Skip to content

Payload Reference

The complete field reference for POST /api/transactions. Jump to a section: required · credentials · databases · RDP · Kubernetes · HTTP · command filtering · check-in. For copy-paste payloads see Examples by protocol.

Creating a checkout

Method / PathPOST /api/transactions
Who can call itAdministrators only. Authenticate with an admin session, or - for server-to-server automation - the cluster shared-secret header X-Bridge-Cluster-Token.
Bodyapplication/json (fields below)
Success201 Created{"status":"created","transaction_id":"…"}

There is no static “admin API key.” A caller is treated as an administrator when they hold an admin session (from your identity provider) or present the cluster token. See Authentication.

Required for every checkout

FieldTypeDescription
transaction_idstringYour unique ID for this checkout. Used to fetch or revoke it later, and in connect URLs.
usernamestringThe Britive user identity this checkout is for (the person connecting).
expires_atintegerExpiry as a Unix timestamp (seconds). After this, connections are refused and the grant is reaped.

Required for an access (user) checkout

FieldTypeDescription
protocolstringWhat to connect with: ssh, telnet, rdp, vnc, k8s (alias k8sexec), http, mysql, postgres, cockroachdb, mssql, redis, mongodb, cassandra, netconf, restconf, winrm.
target_hoststringThe backend host/IP to reach (not required for http).
target_usernamestringThe backend account to log in as (not required for vnc or http).
target_portintegerBackend port. Optional - defaults per protocol (see Protocol Reference).

Common options (any access checkout)

FieldTypeDefaultDescription
record_sessionbooleantrueRecord this session. Send false to opt out (also disables live-view for it).
tokenstring-Per-checkout credential issued by the Britive platform; enables token-authenticated connect/review flows. Stored hashed; never returned.
native_authstringserver defaultHow the connecting user proves who they are to Bridge for native connections: ldap or bridge_credentials.
bridge_auth_passwordstring-Required when native_auth: bridge_credentials - the credential the user presents to Bridge. Encrypted at rest; never returned.

Credentials (by protocol)

These are the secrets Bridge uses to reach the backend. They are encrypted at rest and never appear in any API response.

FieldTypeApplies toDescription
target_passwordstringrdp (optional), vnc, all databases, restconf, winrm; optional for sshBackend password.
private_keystring (PEM)ssh, netconfPrivate key for key-based backend login (use this or target_password).
user_public_keystringsshThe connecting user’s public key, used to authenticate them to Bridge for native SSH.
target_domainstringrdpWindows/AD domain.
kube_bearer_tokenstringk8sBearer token for the Kubernetes API (use this or the client cert pair).
kube_client_cert / kube_client_keystring (PEM)k8sClient certificate + key for mTLS to the Kubernetes API.
target_ca_certstring (PEM)databases, httpCA certificate to trust for the backend’s TLS.

Database options

FieldTypeApplies toDescription
target_databasestringmysql, postgres, mssql, redis (db index), cassandra (keyspace)Default database to connect to.
target_tlsbooleanmysql, postgres, mssqlConnect to the backend over TLS (e.g. RDS/Aurora).
target_tls_skip_verifybooleandatabases, httpDon’t verify the backend’s TLS certificate. Use only when you can’t supply a CA.

See also the Databases protocol reference.

Remote-desktop (RDP) options

RDP exposes the richest per-checkout controls - this is how you turn clipboard and file copy on or off per grant.

FieldTypeDefaultDescription
rdp_securitystringanySecurity mode: any, nla, tls, or rdp.
rdp_ignore_certbooleanfalseSkip backend RDP certificate validation.
rdp_enable_drivebooleanfalseAllow file copy via a redirected virtual drive.
rdp_disable_copybooleanfalseBlock copying out of the session (also applies to VNC).
rdp_disable_pastebooleanfalseBlock pasting into the session (also applies to VNC).
rdp_clipboard_save_filesbooleanfalseSave the content of copied files to the recording (otherwise only metadata is logged).
rdp_clipboard_max_file_mbinteger100Maximum size of a single clipboard file (MB).
lock_blocks_screenbooleanfalseWhen a reviewer locks the session, cover the screen instead of just blocking input.
rdp_color_depthinteger16Color depth: 8, 16, 24, or 32.
rdp_server_layoutstringen-us-qwertyKeyboard layout.
rdp_timezonestring-IANA timezone for the session clock (e.g. America/New_York).
rdp_enable_wallpaper, rdp_enable_theming, rdp_enable_font_smoothing, rdp_enable_full_window_drag, rdp_enable_desktop_composition, rdp_enable_menu_animationsbooleanfalseVisual-fidelity toggles (off by default for performance).
rdp_disable_bitmap_cachingbooleanfalseTurn off bitmap caching (caching is on by default for performance).

Kubernetes (k8s) options

FieldTypeDefaultDescription
kube_api_serverstring-Required. Kubernetes API address, e.g. k8s-api:6443.
kube_namespacestringdefaultTarget namespace.
kube_containerstring-Target container (defaults to the pod’s main container).
kube_commandarray-Command to run, e.g. ["/bin/bash"]. Empty attaches to the running process instead.
kube_ttybooleanfalseAllocate an interactive terminal.

Web (HTTP proxy) options

FieldTypeDescription
capture_hostsarrayExact hostnames the user may reach through the proxy. Supply this and/or capture_subdomains.
capture_subdomainsarrayDomain suffixes the user may reach (matches the domain and any subdomain).
blocked_methodsarrayHTTP methods to deny, e.g. ["DELETE","PUT"] (CONNECT can’t be blocked).
sanitize_headers_extendarrayAdds header names to the recording’s redaction list for this checkout.
sanitize_query_params_extendarrayAdds query-parameter names to redaction.
sanitize_body_fields_extendarrayAdds JSON body field names to redaction.

The sanitize_*_extend lists only add to the server’s base redaction lists - a checkout can never remove something the server already masks. Requests to a host not in your capture lists are blocked. See HTTP Proxy.

Command filtering (shell protocols)

Available for ssh, k8s, netconf, winrm, and restconf. Use an allowlist or a denylist (names and/or regular expressions).

FieldTypeDescription
allowed_commandsarrayOnly these base commands may run.
blocked_commandsarrayThese base commands are rejected.
allowed_patternsarrayRegex allowlist.
blocked_patternsarrayRegex denylist (e.g. "rm\\s+-rf").

Command filtering is not a security control. It is a convenience guardrail and an audit aid - a way to nudge well-intentioned users away from obvious mistakes and to flag notable commands in the recording. It must not be relied upon to prevent malicious or accidental damage to a target system.

Filtering inspects the command line as it is entered. Any user who reaches an interactive shell can defeat it through routine, well-understood techniques - subshells and pipelines, shell built-ins and aliases, scripts and interpreters (python, perl, sh -c …), an editor’s or pager’s shell escape, alternate paths or renamed binaries, and encoded or obfuscated input, among many others. Treating a command allow/deny list as a boundary would give a false sense of protection.

Protecting a target is the job of controls the target itself enforces: least- privilege accounts provisioned per checkout, network segmentation, the target OS/application’s own authorization, and time-boxed, fully recorded access. Use command filtering to complement those controls and improve the audit trail - never as a substitute for them.

Recording redaction override

FieldTypeDefaultDescription
redact_response_bodiesbooleaninherits server defaultFor winrm and restconf, force-on or force-off masking of secrets in recorded response/output bodies. Omit to inherit the server default.

Checking in (revoking)

Method / PathDELETE /api/transactions/{transaction_id}
Who can call itAdministrators only.
Success200 OK{"status":"deleted","transaction_id":"…"}

Revoking removes the grant so new connections are refused and any lingering session is reaped by the watcher. To immediately terminate connections that are still live, also call a disconnect endpoint:

terminal
# End every live session for a checkout (by transaction id)
curl -X POST https://bridge.example.com/api/auth/checkouts/<transaction_id>/disconnect

# End one specific session (by session id)
curl -X POST https://bridge.example.com/api/auth/sessions/<session_id>/end
Last updated on