Overview

Admin Console version 17.8.1 introduces new default policies for Keeper Endpoint Privilege Manager (KEPM) and includes several bug fixes.

Features

• EM-8541: Added a new set of default KEPM policies, including policies for Applications, File Operations, Network, Package Management, Process Management, Script Interpreter, Services, and User command-line activity. New enterprises will receive these policies automatically upon their first full KEPM sync.

Bug Fixes

• EM-8465: Fixed an issue where the "Turn On Now" buttons were missing from the KEPM and PAM sections for enterprises with an expired free trial.
• EM-8521: Improved performance for large enterprise environments
• EM-8536: Fixed an issue where KEPM collection counts were displaying inconsistent or fluctuating values.
• EM-8537: Fixed an issue where Keeper Endpoint Privilege Manager was causing browser crashes.

Original source Report a problem

Keeper Security Agent Kit for AI Agents

Teach AI coding agents to use Keeper Secrets Manager (KSM) and Keeper Commander from the terminal: retrieve and inject secrets, manage vaults, and run enterprise admin workflows without putting credentials in chat or source control.

What you get

Plugin Use it for CLI keeper-secrets App secrets, ksm exec, templates, CI/CD ksm keeper-admin Users, teams, PAM, enterprise vault ops keeper keeper-setup Install CLIs, profiles, first-time setup Both

Prerequisites

• A Keeper Security account
• KSM CLI (plugin: keeper-secrets)
• Commander CLI (plugin: keeper-admin)
• Python 3.10+
• Linux, Windows, Mac OS

The keeper-setup skill will guide you through first-time setup if you don't have the CLIs installed.

Installation

To install the Keeper Security Agent Kit, pick one path.

Claude Code Marketplace

/plugin marketplace add Keeper-Security/keeper-agent-kit
/plugin install keeper-secrets@keeper-security

Any agent via Vercel Skills CLI

# Add the Keeper Security Agent Kit
npx skills add Keeper-Security/keeper-agent-kit

Combine with optional flags to target a specific agent or install globally:

# target agent: cursor
npx skills add Keeper-Security/keeper-agent-kit -a cursor
# target agent: claude-code
npx skills add Keeper-Security/keeper-agent-kit -a claude-code
# target agent: codex
npx skills add Keeper-Security/keeper-agent-kit -a codex
# global install
npx skills add Keeper-Security/keeper-agent-kit -g

Manual installation

Clone the repo, then copy the plugin folders to your agent’s skills directory (create it if needed):

git clone https://github.com/Keeper-Security/keeper-agent-kit
cd keeper-agent-kit

Agent Typical skills path Claude Code ~/.claude/skills/ Cursor ~/.cursor/skills/ Codex ~/.codex/skills/ GitHub Copilot ~/.github/skills/

Example manual installation for Claude Code

NOTE: You may also create this at the project level by using ./.claude/skills/ instead of ~/.claude/skills/.

mkdir -p ~/.claude/skills
cp -r plugins/* /skills/* ~/.claude/skills/
ls ~/.claude/skills

Repeat for each agent you use; paths differ per product.

Usage

In the agent, try prompts like:

“Help me inject secrets from Keeper into my app” (should lean on keeper-secrets) or “How do I set up KSM?” (keeper-setup).

For more structured smoke tests, see TEST_PROMPTS.md.

Uninstall

Remove the skill directories from that agent’s skills folder, or with Vercel Skills:

npx skills remove keeper-secrets

(and the other two). To remove the Keeper CLIs from your machine, follow the uninstall guidance in the KSM CLI and Commander CLI docs.

Documentation

• KSM CLI - install, profiles, commands
• Commander CLI - install, shell, admin commands
• Keeper notation - keeper:// references for secrets
• Issues & features
• Keeper Security Support
• Docs

Security

Security is a top priority. The SECURITY.md file contains information on how to report vulnerabilities.

Contributing

We welcome issues and pull requests.

1. Check existing issues before filing a new one.
2. For changes: fork, branch, keep edits focused; follow CONTRIBUTING.md.
3. Pull requests should describe what changed and why, and note how you tested.

License

Licensed is provided in the LICENSE file.

Original source Report a problem

Integrate Keeper Secrets Manager and Commander with AI coding agents like Claude Code, Cursor, Codex, and GitHub Copilot.

Use AI coding agents with Keeper to retrieve secrets, manage vaults, and run admin workflows from the terminal. Credentials stay out of chat and source control.

GitHub:
github.com/Keeper-Security/keeper-agent-kit

Overview

Keeper supports two integration models for AI agents: skills/plugins for CLI-driven developer workflows, and MCP servers for agent orchestration platforms. This page covers the Keeper Agent Kit, a set of skills (also called plugins) that teach AI coding agents how to use Keeper's CLI tools.

After installation, your agent can:

• Retrieve and inject secrets with ksm (Keeper Secrets Manager CLI)
• Manage vaults, users, teams, and PAM resources with keeper (Commander CLI)
• Set up both CLIs from scratch if they aren't installed yet

Credentials never appear in chat or get committed to source control. The KSM CLI and Commander CLI resolve secrets at runtime. All access is subject to the same RBAC policies and audit logging as any other Keeper integration.

For the MCP-based approach see MCP for AI Agents (Docker).

What's Included

The Agent Kit contains three skills:

Skill What it does CLI used keeper-secrets App secrets, ksm exec, templates, CI/CD injection ksm keeper-admin Users, teams, PAM, enterprise vault operations keeper keeper-setup Install CLIs, configure profiles, first-time setup Both

Prerequisites

You'll need:

• A Keeper Security account (Business or Enterprise)
• Python 3.10 or later
• macOS, Linux, or Windows

The KSM CLI and Commander CLI can be installed manually, or you can let the keeper-setup skill walk your agent through first-time setup.

Installation

Choose the guide that matches your setup:

Method Best for Guide Claude Plugin Marketplace Claude users Install with Claude Skills CLI (npx skills) Cursor, Codex, Copilot, and multi-agent setups Install with Skills CLI Manual (git clone) Air-gapped environments, custom agent setups Install Manually

All three methods install the same skills. Pick whichever fits your workflow.

Supported Agents

Agent Plugin Marketplace Skills CLI Manual Claude Code ✅ ✅ ✅ Cursor ✅ ✅ ✅ Codex — ✅ ✅ GitHub Copilot — ✅ ✅ VS Code (Copilot Chat) — ✅ ✅ Other agents — ✅ (auto-detect) ✅

Quick Start

After installing, use your agent as usual. Skills activate based on context.

Inject a secret into your environment:

"Help me inject my database credentials from Keeper into my app's .env file"

The agent uses keeper-secrets to run ksm exec and pull the secret in without showing it in chat.

Set up KSM for the first time:

"I need to configure Keeper Secrets Manager on this machine"

The agent uses keeper-setup to walk you through CLI installation, profile creation, and token setup.

Look up a user in your Keeper enterprise:

"List all users on the Engineering team in Keeper"

The agent uses keeper-admin to run the right Commander command.

For more examples, see our sample Test Prompts in the repo.

How It Works

Skills are markdown files (SKILL.md) that tell your AI agent how to use a CLI tool. They're not executable code. Each skill documents commands, flags, and error-handling patterns. When you ask a question, the agent reads the relevant skill and builds the right CLI commands from it.

Security model:
The agent runs CLI commands on your local machine using your authenticated session. Secrets are resolved by the KSM and Commander CLIs at runtime, not pasted into chat. Standard Keeper RBAC policies and audit logging apply.

Skills vs. MCP

Keeper supports two ways to connect AI agents. You can use both in the same environment.

What it is Agent Kit (Skills/Plugins) MCP Server (Connector) Markdown files that teach agents to use Keeper CLIs A running Model Context Protocol server How it connects Agent reads skills, runs CLI commands locally Agent connects to an MCP server process Best for Developer workflows, CI/CD, DevOps, local use Agent orchestration platforms, hosted environments Auth model Your existing KSM/Commander CLI sessions KSM one-time access tokens Additional Information This page MCP (Docker)

Troubleshooting

Agent doesn't pick up the skill

Check that the skill files landed in the correct directory for your agent. Restart your agent session after installing. In Claude Code, run /plugin and check the Installed tab.

ksm or keeper command not found

The CLI tools need to be installed separately. Ask your agent "Help me install KSM CLI" and the keeper-setup skill will handle the rest.

Permission denied when running CLI commands

Make sure your KSM profile or Commander session has the right permissions. Keeper's RBAC policies apply to all CLI access. Talk to your Keeper admin if you need additional role assignments.

Skills installed globally but not loading in a project

Some agents prioritize project-level skills over global ones. If a project has its own skills directory, global skills may be hidden. Check with npx skills list or /plugin in Claude Code.

Resources

GitHub:
Keeper-Security/keeper-agent-kit

KSM CLI Docs:
Secrets Manager CLI

Commander CLI Docs:
Commander Overview

Keeper Notation:
keeper:// URI references

Issues & Features:
GitHub Issues

Support:
keepersecurity.com/support

Original source Report a problem

Automated security incident management for Jira to convert Keeper Security alerts into actionable tickets.

About

The Keeper Security ITSM Integration is a Forge-based application that automatically converts security alerts from Keeper Security into actionable Jira tickets. The integration enables security teams, IT administrators, and compliance officers to respond to security incidents immediately without manual ticket creation, ensuring no alert goes unnoticed and maintaining complete audit trails for compliance requirements.

Features

• Automated Ticket Creation: Receive security alerts from Keeper via webhooks and automatically create Jira issues with complete alert details including raw JSON payloads for full audit trails.
• Flexible Field Mapping: Map Keeper alert fields (alert_name, description, audit_event, username, remote_address, timestamp, etc.) to any Jira field including standard fields and custom fields.
• Priority Mapping: Automatically assign Jira priorities based on Keeper event categories (e.g., data breaches → Highest, routine audits → Low).
• Default Issue Type Selection: Configure a default Jira issue type (Epic, Story, Task, Bug, etc.) for all incoming Keeper alerts. Issue types are automatically populated based on the selected project.
• Cross-Project Support: Works with both Team-Managed and Company-Managed Jira projects for maximum flexibility.
• Development Tools: Built-in test functionality to verify webhook configuration and ticket creation before going live.
• Webhook Authentication: Secure your webhook endpoint with Bearer token authentication. Generate, regenerate, or revoke tokens directly from the admin interface to prevent unauthorized access.

Prerequisites

• Keeper Security Account: Keeper Enterprise or KeeperPAM subscription with ARAM (Advanced Reporting & Alerts), admin access to Keeper Security admin console for webhook configuration, and understanding of Keeper alert types and event categories.
• Jira Cloud Instance: Jira Cloud account, project administrator or Jira administrator permissions, and at least one Jira project with appropriate issue types configured.

Supported Platform

The integration runs on Atlassian Forge platform and supports Jira Cloud plans: Free, Standard, Premium, Enterprise; Project Types: Team-Managed and Company-Managed; Regions: All Atlassian Cloud regions (US, EU, APAC).

Supported Browsers

Desktop: Chrome 90+, Firefox 88+, Safari 14+, Edge 90+

Mobile: iOS Safari 14+, Chrome Mobile 90+

Requirements

Jira Requirements: Any Jira Cloud plan, REST API v3 enabled (default), Custom Fields available on Standard plan and above.

Keeper Security Requirements: Enterprise Plan required for webhook functionality, admin access required for webhook configuration, at least one configured alert type.

Installation

Step 1: Navigate to Marketplace at https://marketplace.atlassian.com/2082843324

Step 2: Install the App by clicking "Get it now" or "Try it free", select your Jira site, click "Install app", and wait for installation to complete.

Step 3: Grant Permissions by accepting requested permissions (read:jira-work, write:jira-work, read:jira-user, storage:app).

Step 4: Verify Installation by checking "Keeper Security ITSM" appears in installed apps list.

Authentication

The integration uses Forge's built-in authentication system. No additional authentication configuration is required.

Configuration

Step 1: Access the Admin Interface via Jira Settings → Apps → Keeper Security ITSM.

Step 2: Configure Target Project by selecting the Jira project and default issue type for incoming Keeper alerts.

Step 3: Configure Webhook by copying the Web Trigger URL and saving it securely for Keeper configuration. Configure webhook authentication with Bearer token.

Step 4: Configure Keeper Security Webhooks in Keeper Admin Console under Reporting & Alerts → Alerts → Add Alert, entering details including webhook URL and token.

Step 5: Test the Connection using built-in test button or curl command with authentication token.

Usage

Basic Workflow: Keeper Security Alert → Webhook + Auth Token → Forge App → Jira Ticket Created.

The app validates and processes payloads, maps fields, applies priority mapping, and creates Jira tickets automatically.

Creating Custom Fields

Custom fields capture Keeper-specific data not fitting standard Jira fields. Recommended fields include Remote IP Address, Event Category, Security Event Type, Device Name, Alert Timestamp, Alert Severity.

Field Mapping Configuration

Map Keeper alert data to Jira fields for automatic population via Advanced Configuration → Field Mapping.

Priority Mapping

Configure automatic priority assignment based on Keeper event categories.

Complete Workflow Example

Scenario: Audit Alert Resumed → Automated Jira Ticket

Workflow phases include setup, alert triggers, webhook sent, auth validated, app processes, ticket created, and team responds.

Supported Alerts

The integration supports over 300 detailed Keeper Security event types.

Role-Based Access Control

Implements RBAC to protect configuration settings with permission levels for Jira Administrator (full access), Project Administrator, and Regular User (view access denied screen).

Troubleshooting

Includes solutions for common issues such as repeated "Allow access" button, custom fields not appearing, test webhook failures, empty ticket fields, app not found in Jira, admin access denied, webhook authentication failures, and lost tokens.

Resources

Links to Reporting, Alerts & SIEM, Keeper Webhooks, and Keeper Enterprise Guide.

Original source Report a problem

Overview

This release introduces In-Console Checkout, allowing eligible administrators to purchase licenses and add-ons directly within the Admin Console. It also delivers the KEPM+PAM Bundle offering for all Enterprise customers, with a KeeperPAM consumption billing model available for MSP/MC accounts that is consistent with the existing KEPM (Keeper Endpoint Privilege Manager) experience.

New Features

In-Console Checkout - Subscriptions

• EM-7634: In-Console Checkout is a new feature that streamlines the process of purchasing additional licenses, upgrading your plan, or adding on new products. Instead of being redirected to an external checkout page, eligible administrators can complete purchases directly inside the Admin Console when a valid credit card is on file.
• In-Console checkout is available for Root Administrators or Non-Root Administrators with the Billing Admin permission assigned to your role.

Additional Features & Improvements

• EM-8178: MSP Administrators can now activate the PAM add-on from the Subscriptions page using a consumption billing model, with configurable maximum license limits and an unlimited (∞) option — consistent with the existing KEPM experience.
• EM-8293 / EM-8294 / EM-8295: Extended the KEPM+PAM Bundle offering to cover MSP/MC subscription scenarios, consumption information display, and in-console purchase options.
• EM-8212: Implemented KeeperPAM license logic for KSM/KCM within the In-Console Checkout experience.
• EM-7424: Redesigned the Secure Add-Ons page to improve layout, button behavior, and overall usability.
• EM-8369: Added search functionality when adding a user to a team from the Edit User modal.
• EM-8388: Added a "Turn On Now" button when KEPM is on an active free trial.
• EM-8350: Fixed failing BI tracking events for accounts with a Renewal billing status.
• EM-8181: Added ARAM event support for MSP/MC PAM consumption seat changes, including syslog messages that reflect whether seat counts increased or decreased at the MSP or Managed Company level.
• EM-7696: Added BI tracking events for purchases made from within the enterprise console.

Bug Fixes

• EM-8535: Fixed an issue in GovCloud where KeeperChat was not properly hidden for MSP and MC accounts.
• EM-8525: Fixed the Approvers Request Type column not translating when using a non-English language.
• EM-8511: Resolved timing issues with Add/Remove Roles to User and Add/Remove Users from Role operations.
• EM-8497: Fixed vendor Enterprise accounts freezing upon login.
• EM-8494: Fixed an error when attempting to add a second user to the admin role on a free trial account.
• EM-8471: Fixed the Approvals tab name and Approver Configuration modal containing untranslated text.
• EM-8283: Fixed a scrollbar appearing on the console login page left pane in Firefox.
• EM-8268: Fixed a "Too Many Objects Specified" error in Compliance Reports.
• EM-8222: Fixed a small blue box appearing in the Enable Endpoint Privilege Manager modal.
• EM-8217: Fixed a white screen on the KSM Gateways page.
• EM-8206: Fixed alignment issues on the Subscriptions page for Sub-Admins without Billing Admin privileges.
• EM-8186: Fixed the Keeper Administrator role incorrectly displaying the Endpoint Manager tag when the add-on was not active.
• EM-8027: Fixed the "Enforce least privilege policy on managed devices" Risk Management item incorrectly showing as "Completed" after re-login.
• EM-8008: Updated the "Users with 2FA protected vaults" Risk Management calculation.
• EM-8005: Fixed the "Users with 2FA protected vaults" Risk Management item disappearing after logout.
• EM-8002: Fixed a white screen appearing when MSP administrators selected the KEPM tab.

Original source Report a problem

New Features

• Introduced a new effective license calculation system for KEPM and PAM add-ons, ensuring accurate bundled seat tracking across all environments.
• Introduced new security features to block "impossible travel" login scenarios when using "stay logged in" session resumption.
• Updated Admin Console logout enforcement to manage Web Vault, Browser Extension, and Admin Console sessions separately, giving enterprises more granular security control.
• Enhanced MSP, MC, and B2B add-on endpoints to ensure that enabling PAM automatically and consistently provisions KEPM licensing within a unified bundle framework.
• Improved audit logging, enforcement messaging, and device/session security to provide clearer admin visibility and stronger protection against unauthorized access.

Improvements

• KA-7086: Device login using session resumption (eg. "stay logged in") is now blocked by KeeperAI threat detection if the geographic distance between previous login session and the current location exceeds the policy settings. This advanced security measure, typically referred to as "Impossible Travel" helps prevent unauthorized session takeovers of a compromised device. A corresponding event unusual_location_activity_logout has been added to the Advanced Reporting & Alerts module ("ARAM") for Enterprise customers. The next Admin Console release will include the UI elements to control the policy settings.
• KA-7860: Currently, the Web Vault and Admin Console logout enforcement policy are tied together. With this release, the Admin Console will have the ability to specify a separate logout timer that only affects Admin Console logins. This update now separates logout timer enforcement across Web Vault, Browser Extension, Admin Console, Commander CLI and KeeperChat. The UI updates will take effect on the next Admin Console release.
• KA-8002: Updated the PAM add-on endpoint for B2B customers to include KEPM features. Seat counts and add-on management are now unified for both products.
• KA-8003: The PAM add-on endpoint now includes KEPM functionality for MSP/MC accounts. Enabling PAM automatically enables KEPM, streamlining add-on management.
• KA-8024: PAM seat count validation now uses the new effective seats database table. This change supports more accurate seat management for all licensing models.

Bug Fixes

• KA-7257: Fixed a privacy issue where changing email could reveal enterprise names if the domain was reserved. User privacy is now better protected during email changes.
• KA-7630: Updated Admin Console messaging for PAM licenses to remove hardcoded MSP/MC references. Messaging now accurately reflects the user's licensing context.
• KA-8104: Fixed missing BI consumption ARAM events for MSP PAM add-on toggles. Also addressed duplicate events under concurrent requests for accurate reporting.
• KA-8106: Resolved duplicate ARAM add/remove events when managing users in multiple PAM roles. Event logging is now streamlined for admin actions.
• KA-8157: Improved error messaging when adding add-ons in MSP environments. Users now receive clearer feedback if an add-on cannot be added.
• KA-8184: Fixed an issue where devices requesting approval were missing from the device list in account summary API requests. Device approval workflows now display all relevant devices.
• KA-8186: Updated enterprise region transfer logic to support recent licensing changes. This ensures accurate region transfer handling for affected accounts.
• KA-8193: Addressed a problem where unapproved devices were not listed in account summary API requests. All relevant devices now appear as expected in the summary response.
• KA-8226: Resolved an issue where ARAM events for active seat count changes were incorrectly generated for MSP accounts. Event generation now aligns with intended licensing actions.
• KA-8241: Fixed an issue where audit logs for adding PAM to MSP included incorrect unlimited values. Audit events now accurately reflect changes for KCM removal.
• KA-8330: Notification center and build references updated for improved reliability. This ensures smoother integration and future compatibility.

Original source Report a problem

Keeper Browser Extension version 17.8.0 includes several security and usability improvements including an option to disable your browser's built-in password manager to prevent conflicts, anti-phishing protection that warns you before pasting passwords on unrecognized sites, support for adding custom fields to store sensitive information and a quick-copy option for easily sharing a record's UID.

Option to Disable Your Browser's Password Manager

Upon logging into the KeeperFill Browser Extension for the first time (or on a fresh install) you will be prompted to choose Keeper as your default password manager and import any passwords you have saved in your browser.

This eliminates potential conflicts between your browser's built-in password manager (including Google Chrome, Microsoft Edge, Opera, Brave and Firefox) and Keeper, ensuring you receive the best possible autofill experience without the hassle of manual configuration.

For step-by-step instructions, visit our end-user guide here.

These set up steps are optional but highly recommended. Click "Skip For Now" at the bottom of the extension window if you'd like to skip this process at any point during the set up wizard. You can also manage these features at any time from Keeper's Settings menu.

If you are an existing user, this update may trigger the browser extension to register an error — if it does, just click "Turn on" or "Accept permissions" (depending on your browser) to re-enable Keeper. Accepting permissions allows Keeper the option to disable your browser's built-in password manager.

Verify Mode for Anti-Phishing Protection

Verify Mode helps protect you from accidentally entering your passwords on fake or malicious websites. When enabled, the extension monitors paste actions and warns you before your credentials are submitted to an unrecognized site.

How it works

When you paste a password into a login form, Keeper checks whether the site matches any of your vault records. If it doesn't, you'll see a real-time warning before anything is submitted, showing which site triggered the alert, with the option to proceed or cancel.

Protection levels

You can customize how aggressively the extension monitors your activity:

• Medium: You'll only be warned if you copy a password from your vault and paste it into a different site than the one it's saved for.
• High: You'll be warned any time you paste a password on a site that isn't saved in your vault at all, regardless of where the password came from.
• Maximum: You'll always be asked to confirm before pasting a password, even on websites you've already saved and trust.

Choose a higher level of protection if you want more peace of mind, or a lower one if you prefer fewer interruptions during your normal browsing.

Added Support for Custom Fields

You can now add Custom Fields directly to your records from the browser extension — no need to switch to the web vault to make edits.

Click Add Custom Field within a record to create a Hidden Field for storing sensitive information such as security questions, PINs, or private notes alongside your login. This field type is masked by default to keep your data private.

Add as many custom fields as you'd like and simply reorder them with drag-and-drop. This functionality works the same across the Keeper web and mobile apps, so it should feel familiar.

Quick-Copy a Record UID

When viewing a saved record in the browser extension, click the info icon to reveal the record's unique Record ID (UID). From there, you can copy the UID or a shareable link by selecting the icons alongside it. Note that the link does not grant access to the record. The recipient must already have access rights for the link to work.

Passkey-Based Data Encryption Support

Keeper now supports an advanced passkey feature (WebAuthn PRF extension) that allows compatible websites to use your passkey for both authentication and data encryption. When a site supports this capability, Keeper handles it automatically on the backend with no extra steps required from you.

Important: If you attempt to delete a passkey that is being used for encryption by a website, Keeper will display a warning before you proceed. Deleting a passkey could prevent you from accessing your encrypted data on that site, so it's important to review this warning carefully before removing it.

Improvements

• BE-6626: The Keeper browser extension now responds in real time to session management actions taken in the mobile app (lock, unlock, logout and remove). Any active extension sessions on other devices will update automatically.
• BE-6910: Adding a passkey to a saved login record automatically upgrades it to the latest record format (v2→v3). Your existing credentials and notes are preserved throughout, and any errors are clearly surfaced. This works consistently across all supported browsers.

Bug Fixes

• BE-5736: Adapt form filler height to fit in reduced viewport with zoomed scaling.
• BE-6144: Password field regenerates in the Create Record (toolbar) mode if user manually enters one.
• BE-6224: V3 Record custom security question and answer do not populate in context menu.
• BE-6302: Autofill unintentionally populating the "email" attribute in the SSO configuration when a matching record is detected.
• BE-6441: Verkada passkey setup blocked by <dialog>.
• BE-6715: Delete button fails when text in Password field is highlighted.
• BE-6889: Company ID field fails to fill.
• BE-6943: Fixed corrupted Themes.
• BE-6948: Domain specific password generator check does not comply with Match on Subdomains.
• BE-7023: Master Password screen - Remember Email checkbox is present.
• BE-7051: Top search result is truncated.
• BE-7149: Search bar fails to clear when switching accounts.
• BE-7152: "invalidfromSessionToken" error message appears when adding an SSO account from a different region.
• BE-7155: Unable to login to SSO account via Master Password method.
• BE-7219: Browser Extension suggests website domain without port to save to vault.
• BE-7224: Webauthn dialog not dismissed if logged in via other means.
• BE-7227: UI issues with Add URL button.
• BE-7231: Use HPKE transmission for Cloud SSO payload.
• BE-7239: Save Password prompt disappears after redirect (SurveyMonkey login).
• BE-7250: "Something Went Wrong" error modal on app.ynab.com.
• BE-7257: Investigate autofill inconsistency eresources.rmmservice.com.au/auth/.
• BE-7260: Update Node.js.
• BE-7261: Browser extension adds empty line and space to copied unmasked TOTP codes.
• BE-7262: Unmasking password (with a distinct set of steps) breaks password generator functionality.
• BE-7276: Snapshot issues on dev.azure.com
• BE-7282: Firefox XPI not reproducible across build environments — hardcoded absolute path from onxruntime-web.
• BE-7283: Keeper lock pop-up issue in Twitch chat (whitelist only for fixinator).
• BE-7291: Safari - Clicking "Add to Keeper" button causes white screen.
• BE-7298: Add Account page is blank when switching browser tabs then going back to browser extension.
• BE-7301: Use Domain Only not enabled on initial Create Record.
• BE-7313: Save Password prompt appears in Admin Console when in the EPM tab.
• BE-7314: Custom Record Type, Text and Multi-line Field type have size restriction of viewable characters.
• BE-7341: Login Screen - email dropdown arrow missing.
• BE-7350: Site-specific fixes / improvements to auto-submit detection.
• BE-7358: New Record tab - password generator symbols overlapping Use/Copy password.
• BE-7364: Overflow button in login screen design inconsistency.
• BE-7367: AutoFill fails to trigger when Passkey prompt appears first.

Original source Report a problem

New Features

Workflow API for KeeperPAM - This feature enables a KeeperPAM admin to mandate approval requests before initiating a connection or tunnel.

Expanded workflow notifications so requestors and approvers get timely updates on access status and check-in/check-out events.

Added new ARAM event messages and logging for workflow actions, approvals, denials, session changes, and escalations to improve audit ability and compliance reporting.

Introduced new API endpoints and enforcement options to manage who can configure workflow settings and to support bulk approval-status updates.

Enhanced two‑factor authentication workflows with new router-based 2FA operations and audit events for failed 2FA attempts.

Improvements

KA-7750: Added new API endpoints to support 2FA operations via the Keeper Router, including push, validation, and WebAuthn challenge to support Workflow capabilities.

KA-7814: Added notifications for access request workflows and check-in/check-out events. Both requestors and approvers receive timely updates about access status and resource availability.

KA-7962: Introduced standardized ARAM event messages for workflow actions such as approvals, denials, and session changes. These events enhance monitoring and compliance reporting for workflow activities.

KA-8025: Share approval notifications now include the "request" category tag. This ensures that user action-required items appear correctly in the Notification Center "Requests" tab.

KA-8042: Added a role enforcement policy for managing workflow settings under the Privileged Access enforcement screen. Admins can now assign or remove this permission to control workflow configuration access.

KA-8099: Implemented a new API endpoint to update Notification Center approval statuses. Supports bulk updates and improves notification handling for workflow approvals and denials.

KA-8295: Upgraded Netty libraries to address recent security vulnerabilities. This update resolves CVE-2026-33870 (HTTP smuggling) and CVE-2026-33871 (HTTP/2 DoS).

KA-4870: Enhanced ARAM to generate events for failed two-factor authentication attempts. This provides better visibility for security-related login failures.

Bug Fixes

KA-7729: Improved Notification Center to ensure all relevant notifications, including account creation, are displayed. This update enhances user awareness of important account events.

KA-7798: Fixed an issue where sharing requests did not trigger notification syncs. Notifications for sharing actions now appear instantly without manual refresh.

KA-8023: Resolved an issue where re-sending the "last read" status for a notification caused errors. Notifications now handle repeated read status updates gracefully.

Original source Report a problem

Terraform provider that interacts with Keeper Commander for tenant management

About

Terraform Provider for Commander lets you manage Keeper Security enterprise and MSP configuration as infrastructure-as-code. The provider uses the Keeper Commander Service Mode REST API to manage your Keeper resources from Terraform, so you get declarative config, version control, and a clear audit trail while staying on Keeper’s zero-knowledge infrastructure. See Available resources and data sources for the full list.

Features

• Resources: Create and manage your Keeper resources from Terraform.
• Import: Most resources support import state so you can bring existing keeper resources under Terraform management with terraform import.
• Data sources: Read the existing resource data via data sources.
• MSP support: Use the optional managed_company attribute on enterprise resources and data sources to scope operations to a specific managed company.

Available resources and data sources

Full resources and data sources documentation on the Terraform Registry.

Resources

• commander_enterprise_node: Create and manage enterprise nodes (MSP or enterprise account).
• commander_enterprise_role: Create and manage enterprise roles and policies (MSP or enterprise account).
• commander_enterprise_team: Create and manage enterprise teams (MSP or enterprise account).
• commander_enterprise_user: Create and manage enterprise users (MSP or enterprise account).
• commander_managed_company: Create and manage managed companies (MSP only).

Data sources

• commander_enterprise_node: Look up an enterprise node by name or ID (MSP or enterprise account).
• commander_enterprise_role: Look up an enterprise role by name or ID (MSP or enterprise account).
• commander_enterprise_team: Look up an enterprise team by name or ID (MSP or enterprise account).
• commander_enterprise_user: Look up an enterprise user by email or ID (MSP or enterprise account).
• commander_managed_company: Look up a managed company by name or ID (MSP only).

Prerequisites

• Keeper Commander Service Mode: A service account running Commander Service Mode REST API. Make sure you are running Commander version 17.2.9 or later before starting Service Mode.
• Terraform >= 1.0

Setup and Installation

In order to communicate between Terraform and Keeper, the customer is responsible for hosting a Keeper Commander Service Mode instance. This can be accomplished many ways depending on your IT requirements. Commander Service Mode can run as a foreground service on any machine, or it can be run in a Docker container locally or remotely on a server.

Step 1. Commander Setup

Follow the setup steps documented in the Commander Service Mode REST API section to install Keeper Commander and start the service. Commander Service Mode can run directly in the CLI, in the background on a local machine, on a remote server as a service, or under a Docker container. Using Docker is the recommended method.

Important Items:

1. The Request Queue System (API v2) must be enabled, e.g. -q=y
2. Make sure the following commands are in the list:

this-device,sync-down,switch-to-mc,switch-to-msp,msp-add,msp-down,msp-info,msp-remove,msp-update,enterprise-info,enterprise-node,enterprise-user,enterprise-role,enterprise-team,enterprise-down,enterprise-push,team-approve,record-add,record-update,rm,get,list,record-type-info

If you encounter a 429 Too Many Requests error due to rate limiting, you can configure rate-limit for your service mode using the -rl or --ratelimit flag. This allows you to configure the allowed number of requests per endpoint per IP address, for example:

• 1000/minute
• 100000/hour
• 2000000/day

Adjust these limits based on your expected traffic and system capacity.

After service creation, the API key will be displayed in the console output. Make sure to copy and store it securely. If you are using Docker, you can pull the API key from the logs with this command:

docker compose logs | grep -i "generated api key"

When the Commander service is up and running, you should be able to submit a curl request to the endpoint. For example:

curl -X POST 'https://localhost:8080/api/v2/executecommand-async' \
--header 'Content-Type: application/json' \
--header 'api-key: <your-api-key>' \
--data '{"command": "this-device"}'

If the tunnel is running and the API key is correct, you should get a response like this:

{
"success": true,
"request_id": "550e8400-e29b-41d4-a716-446655440000",
"status": "queued",
"message": "Request queued successfully..."
}

Now that the service is up and running, you can use Service Mode URL and API Key in provider configuration.

Keep the Commander Service Mode running in order to stay connected.

Step 2. Provider Installation

Registry install

To install this provider, add the following code to your Terraform configuration and run terraform init:

terraform {
  required_providers {
    commander = {
      source = "keeper-security/commander"
    }
  }
}

provider "commander" {
  # Configuration options
}

Manual Installation

Download the latest version of the Terraform Provider for your platform from our GitHub release page and copy the archive to the corresponding Terraform plugin folder (creating any missing folders in the path). Initialise source with full provider URL: source = "github.com/keeper-security/commander"

Usage

Configure the Provider

The provider needs to be configured with commander service mode url and api key before it can be used.

terraform {
  required_providers {
    commander = {
      source = "keeper-security/commander"
    }
  }
}

provider "commander" {
  service_mode_url     = "http://localhost:8080/api/v2/"
  service_mode_api_key = "XXXXXXXXXXXXXX"
}

Note: Using managed companies (MSP accounts)

Many resources and data sources support an optional managed_company attribute. When your account is an MSP, set managed_company to a managed company name or ID to manage that resource inside that company. Omit it to work in the logged-in account context (MSP or enterprise account).

Note: MSP - Using both a managed company and your main account in the same config

If you use some resources or data sources with managed_company (operations run inside that company) and others without it (operations run in the logged-in account context), Terraform may run them in parallel. Commander processes requests one at a time in a queue, so an action can run in the wrong context and fail (e.g. "resource not found").

Fix:

Add dependencies between those resources or data sources (e.g. depends_on or referencing one from the other) so they are not executed in parallel.

Example:

# Runs in managed company "Acme"
resource "commander_enterprise_team" "mc_team" {
  name = "MC Team"
  node = "Root"
  managed_company = "Acme"
}

# Runs in logged-in account; depends on mc_team so it doesn't run in parallel
resource "commander_enterprise_team" "main_team" {
  name    = "Main Team"
  node    = "Root"
  # no managed_company = main account
  depends_on = [commander_enterprise_team.mc_team]
}

Examples

Manage Enterprise Team

Below example explain how you can manage your enterprise team with help of "commander_enterprise_team" resource.
Use this resource to create and manage teams in the MSP or Enterprise account

terraform {
  required_providers {
    commander = {
      source = "keeper-security/commander"
    }
  }
}

provider "commander" {
  service_mode_url     = "http://localhost:8080/api/v2/"
  service_mode_api_key = "XXXXXXXXXXXXXX"
}

resource "commander_enterprise_team" "example" {
  name                     = "Backend Developers"
  node                     = "Engineering"
  users                    = ["[email protected]", "[email protected]"]
  roles                    = ["Developer"]
  restrict_record_edit     = true
  restrict_record_re_share = true
  enable_privacy_screen    = false
  # Optional, MSP Account only
  # managed_company = "Acme Corp"
}

Read Enterprise Team

Below example explain how you can read your existing enterprise team with help of "commander_enterprise_team" data source.
Use this data source to look up an enterprise team by name or ID. Returns the team's ID, name, users, and roles so you can reference them in other resources.

terraform {
  required_providers {
    commander = {
      source = "keeper-security/commander"
    }
  }
}

provider "commander" {
  service_mode_url     = "http://localhost:8080/api/v2/"
  service_mode_api_key = "XXXXXXXXXXXXXX"
}

data "commander_enterprise_team" "example" {
  team = "Backend Developers"
  # Optional, MSP only
  # managed_company = "Acme Corp"
}

output "team_id" {
  value = data.commander_enterprise_team.example.id
}

output "team_name" {
  value = data.commander_enterprise_team.example.name
}

output "team_users" {
  value = data.commander_enterprise_team.example.users
}

output "team_roles" {
  value = data.commander_enterprise_team.example.roles
}

For more examples on different resources and data sources, check out the detailed provider documentation.

Release Schedule and Roadmap

This all new Terraform Provider for Commander has a roadmap of features planned. Below is the current high level plan of features we are implementing:

• Shared Folders
• Shared Records
• SCIM
• Record Types
• SSO Cloud Integrations
• Keeper Gateways

Issues

Please open a Github issue with bugs, feature requests or any questions.

Original source Report a problem

Enhancements

• iOS-7594: Introduced a new centralized Notification Center that allows you to manage vault activity and requests in one place. You can now filter notifications by all or unread, approve or deny access requests, and stay informed with unread message indicators. This streamlined system ensures you never miss a time-sensitive update while making it easy to mark items as read and navigate back to your records without losing your place.

• iOS-7811: Implemented Quantum Resistant Cryptography (QRC) to future-proof your vault's security. By integrating advanced "Kyber" encryption, we are protecting your sensitive session data against the future threat of quantum computing. This update ensures that your encrypted information remains secure even as computing power evolves.

• iOS-7063: Redesigned the Security Audit experience with a new, easy-to-understand Security Score and actionable dashboard. You can see your overall security health at a glance and use the new action cards to quickly improve your score by updating weak passwords, enabling Two-Factor Authentication, or rotating reused passwords. The updated records list now features clear strength icons and improved sorting and filtering, helping you prioritize and manage your most critical security items.

• iOS-7041: Improved the accuracy of Security Audit scores by ensuring calculations are consistent with other platforms. The app now correctly identifies reused and unique passwords and excludes shared records from your personal score. Additionally, security scores are now properly updated immediately following a record transfer to a new owner.

• iOS-7234: Updated the app's internal security protocols to support the latest system improvements. This backend optimization ensures a seamless and stable connection with our authentication services, providing you with a more reliable experience.

• iOS-7852: Introduced partial search support for record sharing to better support large organizations. Users in enterprises with more than 500 members can now easily find and add specific colleagues to shared records by typing just a few characters of their name or email address, ensuring reliable discoverability across large datasets.

• iOS-7955: Improved the Account screen by integrating the Sync button directly into the main menu row for quicker access.

• iOS-7960: Enhanced device security with real-time push notification responses for upcoming remote management. The app will react to administrative actions—such as remote locking or account removal—by automatically logging out active sessions and clearing sensitive local data to protect your vault if a device is lost or compromised.

• iOS-7959: Expanded our device registration to include more detailed hardware information in preparation for an upcoming feature. The app now provides specific platform details (such as "iPhone 15 Pro" or "iPad Air") to the backend.

Bugs

• iOS-7940: Resolved a stability issue within the Autofill extension that could cause the app to close unexpectedly when interacting with the password generator.

• iOS-7949: Fixed an issue where users were not notified of an expired File Storage subscription when attempting to download or view attachments. The app now correctly displays a renewal prompt to ensure uninterrupted access to your stored files.

• iOS-7951: Addressed an issue in the Autofill extension where an incorrect "Security Key Not Recognized" alert could appear even after a successful security key login.

• iOS-7952: Corrected a visual bug in the Autofill extension where hidden password fields would always display an ellipsis, regardless of the text length.

• iOS-7953: Smoothed out the user interface when switching between different records in the Autofill extension, eliminating "janky" transitions and ensuring a more polished experience when navigating records with varying configurations.

• iOS-7954: Resolved an issue where long custom labels in certain record types would cause the field value to be truncated while in edit mode.

• iOS-7962: Fixed a bug where an unexpected error was displayed during login when the client version was unrecognized; users are now correctly prompted with the appropriate client check message.

• iOS-7964: Resolved an issue where accessing debug logs from the side menu would incorrectly launch the Safari browser instead of opening the system sharing menu.

• iOS-7965: Resolved a critical crash in the KeeperFill extension that occurred when logging into accounts with very large record sets.

• iOS-7966: Fixed an issue where the app would display an infinite loading spinner when attempting an unsupported folder move between shared folders; users are now correctly presented with an informative alert instead.

• iOS-7967: Addressed a bug that prevented users with empty vaults from logging into the KeeperFill extension.

• iOS-7968: Resolved a UI issue where the quick-action menu would appear in the wrong part of the screen after a text field was recently used.

• iOS-7969: Fixed an issue in the Notification Center where rapidly interacting with notification requests could cause multiple error alerts to overlap on the screen.

• iOS-7970: Resolved a synchronization issue where shared folders would appear duplicated in two locations after being moved until a manual sync was performed.

• iOS-7971: Fixed a navigation error in the side menu where selecting the "Debug Logs" option would incorrectly open the "Refer a Friend" screen for certain account types.

• iOS-7972: Corrected a layout issue on iPad where the Security Audit filters modal was improperly sized, ensuring all filter options and titles are fully visible.

• iOS-7973: Improved the Notification Center layout for iPad users by right-aligning approval buttons, providing a more intuitive and visually consistent experience on larger screens.

• iOS-7975: Fixed a timing issue where the "Create Your First Record" onboarding alert could incorrectly appear for existing users when navigating through the app quickly after logging in.

• iOS-7976: Resolved a visual bug in the Security Audit dashboard where description text was being truncated when the iPad was used in landscape orientation.

• iOS-7977: Resolved a critical login failure specifically affecting devices running iOS 18, ensuring compatibility and clear messaging during the authentication process.

• iOS-7978: Fixed several issues in the Record History screen, including improving the hit targets for navigation controls near the home indicator and resolving a bug where selecting a version would leave the screen unresponsive.

• iOS-7979: Optimized network performance by reducing excessive background pings to the account switching endpoint, ensuring more efficient data usage and better alignment with session activity.

• iOS-7981: Resolved a UI bug where the "Done" button could disappear from the Shared Folder edit view when interacting with the folder's overflow menu.

• iOS-7982: Corrected a visual alignment issue in the Autofill extension where username and password fields were improperly padded, ensuring they now align correctly with other UI elements and icons.

• iOS-7983: Fixed a UI issue in the Autofill extension where the text cursor was invisible on the initial tap when launched in certain light-mode contexts.

• iOS-7984: Resolved a stability issue where the app would crash immediately after a user emptied the Deleted Items folder.

• iOS-7985: Improved the visibility of third-party app icons within the Autofill extension when using Dark Mode. Dark icons (such as Peloton) are now placed in a clear container with a light background to ensure they remain distinct and visible against dark system themes.

• iOS-7986: Adjusted the vault's List view layout to prevent the truncation of record numbers, ensuring that counts for large vaults (even those exceeding 17,000 records) remain fully visible.

• iOS-7988: Resolved an issue where removing "restrict edit" enforcements from a team failed to immediately restore edit permissions for shared folder records, ensuring local permissions correctly sync with administrative changes.

• iOS-7989: Fixed a bug in the KeeperFill extension where the Password Generator (dice icon) was missing when creating or editing records, restoring full functionality to the generation tool.

• iOS-7990: Fixed an incorrect placeholder value in the Wi-Fi record type where the Title field was incorrectly labeled as "Network Name (SSID)."

• iOS-7992: Resolved a UI displacement issue where folder context menus would shift upward and obscure the folder row after a record was saved.

• iOS-7524: Fixed an issue in the Record History screen where the "Restore" button remained active when viewing the record's current version. The button is now correctly disabled when the displayed version matches the current revision, preventing unintended restore attempts.

• iOS-7993: Corrected a navigation error in the Record History screen where using the left/right arrows or the bottom-right button to browse versions could display a version number greater than the total number of available revisions.

• iOS-7994: Resolved a visual bug in the account switcher where two accounts sharing the same account UID would both display the active account checkmark simultaneously.

• iOS-7997: Fixed an issue where changing the Master Password of a secondary (non-active) account would unexpectedly log out the currently active session.

• iOS-7998: Resolved a bug where removing an account from the login menu would disable biometric authentication (Face ID / Touch ID) for other accounts stored on the same device.

• iOS-7999: Fixed a localization issue in the Security Audit dashboard where the "No Weak Passwords" status message was not translated and displayed in English for users running non-English language settings.

• iOS-8001: Addressed an issue where the vault would remain stuck on loading placeholders after closing the Notification Center, requiring a manual sync to display records correctly.

• iOS-8002: Corrected an alert that incorrectly appeared when attempting to attach files while offline under an IP-restricted policy. The app now displays the appropriate restriction message instead of an unrelated error.

• iOS-8003: Fixed a layout issue where the Notification Center bell icon was positioned too close to the "Done" button in the vault edit view, improving tap target separation.

• iOS-8004: Resolved a compatibility issue with Passkey authentication by ensuring the required field is always present in the passkey data, improving reliability with third-party services that validate this field.

Original source Report a problem