Some flows depend on your specific configuration. Not all flows are always needed.
Requests served
All servers also serve OPTIONS requests on all URLs to facilitate CORS as configured in the properties file.
Requests served by Email Key Manager (EKM)
EKM should only be available on local LAN or over VPN:
| Source | Path | Notes |
|---|---|---|
| client | /v1/keys/private Methods: GET, PUT | |
| WKD | /v1/keys/public/{query} Method: GET | (For WKD Pull Sync) |
| EAP | /v1/admin/stats Method: GET | |
| EAP | /v1/admin/administrators Method: GET | |
| EAP | /v1/admin/end-users Method: GET | |
| EAP | /v1/admin/end-users/{email} Methods: GET, DELETE, POST, PUT | |
| EAP | /v1/admin/key-pairs Methods: GET, PUT | |
| EAP | /v1/admin/key-pairs/fingerprints Method: GET | |
| EAP | /v1/admin/key-pairs/public Method: PUT | |
| EAP | /v1/admin/key-pairs/key-gen Method: POST | |
| EAP | /v1/admin/key-pairs/bulk-modification Method: PUT | |
| EAP | /v1/admin/key-pairs/wkd-push-sync-later Method: PUT | (For WKD Push Sync) |
| EAP | /v1/admin/key-pairs/{fingerprint} Methods: GET, PUT | |
| EAP | /v1/admin/key-pairs/{fingerprint}/users Method: PUT | |
| EAP | /v1/admin/key-pairs/{fingerprint}/private Method: GET | |
| EAP | /v1/admin/key-pairs/{fingerprint}/expiration Method: PUT | |
| EAP | /v1/admin/key-pairs/{fingerprint}/revocation Method: PUT | |
| EAP | /v1/admin/key-pairs/{fingerprint}/rotation Methods: GET, POST | |
| EAP | /v1/admin/key-pairs/{fingerprint}/automatic-lifecycle-actions Method: PUT | |
| EAP | /v1/admin/key-pairs/{fingerprint}/key-uids Method: PUT | |
| EAP | /v1/admin/key-pairs/{fingerprint}/history Method: GET | |
| EAP | /v1/admin/key-pairs/{fingerprint}/history/{historyId} Method: GET | |
| EAP | /v1/admin/key-pairs/{fingerprint}/history/{historyId}/private Method: GET | |
| EAP | /v1/admin/orchestrator-history Method: GET | |
| EAP | /v1/admin/key-pairs/{fingerprint}/wkd-push-sync-now Method: PUT | (For WKD Push Sync) |

If you configure EKM/WKD with Pull Sync, you may ignore Push Sync requests and vice versa.
Requests served by Web Key Directory (WKD)
WKD should be available on the public internet on predictable URLs:
| Source | Path | Notes |
|---|---|---|
| public | /.well-known/openpgpkey/policy Method: GET | Direct method |
| public | /.well-known/openpgpkey/hu/{hash} Methods: GET, HEAD | Direct method |
| public | /.well-known/openpgpkey/{domain}/policy Method: GET | Advanced method |
| public | /.well-known/openpgpkey/{domain}/hu/{hash} Methods: GET, HEAD | Advanced method |
| EKM | /v1/push-sync Method: PUT | For WKD Push Sync |

You may choose to deploy only Direct Method (on your domain https://<domain>/.well-known/...) or only Advanced Method (on https://openpgpkey.<domain>/.well-known/...), or both.
The advanced method is recommended if you foresee the need to handle more than one email domain with a single deployment.
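The following added example (not FlowCrypt code) shows how a client derives the Direct and Advanced method URLs for one address, which is useful when checking that a deployment answers on the paths in the table above. The `{hash}` computation and the `?l=` query parameter follow the OpenPGP Web Key Directory Internet-Draft rather than this page, and the address and `example.org` domain are constructed.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by the WKD draft for the {hash} path segment
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def ascii_lower(s: str) -> str:
    """Lowercase ASCII letters only; non-ASCII characters are left unchanged."""
    return "".join(c.lower() if "A" <= c <= "Z" else c for c in s)


def wkd_hash(local_part: str) -> str:
    """z-base-32 encoding of the SHA-1 digest of the lowercased local part."""
    digest = hashlib.sha1(ascii_lower(local_part).encode("utf-8")).digest()
    n = int.from_bytes(digest, "big")  # 160 bits = exactly 32 five-bit groups
    return "".join(ZBASE32[(n >> shift) & 31] for shift in range(155, -1, -5))


def wkd_urls(email: str) -> dict:
    """Return key and policy URLs for both WKD methods for one address."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    domain = ascii_lower(domain)
    # The local part is sent in its original case, percent-encoded
    query = "?l=" + quote(local, safe="")
    direct = f"https://{domain}/.well-known/openpgpkey"
    advanced = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    return {
        "direct_key": f"{direct}/hu/{wkd_hash(local)}{query}",
        "direct_policy": f"{direct}/policy",
        "advanced_key": f"{advanced}/hu/{wkd_hash(local)}{query}",
        "advanced_policy": f"{advanced}/policy",
    }


if __name__ == "__main__":
    # Constructed sample address
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:16} {url}")
```

Because the hash is taken over the lowercased local part, `Joe.Doe` and `joe.doe` resolve to the same `hu/{hash}` path.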
Requests served by FlowCrypt External Service (FES)
FES should be available on the public internet on a predictable URL fes.<domain> for single-tenant deployments. Alternatively, to simplify the deployment, this functionality may be handled by a shared-tenant server flowcrypt.com/api:
| Source | Path | Notes |
|---|---|---|
| public | / Method: GET | Optional |
| public | /static/** Method: GET | Web portal |
| public | /message/* Method: GET | Web portal |
| public | /api Method: GET | |
| public | /api/health Method: GET | Optional |
| public | /api/v1/account Method: GET | |
| public | /api/v1/client-configuration Method: GET | |
| public | /api/v1/log-collector/exception Method: POST | Unused |
| public | /api/v1/log-collector/event Method: POST | Unused |
| public | /api/v1/message Method: POST | Web portal |
| public | /api/v1/message/{externalId}/gateway Method: POST | Web portal |
| public | /api/v1/message/{externalId} Method: GET | Web portal |
| public | /api/v1/message/{externalId}/download Method: GET | Web portal |
| public | /api/v1/message/new-reply-token Method: POST | Web portal |
| public | /api/v1/message/{externalId}/reply Method: POST | Web portal |
| EAP | /api/v1/admin/client-configuration Method: GET | |

Requests served by Enterprise Admin Panel
| Source | Path |
|---|---|
| admin | / Method: GET |
| admin | /static/** Method: GET |
| admin | /api Method: GET |
| admin | /api/health Method: GET |
| admin | /login Methods: GET, POST |
| admin | /login/idp/{provider} Method: GET |
| admin | /login/finalize Method: POST |
| admin | /login/cookie-test Method: GET |
| admin | /login/expired Method: POST |
| admin | /login/log-out Method: POST |
| admin | /dashboard Method: GET |
| admin | /stats Method: GET |
| admin | /orchestrator Method: GET |
| admin | /end-users Method: GET |
| admin | /end-users/add Methods: GET, POST |
| admin | /end-users/{email}/key-pairs-csv Method: GET |
| admin | /end-users/{email} Method: GET |
| admin | /end-users/{email}/delete Method: POST |
| admin | /end-users/{email}/rename Method: POST |
| admin | /key-pairs Method: GET |
| admin | /key-pairs/private Method: POST |
| admin | /key-pairs/public Method: POST |
| admin | /key-pairs/generate Methods: GET, POST |
| admin | /key-pairs/bulk-modification Method: POST |
| admin | /key-pairs/{fingerprint} Method: GET |
| admin | /key-pairs/{fingerprint}/users Methods: GET, POST |
| admin | /key-pairs/{fingerprint}/key-uids Method: POST |
| admin | /key-pairs/{fingerprint}/public Method: GET |
| admin | /key-pairs/{fingerprint}/private Method: GET |
| admin | /key-pairs/{fingerprint}/history/{historyId} Method: GET |
| admin | /key-pairs/{fingerprint}/history/{historyId}/public Method: GET |
| admin | /key-pairs/{fingerprint}/history/{historyId}/private Method: GET |
| admin | /key-pairs/{fingerprint}/change-expiration Methods: GET, POST |
| admin | /key-pairs/{fingerprint}/revoke Method: POST |
| admin | /key-pairs/{fingerprint}/rotate Method: POST |
| admin | /key-pairs/{fingerprint}/automatic-lifecycle-actions Method: POST |
| admin | /key-pairs/{fingerprint}/wkd-push-sync-now Method: POST |
| admin | /key-pairs/wkd-push-sync-later Method: POST |
| admin | /client-configuration Method: GET |
| admin | /documentation Method: GET |
| admin | /elements Method: GET |

Initiated Requests (except requests above)
| URL Pattern (Method) | Description |
|---|---|
| The URL from auth.enduser.openid.jwks in the properties file or jwks_uri in openid-configuration (GET). Response type: application/json. Target: External | Used to fetch JWKs to verify the end-user OIDC token signature. Source: FES and EKM |
| URL from auth.admin.openid.jwks in the properties file or jwks_uri in openid-configuration (GET). Response type: application/json. Target: External | Used to fetch JWKs to verify the admin OIDC token signature. Source: FES, EAP, and EKM |
| https://<enduser-issuer>/.well-known/openid-configuration (GET). Response type: application/json. Target: External | Used to fetch JWKs URL for end-users if auth.enduser.openid.jwks isn't present in the properties file. Source: FES and EKM |
| https://<admin-issuer>/.well-known/openid-configuration (GET). Response type: application/json. Target: External | Used to fetch JWKs and login URLs for admins if auth.admin.openid.jwks or auth.admin.openid.authorize.url isn't present in the properties file. Source: FES, EKM, and EAP |
| WKD RDBMS host (TCP). Response type: Socket-based. Target: Internal | RDBMS server for the storage of end-user public keys. Source: WKD |
| EKM RDBMS host (TCP). Response type: Socket-based. Target: Internal | RDBMS server for the storage of end-users and their keys. Source: EKM |
| KMIP host (TCP). Response type: Socket-based. Target: Internal optional | KMS or HSM server for storing Database Encryption Key. Source: EKM |
| Depends on logging configuration ( - ). Response type: Logging calls are expected when StackdriverLogger or SplunkHttpLogger is configured. Not needed for StdoutLogger and FileLogger. Target: - | - Source: FES, EAP, EKM, and WKD |