When the step CLI is not available, you can manage EAB (External Account Binding) keys directly via the Admin API on your CA.
<aside> ℹ️
CA Admin API vs. Smallstep API
This guide references the CA Admin API (e.g. https://your-team.ca.smallstep.com/admin/...). This is a separate API from the Smallstep API (https://gateway.smallstep.com/...), which manages higher-level resources like authorities, teams, provisioner configuration, and, in this case, EAB key management.
</aside>
The /admin/ endpoints require mTLS with your admin certificate and key. These are the credentials provisioned when you set up your authority.
Create a key:
```bash
curl -X POST \
  "https://your-team.ca.smallstep.com/admin/acme/eab/{provisioner_name}" \
  --cert admin.crt \
  --key admin.key \
  -H "Content-Type: application/json" \
  -d '{"reference": "optional-tracking-id"}'
```
Response:
```json
{
  "id": "eab-key-id",
  "hmacKey": "base64url-encoded-hmac-secret",
  "provisioner": "my-acme-provisioner",
  "reference": "optional-tracking-id",
  "createdAt": "2026-02-26T10:30:45Z"
}
```
The id and hmacKey are the EAB credentials you pass to your ACME client. The reference field is optional and useful for correlating keys with records in your own systems.
<aside> ⚠️
The hmacKey is only returned at creation time. Subsequent GET/list calls will not include it.
</aside>
List keys:
```bash
curl -X GET \
  "https://your-team.ca.smallstep.com/admin/acme/eab/{provisioner_name}" \
  --cert admin.crt \
  --key admin.key
```
Supports pagination via query parameters: ?cursor=...&limit=...
Look up by reference:
```bash
curl -X GET \
  "https://your-team.ca.smallstep.com/admin/acme/eab/{provisioner_name}/{reference}" \
  --cert admin.crt \
  --key admin.key
```
Delete a key by its id:
```bash
curl -X DELETE \
  "https://your-team.ca.smallstep.com/admin/acme/eab/{provisioner_name}/{key_id}" \
  --cert admin.crt \
  --key admin.key
```
Once you have the id and hmacKey, pass them to any ACME client that supports EAB (RFC 8555 Section 7.3.4).
certbot: