Rotate the Active Directory Import API Key

If the API key associated with a JumpCloud administrator used to configure the JumpCloud AD Import agent is rotated, or the admin is deleted, the AD Import service will stop working. This means password changes and new user imports will no longer work as expected.

This article outlines how to verify the status of AD Import agents in JumpCloud, as well as steps to take to resolve the issue on domain controllers.


Your organization will not receive any sort of communication or error about the breakage.

Verifying AD Import Status

To first verify if AD Import functionality is broken:

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DIRECTORY INTEGRATIONS > Active Directory > select your Domain > Domain Agents tab.
  3. In the Agent Version column, if Import is listed with a red “!” then the import agent is broken and the API key needs to be updated.

Replacing the API Key (Overview)

The following is a high level overview of the steps required to replace the API key for AD Import:

  1. Log in to the JumpCloud Admin Portal and view the Import item(s) within Domain Agents tab. Identify each broken connector.


We recommend using a dedicated administrator account specific to this service.

  1. Then, on each impacted domain controller:
    1. Modify the hashed API key in the adint.config.json file on each domain controller.
    2. Stop/Start the JumpCloud AD Bridge Agent Windows service.
    3. View and verify the newly hashed API key in adint.config.json file.
  2. In the admin portal, view the Import item(s) within Domain Agents tab. Verify fixed connectors.

Replacing the API Key on the domain controller

To update the API key on an impacted domain controller:

  1. Log in to the domain controller as a local administrator. The domain controller can be identified by referencing the Host Name in the admin portal.
  2. Open C:\Program Files\JumpCloud AD Bridge\adint.config.json file as a local administrator.

  3. The hashed value that will need to be replaced with the new API key:

"JCAPI": {

  1. To retrieve your new API key:
    1. Go to the JumpCloud Admin Portal.
    2. Click your initials at the top of the screen.
    3. Then click My API Key.
    4. Click the string of letters and numbers to automatically copy the API key to the clipboard.
  2. In the adint.config.json configuration file on the domain controller, replace the existing hashed value with the new plain text API key between the quotation marks (” “).
  3. Save the adint.config.json file, then stop and start the JumpCloud AD Bridge Agent service in Windows Services.
  4. Reopen the adint.config.json file. The new API key will be hashed if the previous procedure was completed successfully.

The Import agent will check in with JumpCloud and a properly working Import service will be indicated as a green check mark "✅" in the admin portal:


Here's a guided simulation: Update the JumpCloud AD Import Agent API Key

List IconIn this Article

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case