in cloud-governance-client.

C#

AvePoint Cloud Governance provides a Software Development Kit (SDK) for the C# language. Refer to the instructions below to get started:

  1. Install the AvePoint Cloud Governance Client by using the following:

Install-Package Cloud.Governance.Client

  1. Choose any of the following methods to authenticate with AvePoint Cloud Governance API:

    • Authentication via a client ID and client secret

      1. Navigate to System settings > API authentication profiles and click Create on the ribbon.

      2. Enter a name for the profile.

      3. Configure a duration for the client secret. The start time is the profile created time. Enter a number in the text box and select Days, Weeks, Months, or Years as the unit of time.

      4. Define the services that can be called using this AvePoint Cloud Governance API access token.

      5. Click Save to save your configurations.

      6. The Note window appears displaying the API authentication details. Click the Copy (Button: Copy) button to copy the client secret to your clipboard.

        image968

        *Note: The client secret will only be displayed one time, and you cannot retrieve it after you close the window.

      7. Refer to the example below to authenticate with AvePoint Cloud Governance API.

        image969

        The value of the userPrincipalName parameter is the login name of a delegated user that will be used to invoke the AvePoint Cloud Governance API. Make sure the user’s account has been added to AvePoint Online Services and has the subscription for AvePoint Cloud Governance.

        The API URLs vary with AvePoint Cloud Governance environments. Choose one of the following API URLs according to the environment you are using.

AvePoint Cloud Governance EnvironmentAPI URL
The production environment for commercial usehttps://go-api.avepointonlineservices.com
The production environment for U.S. Government Public Sectorhttps://governance-api-us-gov.avepointonlineservices.com
The Insider environment – the East US (Virginia) data centerhttps://insider-governance-api-us-east.avepointonlineservices.com
The Insider environment – the North Europe (Ireland) data centerhttps://insider-governance-api-north-europe.avepointonlineservices.com
- Authentication via an app registered in AvePoint Online Services > ***Note**: This method cannot limit the services that can be called using the Cloud Governance API access token. 1. Go to the AvePoint Online Services > **Administration** > **App registration** page to register an app for AvePoint Cloud Governance. For details, refer to [Configure App Registrations](https://cdn.avepoint.com/assets/webhelp/avepoint-online-services/index.htm#!Documents/configureappregistrations.htm). 2. After you registered the app, get the access token to authenticate with AvePoint Cloud Governance Public API. To get the access token, specify the following attributes:
ElementDescription
identityServiceUrlFor Commercial environment, use: https://identity.avepointonlineservices.com For U.S. Government environment, use:https://identity-gov.avepointonlineservices.com
clientIdSpecifies the application (client) ID of the app you registered through AvePoint Online Services > Administration > App registration.
clientsecretSpecifies the client secret of the app you registered through AvePoint Online Services > Administration > App registration.
scopeSpecifies the permission that has been granted to the app. For AvePoint Cloud Governance, the value is cloudgovernance.fullcontrol.all.
thumbprintThe thumbprint of the corresponding .pfx certificate file of the .cer certificate you used when registering the app.
TokenLifetimeInMinutesSpecifies an expiration time for the retrieved token. The unit of time is Minute.
usernameSpecifies a username as a delegated user to call Cloud Governance API.
Example: Certificate as a credential:
private static void GetTokenByClientCertificate(){ var client = new HttpClient(); var disco = client.GetDiscoveryDocumentAsync("{identityServiceUrl}").GetAwaiter().GetResult(); ; if (disco.IsError) { Console.WriteLine(disco.Error); return; } var tokenResponse = client.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest { Address = disco.TokenEndpoint, ClientAssertion = new ClientAssertion() { Type = OidcConstants.ClientAssertionTypes.JwtBearer, Value = CreateClientAuthJwt(disco) }, Scope = "cloudgovernance.fullcontrol.all", }).GetAwaiter().GetResult(); if (tokenResponse.IsError) { Console.WriteLine(tokenResponse.Error); return; } Console.WriteLine(tokenResponse.Json);}private static string CreateClientAuthJwt(DiscoveryDocumentResponse response){ var clientId = "{client ID}"; // set exp to 5 minutes var tokenHandler = new JwtSecurityTokenHandler { TokenLifetimeInMinutes = 5 }; var securityToken = tokenHandler.CreateJwtSecurityToken( // iss must be the client_id of our application issuer: clientId, // aud must be the identity provider (token endpoint) audience: response.TokenEndpoint, // sub must be the client_id of our application subject: new ClaimsIdentity( new List { new Claim("sub", clientId), new Claim("username", "{username}"), new Claim("jti", Guid.NewGuid().ToString())}), // sign with the private key (using RS256 for IdentityServer) signingCredentials: new SigningCredentials( new X509SecurityKey(new X509Certificate2(LoadCertificate())), "RS256") ); return tokenHandler.WriteToken(securityToken);}private static X509Certificate2 LoadCertificate(){ //Gao certificate var store = new X509Store(StoreName.My, StoreLocation.LocalMachine); store.Open(OpenFlags.ReadOnly); var certificate = store.Certificates.Find( X509FindType.FindByThumbprint, "{thumbprint}", false)[0]; return certificate;}
Client secret as a credential:
private static void GetTokenByClientSecret(){ var client = new HttpClient(); var disco = client.GetDiscoveryDocumentAsync("https://identity.avepointonlineservices.com ").GetAwaiter().GetResult(); if (disco.IsError) { Console.WriteLine(disco.Error); return; } var tokenResponse = client.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest { Address = disco.TokenEndpoint, ClientId = "{client id}", ClientSecret = "{clientsecret}", Scope = "cloudgovernance.fullcontrol.all", Parameters = new Parameters() { new KeyValuePair<string, string>("username", "{user name}") } }).GetAwaiter().GetResult(); if (tokenResponse.IsError) { Console.WriteLine(tokenResponse.Error); return; } Console.WriteLine(tokenResponse.Json);}
  1. You can find more information on what is possible with AvePoint Cloud Governance API here, as well as the coding details and examples.

PowerShell

AvePoint Cloud Governance provides a Software Development Kit (SDK) for integration with PowerShell. Refer to the instructions below to get started:

  1. Use the following command to install the Cloud Governance PowerShell module:

Install-Module -Name Cloud.Governance.Client

> ***Note**: The Cloud Governance PowerShell module requires PowerShell 3.0 or above.

2. Choose any of the following methods to authenticate with AvePoint Cloud Governance API:

- Authentication via a client ID and client secret 1. Navigate to **System settings** >**API** **authentication** **profiles** and click **Create** on the ribbon. 2. Enter a name for the profile. 3. Configure a duration for the client secret. The start time is the profile created time. Enter a number in the text box and select **Days**, **Weeks**, **Months**, or **Years** as the unit of time. 4. Define the services that can be called using this AvePoint Cloud Governance API access token. 5. Click **Save** to save your configurations. 6. The **Note** window appears displaying the API authentication details. Click the Copy (![Button: Copy](/en/cloud-governance-administrator-guide/images/image970.png "Button: Copy")) button to copy the client secret to your clipboard. ![A screenshot of a computer

Description automatically generated](/en/cloud-governance-administrator-guide/images/image971.png "A screenshot of a computer

Description automatically generated")

> ***Note**: The client secret will only be displayed one time, and you cannot retrieve it after you close the window. 7. Refer to the example below to authenticate with AvePoint Cloud Governance API. ![image972](/en/cloud-governance-administrator-guide/images/image972.png "image972") The value of the **userPrincipalName** parameter is the login name of a delegated user that will be used to invoke the AvePoint Cloud Governance API. Make sure the user’s account has been added to AvePoint Online Services and has the subscription for AvePoint Cloud Governance. The API URLs vary with AvePoint Cloud Governance environments. Choose one of the following API URLs according to the environment you are using.
AvePoint Cloud Governance EnvironmentAPI URL
The production environment for commercial usehttps://go-api.avepointonlineservices.com
The production environment for U.S. Government Public Sectorhttps://governance-api-us-gov.avepointonlineservices.com
The Insider environment – the East US (Virginia) data centerhttps://insider-governance-api-us-east.avepointonlineservices.com
The Insider environment – the North Europe (Ireland) data centerhttps://insider-governance-api-north-europe.avepointonlineservices.com
- Authentication via an app registered in AvePoint Online Services > ***Note**: This method cannot limit the services that can be called using the Cloud Governance API access token. 1. Go to the AvePoint Online Services > **Administration** > **App registration** page to register an app for AvePoint Cloud Governance. For details, refer to [Configure App Registrations](https://cdn.avepoint.com/assets/webhelp/avepoint-online-services/index.htm#!Documents/configureappregistrations.htm). 2. After you registered the app, get the access token to authenticate with AvePoint Cloud Governance Public API. To get the access token, specify the following attributes:
ElementDescription
identityServiceUrlFor Commercial environment, use: https://identity.avepointonlineservices.com For U.S. Government environment, use:https://identity-gov.avepointonlineservices.com
clientIdSpecifies the application (client) ID of the app you registered through AvePoint Online Services > Administration > App registration.
clientsecretSpecifies the client secret of the app you registered through AvePoint Online Services > Administration > App registration.
scopeSpecifies the permission that has been granted to the app. For AvePoint Cloud Governance, the value is cloudgovernance.fullcontrol.all.
certificateThe path of the corresponding .pfx certificate file of the .cer certificate you used when registering the app.
usernameSpecifies a username as a delegated user to call Cloud Governance API.
Example Certificate as a credential:

|function Get-IdentityServiceToken { [CmdletBinding()] [OutputType([string])] Param( [Parameter(Mandatory)] [string]$IdentityServiceUri, [Parameter(Mandatory)] [string]$Scope, [Parameter(Mandatory)] [string]$ClientId, [Parameter(Mandatory)] [Alias("Certificate", "Cert")] [System.Security.Cryptography.X509Certificates.X509Certificate2]$SigningCertificate ) PROCESS { 'Calling method: Get-IdentityServiceToken' | Write-Debug $encodedThumbprint = ConvertTo-Base64UrlEncodedString -Bytes $SigningCertificate.GetCertHash() $headerTable = [ordered]@{typ = "JWT"; alg = "RS256"; kid = $encodedThumbprint } $header = $headerTable | ConvertTo-Json -Compress | ConvertTo-Base64UrlEncodedString $now = Get-Date $currentEpochTime = Convert-DateTimeToEpoch -DateTime $now $notBefore = $currentEpochTime $futureEpochTime = Convert-DateTimeToEpoch -DateTime ($now.AddHours(1)) $payloadTable = [ordered]@{sub = $ClientId; jti = ([System.Guid]::NewGuid()).ToString(); iss = $ClientId; aud = $IdentityServiceUri.TrimEnd('/') + "/connect/token"; nbf = $notBefore; exp = $futureEpochTime; iat = $currentEpochTime } $payload = $payloadTable | ConvertTo-Json -Compress | ConvertTo-Base64UrlEncodedString $jwtPlainText = "{0}.{1}" -f $header, $payload $jwtSig = New-JwtRsaSignature -JsonWebToken $jwtPlainText -SigningCertificate $SigningCertificate $ClientAssertion = "{0}.{1}" -f $jwtPlainText, $jwtSig $RequestUri = $IdentityServiceUri.TrimEnd('/') + "/connect/token" $Body = @{ grant_type = 'client_credentials' scope = $Scope username = '{username}' client_assertion_type = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer' client_assertion = $ClientAssertion } $Response = Invoke-WebRequest -Uri $RequestUri -Method 'POST' -Body $Body return (ConvertFrom-Json $Response).access_token }}function New-JwtRsaSignature { [CmdletBinding()] [OutputType([string])] Param( [System.Security.Cryptography.X509Certificates.X509Certificate2]$SigningCertificate, [String]$JsonWebToken ) PROCESS { 'Calling method: New-JwtRsaSignature' | Write-Debug $rsaSigFormatter = [System.Security.Cryptography.RSAPKCS1SignatureFormatter]::new() $rsaSigFormatter.SetKey($SigningCertificate.PrivateKey) $rsaSigFormatter.SetHashAlgorithm("SHA256") [byte[]]$message = [System.Text.Encoding]::UTF8.GetBytes($JsonWebToken) $shaAlg = [System.Security.Cryptography.SHA256]::Create() [byte[]]$messageDigest = $shaAlg.ComputeHash($message) $sigBytes = $rsaSigFormatter.CreateSignature($messageDigest) return ConvertTo-Base64UrlEncodedString -Bytes $sigBytes }}function ConvertTo-Base64UrlEncodedString { [CmdletBinding()] [OutputType([string])] Param ( [Parameter(Position = 0, ParameterSetName = "String", Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)] [string]$InputString, [Parameter(Position = 1, ParameterSetName = "Byte Array", Mandatory = $false, ValueFromPipeline = $false, ValueFromPipelineByPropertyName = $false)] [byte[]]$Bytes ) PROCESS { [string]$base64UrlEncodedString = "" if ($PSBoundParameters.ContainsKey("Bytes")) { $output = [Convert]::ToBase64String($Bytes) $output = $output.Split('=')[0] # Remove any trailing '='s $output = $output.Replace('+', '-') # 62nd char of encoding $output = $output.Replace('/', '') # 63rd char of encoding $base64UrlEncodedString = $output } else { $encoder = [System.Text.UTF8Encoding]::new() [byte[]]$inputBytes = $encoder.GetBytes($InputString) $base64String = [Convert]::ToBase64String($inputBytes) [string]$base64UrlEncodedString = "" $base64UrlEncodedString = $base64String.Split('=')[0] # Remove any trailing '='s $base64UrlEncodedString = $base64UrlEncodedString.Replace('+', '-'); # 62nd char of encoding $base64UrlEncodedString = $base64UrlEncodedString.Replace('/', ''); # 63rd char of encoding } return $base64UrlEncodedString }}function Convert-DateTimeToEpoch { [CmdletBinding()] [OutputType([System.Int64])] Param( [Parameter(Mandatory)] [DateTime]$DateTime ) PROCESS { 'Calling method: Convert-DateTimeToEpoch' | Write-Debug $dtut = $DateTime.ToUniversalTime() [TimeSpan]$ts = New-TimeSpan -Start (Get-Date "01/01/1970") -End $dtut [Int64]$secondsSinceEpoch = [Math]::Floor($ts.TotalSeconds) return $secondsSinceEpoch }}$cert = (Get-ChildItem -path 'Cert:*23BA1FFD6E83B92529317F80B55CFADA00877E4A' -Recurse)[0]Get-IdentityServiceToken -IdentityServiceUri "https://identity.avepointonlineservices.com" -Scope cloudgovernance.fullcontrol.all -ClientId '{clientId}' -Cert $cert| |-|

Client secret as a credential:

|function Get-IdentityServiceToken { [CmdletBinding()] [OutputType([string])] Param( [Parameter(Mandatory)] [string]$IdentityServiceUri, [Parameter(Mandatory)] [string]$Scope, [Parameter(Mandatory)] [string]$ClientId, [Parameter(Mandatory)] [string]$ClientSecret ) PROCESS { 'Calling method: Get-IdentityServiceToken' | Write-Debug $RequestUri = $IdentityServiceUri.TrimEnd('/') + "/connect/token" $Body = @{ grant_type = 'client_credentials' scope = $Scope username = '{username}' client_id = $ClientId client_secret = $ClientSecret } $Response = Invoke-WebRequest -Uri $RequestUri -Method 'POST' -Body $Body return (ConvertFrom-Json $Response).access_token }}Get-IdentityServiceToken -IdentityServiceUri "https://identity.avepointonlineservices.com" -Scope cloudgovernance.fullcontrol.all -ClientId '{clientId}' -ClientSecret '**'| |-|

  1. You can find more information on what is possible with AvePoint Cloud Governance API here, as well as the coding details and examples.

REST API

Refer to the instructions below to get started with AvePoint Cloud Governance REST API.

  1. In the AvePoint Cloud Governance API, you can see the supported methods. Access the API URL according to the environment you are using.
AvePoint Cloud Governance EnvironmentAPI URL(End User Level APIs)API URL(System Level APIs)
The production environment for commercial usehttps://go-api.avepointonlineservices.comhttps://go-api.avepointonlineservices.com/admin
The production environment for U.S. Government Public Sectorhttps://governance-api-us-gov.avepointonlineservices.comhttps://governance-api-us-gov.avepointonlineservices.com/admin
The Insider environment – the East US (Virginia) data centerhttps://insider-governance-api-us-east.avepointonlineservices.comhttps://insider-governance-api-us-east.avepointonlineservices.com/admin
The Insider environment – the North Europe (Ireland) data centerhttps://insider-governance-api-north-europe.avepointonlineservices.comhttps://insider-governance-api-north-europe.avepointonlineservices.com/admin

  1. Choose one of the following methods to authenticate with AvePoint Cloud Governance API:

    • Authentication via a client ID and client secret

      1. Navigate to System settings >API authentication profiles and click Create on the ribbon.

      2. Enter a name for the profile.

      3. Configure a duration for the client secret. The start time is the profile created time. Enter a number in the text box and select Days, Weeks, Months, or Years as the unit of time.

      4. Define the services that can be called using this Cloud Governance API access token.

      5. Click Save to save your configurations.

      6. The Note window appears displaying the API authentication details. Click the Copy (Button: Copy) button to copy the client secret to your clipboard.

        image974

        *Note: The client secret will only be displayed one time, and you cannot retrieve it after you close the window.

    • Authenticate via Microsoft 365 single sign-on

      This authentication method requires an access token and the access token will expire in one hour.

      1. Access {API URL}/auth/token/user via your web browser. For example, https://go-api.avepointonlineservices.com/auth/token/user.

        Refer to the information in the table below to choose the API URL.

AvePoint Cloud Governance EnvironmentAPI URL(End User Level APIs)API URL(System Level APIs)
The production environment for commercial usehttps://go-api.avepointonlineservices.comhttps://go-api.avepointonlineservices.com/admin
The production environment for U.S. Government Public Sectorhttps://governance-api-us-gov.avepointonlineservices.comhttps://governance-api-us-gov.avepointonlineservices.com/admin
The Insider environment – the East US (Virginia) data centerhttps://insider-governance-api-us-east.avepointonlineservices.comhttps://insider-governance-api-us-east.avepointonlineservices.com/admin
The Insider environment – the North Europe (Ireland) data centerhttps://insider-governance-api-north-europe.avepointonlineservices.comhttps://insider-governance-api-north-europe.avepointonlineservices.com/admin/index.html
2. On the Microsoft 365 sign-in page, sign in with your Microsoft 365 account. > ***Note**: Make sure the account has been added to AvePoint Online Services and has the subscription for AvePoint Cloud Governance. 3. You can see an access token, a refresh token, and user information. The following is an example of the response:
{ "access_token": "eyJhbGci…", "refresh_token": "eyJhbGci…", "user": { "userPrincipalName": "user’s principal name", "displayName": "user’s display name", "aadObjectId": "user’s object ID in Microsoft Entra" }, "duration": 3600}
- Authentication via an app registered in AvePoint Online Services Go to the AvePoint Online Services > **Administration** > **App registration** page to register an app for AvePoint Cloud Governance. For details, refer to [Configure App Registrations](https://cdn.avepoint.com/assets/webhelp/avepoint-online-services/index.htm#!Documents/configureappregistrations.htm).

3. See the examples below for using the authentication.

- Authentication via a client ID and client secret The following is an example of the request that contains the required parameters for authentication: **clientid**, **clientSecret**, and **userPrincipalName**. > ***Note**: The value of the **userPrincipalName** parameter is the login name of a delegated user that will be used to invoke the AvePoint Cloud Governance API. Make sure the user’s account has been added to AvePoint Online Services and has a subscription for AvePoint Cloud Governance.
POST /tasks/my HTTP/1.1Host: go-api.avepointonlineservices.comclientId: ceb5e…clientSecret: jLMX+…userPrincipalName: someone@contoso.com
- Authentication via Microsoft single sign-on Add a header in the request. The header name is **Authorization**, and the header value is **Bearer {access token}**. The following is an example:
GET /tasks/my HTTP/1.1Host: go-api.avepointonlineservices.comAuthorization: Bearer eyJhbGciOi…
If you want your application to receive the access token, you can append a **redirect_uri** query string. For example, **https://go-api.avepointonlineservices.com/auth/token/user?redirect_uri={your application URL}**. AvePoint Cloud Governance API will post a form with the above information to your application URL. - Authentication via an app registered in AvePoint Online Services Add a header in the request. The header name is **Authorization**, and the header value is **Bearer {access token}**. The following is an example:
GET /tasks/my HTTP/1.1Host: go-api.avepointonlineservices.comAuthorization: Bearer eyJhbGciOi…