Connecting your application to KEEP

Any programming language is able to connect to a REST API. Depending on your approach, there are some particularities to observe:

Client based or server based

We distinguish between client and server based applications. Client based applications can access databases that have been marked for Open Access, while server based applications can provide an application id/application secret and get a different level of access

Browser based applications

Browser based applications (ReactJS, Angular, Vue, VanillaJS) are usually hosted on a different server than the URL of the KEEP API. To enable access to KEEP (besides the user’s credential), CORS need to be configured to allow access from the server providing the static files to KEEP. This is configured in the security.json in the CORS section. You need to add your domain and set it to true. To simplify corporate deployment we check domain endings only, so covers, or even

The default entry in security.json is like this:

"CORS": {
        "localhost": true,
        "": true,
        ".local": true

Let’s say you want to disable the preset and enable, you create a security.json with this content:

  "CORS": {
          "localhost": false,
          "": false,
          ".local": false,
          "": true  

Check the detail in Security Configuration

Server based applications

In the Admin Client we can define an “application” which consists of:

  • AppID: Application ID
  • AppSecret: The secret defined for the app
  • Databases: The keep database names this application wants to access

The application, when presenting AppID and AppSecret in the header of any request, then can access those databases, even when they are not defined as “Open Access”. So an application server can have more access than a simple browser.

!!! note “No security bypass” The access to the databases is still governed by their ACL, so when a user accesses databases via the app and has no access, access will be denied.

Desktop applications

Good old Java, or dotNet, or Elektron or shell scripts with curl

Since desktop applications can’t keep secrets, we treat them like browser applications. They only can access Domino databases that are flagged for “Open Access”. At least you don’t need to worry about CORS setup, unless you run a local http server. That’s why localhost is in the default CORS permission list