> ## Documentation Index
> Fetch the complete documentation index at: https://docs.serval.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Absolute

> Connect Serval to Absolute Secure Endpoint so workflows can query and manage devices, run remote actions, and call the Absolute v3 API with asymmetric token authentication.

## About Absolute

Absolute Secure Endpoint (formerly Absolute Visibility / Persistence) is endpoint resilience and security software for laptops, desktops, and Chromebooks. The Serval Absolute integration connects to your Secure Endpoint Console using an asymmetric API token. Serval signs each API call with your EC P-256 private key and sends it to the regional Absolute API host you select. There is no browser sign-in and no long-lived bearer token stored in workflows.

**Authentication:** Asymmetric API token (Token ID + EC P-256 private key PEM). Serval constructs a JSON Web Signature for every request and posts it to Absolute's `/jws/validate` endpoint on your configured API domain.

**Data sync:** On demand only. Workflows call the Absolute API when they run; there is no background sync or asset ingestion.

## What the Absolute integration enables

| Capability           | Description                                                                                                                                                                                                                      |
| -------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Absolute API request | Typed access to the Absolute v3 REST API from custom workflows — devices, device groups, users, applications, freeze/unfreeze, messaging, geofences, and other Secure Endpoint operations supported by your token's permissions. |
| Regional API routing | Choose the API domain that matches your Secure Endpoint Console login URL (Global, US, EU, India, or US Gov). Serval only sends signed requests to the five supported Absolute API hosts.                                        |

Anything defined in the [Absolute API documentation](https://api.absolute.com/) for your region can be accessed through Serval, subject to the permissions on your API token.

## Get your credentials

Serval needs four values from Absolute Secure Endpoint Console: an instance name (for your own labeling), the matching API domain, a Token ID, and the PEM-encoded EC P-256 private key that pairs with the public key uploaded when the token was created.

<Steps>
  <Step title="Sign in to Secure Endpoint Console">
    Open the console URL your organization uses (for example `https://secure.absolute.com` or a regional variant) and sign in with an account that can manage API tokens.
  </Step>

  <Step title="Create an asymmetric API token">
    In Secure Endpoint Console, create a new API token using Absolute's asymmetric (public/private key) flow. Upload an EC P-256 public key in PEM format when prompted.
  </Step>

  <Step title="Copy the Token ID">
    When the token is created, copy its **Token ID**. Serval uses this as the JWS key identifier (`kid`) on every signed request.
  </Step>

  <Step title="Keep the matching private key">
    Use the EC P-256 private key PEM that corresponds to the public key you uploaded. Serval stores it encrypted and uses it only server-side to sign requests — it is never exposed to workflow code.
  </Step>

  <Step title="Note your API domain">
    Match the API domain to the console region you use. The connect form offers Global (`api.absolute.com`), US (`api.us.absolute.com`), EU (`api.eu2.absolute.com`), India (`api.in1.absolute.com`), and US Gov (`api.fr1.absolutegov.com`).
  </Step>
</Steps>

<Warning>
  If you rotate or replace the token in Absolute, update both the Token ID and private key in Serval. A mismatched key pair fails every API call with an authentication error.
</Warning>

## Connect in Serval

<Steps>
  <Step title="Open the Absolute connect form">
    In Serval, add the Absolute integration.
  </Step>

  <Step title="Instance Name (required)">
    Enter a label for this connection (for example `Production` or `Corporate`). This helps your team distinguish multiple Absolute installs.
  </Step>

  <Step title="API Domain (required)">
    Select the regional API host that matches your Secure Endpoint Console login URL.
  </Step>

  <Step title="Token ID (required)">
    Paste the Token ID from the asymmetric API token you created in Absolute.
  </Step>

  <Step title="Private Key (required)">
    Paste the full PEM-encoded EC P-256 private key, including the `-----BEGIN` / `-----END` lines.
  </Step>

  <Step title="Save the connection">
    Submit the form. Serval stores the private key encrypted and configures signing for your selected API domain.
  </Step>
</Steps>

<Note>
  When editing an existing connection, the stored private key is shown obfuscated. Re-paste the full PEM to rotate credentials; leave other fields unchanged to keep their stored values.
</Note>

## Gotchas and troubleshooting

<AccordionGroup>
  <Accordion title="Pick the API domain that matches your console region">
    Serval only attaches credentials to requests bound for the five supported Absolute API hosts. Choosing the wrong region causes authentication failures even when the Token ID and private key are correct.
  </Accordion>

  <Accordion title="Use an EC P-256 private key in PEM format">
    Absolute asymmetric tokens require an Elliptic Curve key on the NIST P-256 curve. PKCS#8 or SEC1 PEM encodings are both accepted. Other key types are rejected at signing time.
  </Accordion>

  <Accordion title="Token permissions gate every workflow action">
    The API token's permission set in Absolute determines which endpoints succeed. A 403 from a workflow usually means the token lacks the privilege for that resource — adjust the token in Secure Endpoint Console, not Serval.
  </Accordion>

  <Accordion title="Absolute may restrict tokens by source IP">
    If your token has an IP allowlist in Absolute, ensure Serval's outbound addresses are permitted or the allowlist is disabled for this token.
  </Accordion>
</AccordionGroup>

***

Need help? Contact **[support@serval.com](mailto:support@serval.com)** for assistance with your Absolute integration.
