Skip to main content
Question

PRA and API call to force check in for all Vault accounts

  • January 16, 2026
  • 5 replies
  • 68 views
C

Hi All

I am trying to find a way to use the API to force check in of vault accounts which have had their password checked out for over 7 days,

I think it is crazy to allow the PRA and the vault account members to checkout their password and allow it to stay checked out (this could be over a year) therefore they could use the password and put it into some automated tasks where it is in plain text and as it is never checked in this will always stay the same.

It seems a lot safer if there was an option within PRA to force check in ( a tick box or something ) and a correct schedule that could be set that would check in all passwords on a set day and time and rotate them. Instead I am having to mess about with APIs which are not very well documented in my opinion.

Therefore has anyone needed to do this and if so how did they go about it?

Thank you in advance.

    5 replies

    J
    BeyondTrust Employee
    • jchandler
    • BeyondTrust Employee
    • January 19, 2026

    Hello ​@CBlackadder

    Please have a look at this API call. 

    https://docs.beyondtrust.com/pra/reference/apiconfigvaultaccountforce-check-in

    Is this what you are looking for?

    Regards,

    John

      C
      • CBlackadder
      • Author
      • Apprentice
      • January 19, 2026

      Yes, however I thought i could use the BYTAPI call and do it that way, instead it looks like i have to do something a bit different than what i had previously thought. Tanks for the steer on this.

      I would be a nice added feature on the system to have an option to force checkin on specific days.

      instead of using API calls, it would be just nice to have it there within the system

       

        C
        Forum|alt.badge.img+4
        • cschaller
        • Veteran
        • March 31, 2026

        Hi All

        I am trying to find a way to use the API to force check in of vault accounts which have had their password checked out for over 7 days,

        I think it is crazy to allow the PRA and the vault account members to checkout their password and allow it to stay checked out (this could be over a year) therefore they could use the password and put it into some automated tasks where it is in plain text and as it is never checked in this will always stay the same.

        It seems a lot safer if there was an option within PRA to force check in ( a tick box or something ) and a correct schedule that could be set that would check in all passwords on a set day and time and rotate them. Instead I am having to mess about with APIs which are not very well documented in my opinion.

        Therefore has anyone needed to do this and if so how did they go about it?

        Thank you in advance.

        We are having the exact same issue and think this would be a powerful feature to automatically check-in vault accounts that are left in status checked-out after a configurable time (“Max checkout threshold”) with a notification sent to users (first notifcation that soon account will be checked in - graceful notification period; second notification that account was forced checked-in).

         

        The entire benefit of BT’s proposal for a Zero-Trust PAM solution is somehow broken, since a user knows the password and rotation can be prevented. User’s are smart and found that shortcut very quickly in our case:-) We have to allow that certain users checkout of passwords because injection sometimes does not work for certain apps.

         

        We now are trying to write a script. However the /vault/account endpoint does not provide the runtime status of an account (e.g. checked out) but seems to be only the static configuration of the account.

        We would like only to force check-in via API for accounts filteres in checked-out status (e.g. /vault/account?status=checked_out).

         

        How can this be achived?

          C
          Forum|alt.badge.img+4
          • cschaller
          • Veteran
          • March 31, 2026

          Hello ​@CBlackadder

          Please have a look at this API call. 

          https://docs.beyondtrust.com/pra/reference/apiconfigvaultaccountforce-check-in

          Is this what you are looking for?

          Regards,

          John

          This would be a starting point but it seems that the API is not providing “run-time” status information about the account. We would first only filter on checked-out accounts and those force check-in something like $AccountsUri = "$BaseUrl/api/config/v1/vault/account?status=checked-out"

          ChrisDailey
          Forum|alt.badge.img
          • ChrisDailey
          • Apprentice
          • March 31, 2026

          It does seem odd that there does not seem to be a way in the application to force check-in a vault account. I can set a max password age, but with no way to enforce check-in that is meaningless.

          Badge Earners

          Show all badges
          Terms & ConditionsCookie settingsAccessibility statement