About Cerby
Cerby is an identity, access, and password management platform for “disconnected” applications - apps without SSO or SCIM support, and seat-licensed social and marketing tools. Connecting Cerby to Serval lets workflows read your account inventory and MFA state, retrieve passwords and TOTP codes from Cerby-managed vaults, manage users, teams, collections, and secrets, and drive user provisioning and entitlement changes in Cerby’s connected business hub integrations. Serval talks only to your own workspace’s Cerby address (for example acme.cerby.com) and attaches your API token to every request. The integration is currently marked Beta, so the Cerby tile appears with a Beta label in the connect catalog. Authentication: API key (a Cerby workspace API token plus your workspace name) Data sync: On-demand only. There is no background sync, resource import, or scheduled polling - Serval calls Cerby only when a workflow runs, and verifies the connection with lightweight read-only health checks.What the Cerby integration enables
Get your credentials
Serval needs a Cerby workspace API key. Under Cerby’s role-based access control, the key can do exactly what its selected scopes and its creator’s workspace role allow. Grant at minimum the four read scopes the connection’s health checks exercise - Read vaults, Read users, Read items, and Read integrations. Add Read accounts if your workflows will read accounts, passwords, or TOTP codes, Read secrets for secret reads, and write scopes (for example Write accounts, Write collections, Write secrets, Write integrations) only if your workflows will make changes. Create the key as a user with at least an Admin workspace role (Admin, Super Admin, or Owner) - Cerby’s teams area requires it, so a key created by a lower-role user fails the teams health check. Cerby’s developer documentation is here: Cerby API documentation.Open the API Keys page in Cerby
Create the key
Select scopes
Copy the key immediately
Note your workspace name
Connect in Serval
Open the Cerby connect form in Serval
Enter the Workspace name
Paste the API Token
Save the connection
Verifying the connection
The Cerby connection ships with five health checks. Each one exercises a different permission, so a failure pinpoints exactly which scope (or role) the key is missing. The four list checks append your workspace total when Cerby returns one - for example “Successfully listed users from Cerby (workspace total: 42).” They also run again automatically whenever you save changes to the connection’s settings.- Validate Cerby API connection - confirms the token can reach the Cerby API by listing vaults (a lightweight read that exercises the Read vaults scope). On success: “Successfully connected to the Cerby API.” On failure: “Unable to connect to the Cerby API. Verify the workspace subdomain and that the API token has the Read vaults scope.”
- List Cerby users - confirms the Read users scope by listing a single user. On success: “Successfully listed users from Cerby.” On failure: “Unable to list users from Cerby. Verify the API token has the Read users scope.”
- List Cerby teams - confirms the token can read teams. On success: “Successfully listed teams from Cerby.” On failure: “Unable to list teams from Cerby. Verify the API token has the Read users scope and that the user has at least an Admin role.”
- List Cerby integrations - confirms the Read integrations scope by listing one connected business hub integration. On success: “Successfully listed integrations from Cerby.” On failure: “Unable to list integrations from Cerby. Verify the API token has the Read integrations scope.”
- List Cerby collections - confirms the Read items scope by listing one collection. On success: “Successfully listed collections from Cerby.” On failure: “Unable to list collections from Cerby. Verify the API token has the Read items scope.”
Gotchas and troubleshooting
The workspace name is the bare slug, not a URL or domain
The workspace name is the bare slug, not a URL or domain
Teams checks fail while user checks pass
Teams checks fail while user checks pass
Password reads only work for accounts in an AWS KMS vault
Password reads only work for accounts in an AWS KMS vault
The API key is displayed only once
The API key is displayed only once
The integration is marked Beta
The integration is marked Beta
Need help? Contact support@serval.com for assistance with your Cerby integration.

