Keeper Operations Console
A real-time zero-trust operations dashboard for Keeper Security enterprise deployments. Surfaces KPIs, security event feeds, device inventory, incident queues, and API health — all wired to the Keeper Security Commander REST API v2.
What Is This Tool
The Keeper Operations Console is a standalone HTML dashboard for MSP engineers and security teams managing Keeper Security enterprise accounts. It replaces the need to navigate the Keeper Admin Console GUI for routine monitoring by presenting security events, device status, user activity, and platform health in a single continuously-refreshing view.
It is part of the KrawTech Stack Dashboard Suite — per-vendor dashboards sharing a common proxy-ready API wiring pattern, 30-second auto-refresh lifecycle, and design system. All dashboards run in DEMO mode (realistic mock data, no external calls) until a live API token is configured.
Integration Status
The dashboard runs in DEMO mode by default. No network calls are made. When DEMO_MODE is set to false and a valid API token is provided, the four live Keeper Commander REST API calls activate automatically.
| Data Source | Status | Real API Endpoint | Notes |
|---|---|---|---|
| Enterprise Summary | PROXY READY | POST /api/public/v2/node/get_enterprise_node | Include nodes, users, teams, roles, licenses. Activates when proxy is live. |
| Security Events / Alerts | PROXY READY | POST /api/public/v2/audit_log/get_audit_log | Polling only — no streaming. Rate-limited. Activates when proxy is live. |
| Device Inventory | PROXY READY | POST /api/public/v2/device/get_enterprise_devices | Compliance status derived client-side from device metadata. Activates when proxy is live. |
| Policy Count | NO NATIVE ENDPOINT | — | Keeper has no REST endpoint for policy counts. Demo data only — will not go live. |
| Events (Security Event Feed) | AUDIT LOG ONLY | POST /api/public/v2/audit_log/get_audit_log | Both Alerts and Events come from the same audit_log endpoint filtered by type. |
| API Health | INFERRED | Latency measured on authenticated calls | Keeper has no /health ping endpoints. Health is inferred from response success & timing. |
| Team / Directory | PROXY READY | POST /api/public/v2/team/get_teams_by_enterprise | Activates when proxy is live. |
| Enterprise Users | PROXY READY | POST /api/public/v2/user/get_enterprise_users | Activates when proxy is live. |
Architecture
The console is a single-file static HTML application. All logic, styles, and mock data generators live in one file with no external dependencies beyond Google Fonts. The Keeper REST API requires a Bearer token — the file uses a configurable KEEPER_API_TOKEN constant. For production use, a local reverse proxy is recommended to avoid embedding credentials in browser-accessible files.
Header Bar
The sticky header bar sits at the top of the viewport at 52px height. It shows the console identity, live refresh state, and a clock.
| Element | Value Source | Live? |
|---|---|---|
| ⬡ Keeper logo + label | Static HTML | N/A |
| "Operations Console · Zero-Trust Platform" | Static HTML subtitle | N/A |
| Refresh dot (green/spinning) | Animated during loadDashboard() — .spinning class added/removed | YES |
| LIVE / DEMO / FETCHING label | Set to DEMO when DEMO_MODE=true, LIVE when false, FETCHING during load | YES |
| Timestamp (HH:MM:SS) | JavaScript Date, updated every 1 second via tickClock() | N/A |
| Loading overlay (boot screen) | Animates progress bar then hides after loadDashboard() resolves | YES |
KPI Row
Six KPI tiles displayed in a grid below the section label. Each shows a primary value, sub-label, and a delta badge comparing the current value to the previous refresh cycle. Delta badges color-code intelligently — rising alerts are red (bad), rising health is green (good).
| Tile | Value Key | Format | Live Source |
|---|---|---|---|
| Total Assets | summary.total_assets | toLocaleString() | get_enterprise_node → node.number_of_users + devices |
| Active Alerts | summary.active_alerts | integer | get_audit_log → count of open security events |
| Critical Alerts | summary.critical_alerts | integer | get_audit_log → count filtered by high-severity types |
| System Health | summary.system_health | value + "%" | Derived metric — Keeper has no health score endpoint. Computed from API response rates. |
| Active Users | summary.active_users | toLocaleString() | get_enterprise_users → users[].status = "active" count |
| Devices Online | summary.devices_online | toLocaleString() | get_enterprise_devices → devices count |
Delta values compare each KPI to its value from the previous refresh cycle stored in prevKPIs. Alert/critical deltas invert color logic: +1 alert = red (down), -1 alert = green (up). Asset/user/device/health deltas follow standard direction: positive = green.
API Health Panel
The left panel in the middle row. Displays six Keeper service endpoints with latency, a proportional bar, and an OK/WARN/ERR status dot. Timestamp shows last check time.
Keeper Security does not expose any /health or ping endpoints. In the original dashboard, the API health panel used six completely fabricated paths (/api/keeper/auth/health, etc.) that do not exist in Keeper's API. These have been corrected to the real authenticated endpoints. In DEMO mode, latency and status are randomized. In live mode, health is inferred from the success and response time of actual API calls.
| Display Name | Real Endpoint Monitored | Method |
|---|---|---|
| Auth API | /api/public/v2/auth/request_login | POST |
| Admin API | /api/public/v2/node/get_enterprise_node | POST |
| Device API | /api/public/v2/device/get_enterprise_devices | POST |
| Events API | /api/public/v2/audit_log/get_audit_log | POST |
| Directory API | /api/public/v2/team/get_teams_by_enterprise | POST |
| Users API | /api/public/v2/user/get_enterprise_users | POST |
Platform Summary Cards
Six cards in a 3-column grid in the right portion of the middle row. Each card shows an icon, label, primary value, two sub-metrics, and a fill bar. All cards share data from the renderPlatCards(summary, alerts, apiHealth) function.
| Card | Value Source | Sub-Metrics | Live? |
|---|---|---|---|
| 👥 Users | summary.active_users | Admin count (demo-only), Provisioned = total_assets | PARTIAL — provisioned from live, admin count demo-only |
| 💻 Devices | summary.devices_online | Compliant = 94% of online, At Risk = 6% of online | PROXY READY — percentages are approximations pending compliance field |
| 📋 Policies | rnd(42,56) — MOCK ONLY | Active, Violations — both mock | NO KEEPER ENDPOINT — demo data only, always |
| 🚨 Alerts | summary.active_alerts | Critical = summary.critical_alerts, Ack'd = count of ack'd in alerts array | PROXY READY |
| 📡 Events | rnd(12,18) + "K" | Auth, Policy — both demo-only counts | DEMO — live value should come from audit_log total_count field |
| 💚 Sys Health | summary.system_health + "%" | Uptime hardcoded 99.9%, APIs OK = computed from apiHealth array | PARTIAL — APIs OK now computed live; health score is derived |
Alert Strip
A horizontal strip showing the 6 most recent alerts from the alerts array. Each row is color-coded by severity on the left edge, and shows age, message text, source service name, and status pill.
Incident Table
The full incident/alert table with filter buttons and row count badge. Filterable by status: ALL / OPEN / ACK / RESOLVED. Clicking a filter re-renders the table in-place without a data refetch.
Event & Device Feeds
Two side-by-side panels in the bottom row. Left: Security Event Feed. Right: Device Status Overview. Both show the top 10 items from their respective arrays.
API Endpoints
All endpoints verified against the Keeper Security Commander REST API documentation at docs.keeper.io/secrets-manager/commander-cli/commander-rest-api. Six endpoints in the original file were completely fabricated — all have been replaced with verified paths.
All Keeper REST API calls require Authorization: Bearer <session_token>. Session tokens are obtained via POST /api/public/v2/auth/request_login followed by POST /api/public/v2/auth/validate_auth_hash. For automated/service use, generate a Commander Service Account token from the Keeper Admin Console under Keeper Secrets Manager or via Commander CLI (keeper connect). All requests are POST with JSON body — Keeper's REST API does not use GET for data retrieval.
| Purpose | Endpoint | Request Body | Key Response Fields |
|---|---|---|---|
| Enterprise Node / Summary | POST /api/public/v2/node/get_enterprise_node | {"include":["nodes","users","teams","roles","licenses"]} | node.number_of_users, node.number_of_devices, node.licenses |
| Security Audit Log (alerts + events) | POST /api/public/v2/audit_log/get_audit_log | {"limit":100,"filter":{"event_type":[...]}} | audit_event[].event_type, .created, .username, .geo_location |
| Enterprise Devices | POST /api/public/v2/device/get_enterprise_devices | {} | devices[].client_version, .os_version, .device_name, .username |
| Enterprise Users | POST /api/public/v2/user/get_enterprise_users | {"include_deleted":false} | users[].username, .status, .node_id, .roles |
| Teams / Directory | POST /api/public/v2/team/get_teams_by_enterprise | {} | teams[].team_uid, .name, .users |
| Auth / Session Token | POST /api/public/v2/auth/request_login | {"username":"...","include":["keys"]} | login_token (proceed with validate_auth_hash) |
Vendor Limitations
These are genuine Keeper Security API constraints — not implementation gaps. All are documented in code comments in the dashboard file. These panels will remain on demo data even when the proxy is live.
/health, /ping, or status endpoints. The original dashboard used six completely fabricated paths (/api/keeper/auth/health etc.) that return 404 on any real Keeper instance. API health is now inferred from response success and latency on real authenticated calls. In DEMO mode, latency and status are randomized for display purposes.get_audit_log. For near-real-time alerting, use Keeper's native webhook integration to push events to an intermediate aggregation service.get_audit_log endpoint is rate-limited by Keeper. Do not reduce the refresh interval below 30 seconds when calling this endpoint. If both the Alerts and Events feed draw from the same endpoint (as they do in this dashboard), consider batching them into a single call with different type filters applied client-side.get_enterprise_devices endpoint does not return a compliance_warn or risk-level field directly. Compliance status must be derived client-side from device metadata — OS version, last-seen time, client version. The dashboard currently applies hardcoded 94%/6% compliant/at-risk ratios as approximations. A proper compliance engine requires additional business logic layered on top of the raw device data.Config Fields
All configuration lives at the top of the <script> block in stack-keeper.html. No external config file required.
| Variable | Type | Default | Description |
|---|---|---|---|
| DEMO_MODE | Boolean | true | When true, all data comes from mock generators. Set false to activate keeperFetch() live path. |
| KEEPER_BASE_URL | String | https://keepersecurity.com/api/rest | Base URL for Keeper Commander REST API. If using a local proxy, point to localhost proxy URL instead. |
| KEEPER_API_TOKEN | String | '' | Bearer token from Keeper Commander Service Account. Only needed if not using a proxy that injects the header. |
| REFRESH_INTERVAL | Number (ms) | 30000 | Auto-refresh interval. Do not set below 30000 — Keeper audit_log endpoint is rate-limited. |
Proxy Activation Checklist
Complete in order to switch from DEMO to live Keeper data. No rendering or UI code changes required.
In the Keeper Admin Console: go to Secrets Manager > Applications > Create New Application. Copy the generated token — shown once only. Alternatively, use
keeper shell > connect to authenticate and retrieve a session token. Store in your credential vault.Test with:
curl -X POST https://keepersecurity.com/api/rest/api/public/v2/node/get_enterprise_node -H "Authorization: Bearer YOUR_TOKEN" -H "Content-Type: application/json" -d '{"include":["nodes"]}'. Expect a JSON response with node data. A 401 means invalid token. A 403 means the service account lacks admin permissions.The service account needs read access to: Enterprise Nodes, Users, Devices, Audit Log, and Teams. In Keeper Admin Console, assign the "Auditor" role or a custom role with equivalent read permissions. Write permissions are not required for this dashboard.
Keeper's API may block cross-origin browser requests. Use nginx, Caddy, or a minimal Node.js proxy to relay requests and inject the Authorization header. Example nginx block:
location /api/ { proxy_pass https://keepersecurity.com/api/rest/api/; proxy_set_header Authorization "Bearer YOUR_TOKEN"; proxy_set_header Content-Type "application/json"; }Set
DEMO_MODE = false. Set KEEPER_BASE_URL to your proxy URL or https://keepersecurity.com/api/rest. Set KEEPER_API_TOKEN if not injecting via proxy header.Find the
// ── LIVE path ── comment block inside keeperFetch(). Uncomment the try/catch block and the fetch() call. Leave the mock fallback below it — it activates on fetch failure.Keeper's API response shapes may differ from the mock generator's field names. After first live load, open DevTools Network tab, inspect the actual response JSON from each endpoint, and update the render functions to access correct paths. Key fields to check: enterprise node structure, audit_log event fields, device object schema.
Open DevTools Network tab. On load, 3 POST requests should appear (enterprise_node, audit_log, enterprise_devices). All should return 200 with JSON. If the header label still shows "DEMO" after setting DEMO_MODE=false, clear cache and hard-refresh.
Policy count (no endpoint), Events feed aggregate count, and System Health score are permanently demo-derived. Document this clearly if the dashboard is used in a client-facing context. Consider adding a "⚠ ESTIMATED" badge to those specific cards.
Troubleshooting
Access-Control-Allow-Origin headers for browser requests from arbitrary origins. Set up the local reverse proxy (see checklist step 4) and point KEEPER_BASE_URL to your localhost proxy URL. The proxy adds the CORS header on responses without the browser ever seeing a cross-origin request.