There are many channels for asking questions about KeyProtect and this client.
- Ask a question on Stackoverflow and tag it with `key-protect` and `ibm-cloud`
- Open a [Github Issue](https://github.com/IBM/keyprotect-go-client/issues)
- If you work at IBM and have access to the internal Slack, you can join the `#key-protect` channel and ask there.
## Usage
This client expects that you have an existing IBM Cloud Key Protect Service Instance. To get started, visit the [IBM KeyProtect Catalog Page](https://cloud.ibm.com/catalog/services/key-protect).
Build a client with `ClientConfig` and `New`, then use the client to do some operations.
For users of the original `key-protect-client` that is now deprecated, this library is a drop in replacement. Updating the package reference to `github.com/IBM/keyprotect-go-client` should be the only change needed. If you are worried about new incompatible changes, version `v0.3.1` of `key-protect-client` is equivalent to version `v0.3.3` of `keyprotect-go-client`, so pinning `v0.3.3` of the new library should be sufficient to pull from the new repo with no new functional changes.
## Authentication
The KeyProtect client requires a valid [IAM API Key](https://cloud.ibm.com/docs/iam?topic=iam-userapikey#create_user_key) that is passed via the `APIKey` field in the `ClientConfig`. The client will call IAM to get an access token for that API key, caches the access token, and reuses that token on subsequent calls. If the access token is expired, the client will call IAM to get a new access token.
Alternatively, you may also inject your own tokens during runtime. When using your own tokens, it's the responsibilty of the caller to ensure the access token is valid and is not expired. You can specify the access token in either the `ClientConfig` structure or on the context (see below.)
To specify authorization token on the context:
```go
// Create a ClientConfig and Client like before, but without an APIKey
// List keys with our injected token via the context
keys, err := api.GetKeys(ctx, 0, 0)
```
For information on IAM API Keys and tokens please refer to the [IAM docs](https://cloud.ibm.com/docs/iam?topic=iam-manapikey)
## Finding a KeyProtect Service Instance's UUID
The client requires a valid UUID that identifies your KeyProtect Service Instance to be able to interact with your key data in the instance. An instance is somewhat like a folder or directory of keys; you can have many of them per account, but the keys they contain are separate and cannot be shared between instances.
The [IBM Cloud CLI](https://cloud.ibm.com/docs/cli?topic=cloud-cli-getting-started) can be used to find the UUID for your KeyProtect instance.
```sh
$ ic resource service-instances
OK
Name Location State Type
Key Protect-private us-south active service_instance
Key Protect-abc123 us-east active service_instance
```
Find the name of your KeyProtect instance as you created it, and the use the client to get its details. The Instance ID is the GUID field, or if you do not see GUID, it will be the last part of the CRN. For example:
```sh
$ ic resource service-instance "Key Protect-private"
