Skip to main content

REST APIs for 23.2

API Keys

API keys provide a persistent means of authenticating with the PCE and are recommended for scriptwriting.

This Public Stable APIs allow local users to create user API keys and use them as credentials to access the PCE.

All API keys are organization-based.

There are two categories of API keys:

  • User Based API Keys.

    These keys are based on specific owners and owners so that they can make API calls to the PCE.

Working with API Keys

When you create an API key, you receive an api_username and secret, which function as the username and password for making API calls. An API key is permanent and does not expire (unless when deleted).

Important

Any tooling that parses the HTTP headers should be changed to allow case-insensitive header name matching in order to retain compatibility with future PCE releases. Refer to RFC 7230, section 3.2, "Header Fields," which states that field names should be case insensitive.

Use API keys to write scripts that run automatically, without requiring a human user to authenticate the API call. Unless you are a read-only user, you can create multiple API keys and make API calls in your scripts.

You can also create different API keys for different functions. For example, you might use an API key for scripting automatic workload pairing, and another API key for collecting system events from Illumio.

When you create an API key, the response returns both the auth_username and the secret needed for authenticating other API calls:

  • API username: "auth_username":"api_xxxxxxxxxxx29" (represented in the code examples in this document as $KEY)

  • API key secret: "secret":"xxxxxxx5048a6a85ce846a706e134ef1d4bf2ac1f253b84c1bf8df6b83c70d95" (represented in the code examples in this document as $TOKEN)

Get a Collection of all API keys

You can now get a list of all API keys, both user-based and service account-based.

To query API keys regardless of their type, use this API:

GET /api/v2/orgs/:xorg_id/api_keys
Query Parameters for API Keys

Some parameters have been renamed or deprecated to allow differentiation between the type userand service_account:

  • query parameter nameis retained for the type service_account

  • query parameter nameis changed to username for the type user

  • query parameter service_account_name was deprecated and consolidated to name

  • query parameter api_key_name was deprecated and removed as not needed

Special Characters in API Calls

If a usernameor name in an API call contains special characters, these have to be encoded for the call to be successful.

For example, for a service account name sa&1, instead of

api/v2/orgs/1/api_keys?type=service_account&name=sa&1

enter the call as

api/v2/orgs/1/api_keys?type=service_account&name=sa%261
User-Based API Keys

This Public Stable API allows you to manage API keys and make API calls to the PCE.

Working with User-based API Keys
User API Key Methods

Functionality

HTTP

URI

Get a collection of API keys

GET

[api_version][user_href]/api_keys

Get an individual API key

GET

[api_version][api_key_href]

Create an API key

POST

[api_version][user_href]/api_keys

Update an API key

PUT

[api_version][api_key_href]

Delete an API key

DELETE

[api_version][api_key_href]

Parameters

Parameter

Description

Type

user_id

The user ID in the form of an HREF (e.g., 'users/6') of the user who created the API key.

String

api_key_id

This is the actual API key ID. Used only for DELETE.

String

org_id

Organization ID

Integer

max_results

Maximum number of api keys to return.

Integer

username

Username of the user to filter by

String

name

(POST, PUT, GET) The key name - just a label to be used

String

role

Role URI (JSON-encoded string) to filter on

Sring

state

State of api keys - active or expired

Sring

type

Type of principal - User or Service Account

String

Response Properties

Property

Description

Type

key_id

This is the actual API key ID. Use this query parameter only for a GET instance call.

String

auth_username

Username required for authentication

String

created_at

Timestamp when this key was first created (RFC 3339)

String

name

The key name - just a label to be used

Sring

href

URI of the key

date/time

List User-Based API Keys

When you GET an individual API key or a collection of API keys, the response only returns those API keys created by the user that has authenticated with the PCE for the session.

This API gets one API key or a collection of API keys that a specific user has created. To get a single API key, you need to know the API key’s URI, which is returned in the form of an HREF path when you create an API key, as well as the HREF of the user who created the key.

You can query the user API keys as follows:

GET /api/v2/orgs/:xorg_id/api_keys?type=user

You can also query the user-based API keys based on their expiration:

GET /api/v2/orgs/:xorg_id/api_keys?type=user&state=active
GET /api/v2/orgs/:xorg_id/api_keys?type=user&state=expired
GET [api_version][user_href]/api_keys

Curl Command to Get a Key

The API key is identified in the form of an HREF path property:

"/users/11/api_keys/a034248fbcdd60b4"
curl -i -X GET https://pce.my-company.com:8443/api/v2/users/11/api_keys/a034248fbcdd60b4 -H "Accept: application/json" -u $KEY:$TOKEN

Get a Collection of Keys

To use an API key, store the key and secret safely. Anyone with access to both has access to your organization's API.

Due to security concerns, external users are not allowed to create an API Key even if their roles allow it.

curl -i -X GET https://pce.my-company.com:8443/api/v2/users/11/api_keys -H "Accept: application/json" -u $KEY:$TOKEN

Response Body

An API key is represented by its HREF path, as shown here:

/users/29/api_keys/1e9bb1787883639d5

For example:

[
  {
    "href": "/users/29/api_keys/1e9bb1787883639d5",
    "key_id": "1e9bb1787883639d5",
    "auth_username": "api_1e9bb1787883639d5",
    "created_at": "2020-01-27T01:30:22.274Z",
    "name": "my_api_key",
    "description": "my_scripting_key"
  },
  {
    "href": "/users/29/api_keys/1793df73a99255f7e",
    "key_id": "1793df73a99255f7e",
    "auth_username": "api_1793df73a99255f7e",
    "created_at": "2016-03-14T16:20:43.603Z",
    "name": "MyKey",
    "description": "My Special Key"
  }
]

Get All Labels with a Key

If you use an API key to get a collection of labels in an organization, and your API key uses these credentials:

  • api_xxxxxxx64fcee809 is the API key

  • xxxxxxx09137412532289d6ecd10bc89c6b1f608c9a85482e7a573 is the secret (API key password)

curl -i -X GET https://pce.my-company.com:8443/api/v2/orgs/3/labels -H "Accept: application/json" -u api_xxxxxxx64fcee809:'xxxxxxx09137412532289d6ecd10bc89c6b1f608c9a85482e7a573'

Session and persistent (API key) credentials are represented in this document as the constants $KEY:$TOKEN (with no spaces).

curl -i -X GET https://pce.my-company.com:8443/api/v2/orgs/3/labels -H "Accept: application/json" -u $KEY:$TOKEN
Create a User-based API Key

This API creates a unique API key and returns an API key ID and secret, which you can use to get, update, or delete the key, and to make other API calls.

To create an API key, you first need to authenticate either using a session token or another API key. To obtain a session token, use the Users API and authenticate with the PCE. You will receive your user ID, user HREF, and a session token that you can use when you call this API to create an API key.

Important

If you use an API key, safely store the key and the secret. Anyone with access to both will have access to the API for your organization.

Important

Due to security concerns, external users are not allowed to create an API Key even if their roles allow it.

URI

POST [api_version][user_href]/api_keys

An example user HREF looks like this:

/users/99
{
     "name": "my_api_key",
     "description": "my_scripting_key"
}

To create a user-based API key

In this curl command, the user authentication (-u) uses the session credentials returned from calling the Login API to log in a user. The API key is passed as a JSON object formatted inside of double quotes in the command:

curl -i -X POST https://pce.my-company.com:8443/api/v2/users/14/api_keys -H "Content-Type:application/json" -u user_14:'xxxxxxx563199f92af7b705ddca2685'-d "{ "name":"my_api_key","description":"my_scripting_key" }"

Response Body

This example shows the response from creating an API key, which you can use for making other API calls. These values do not expire. The auth_username functions as the username, and the secret functions as the password when making other API calls:

{
     key_id: "xxxxxxx6654188229"
     secret: "xxxxxxxxxxxa6a85ce846a706e134ef1d4bf2ac1f253b84c1bf8df6b83c70d95"
     auth_username: api_xxxxxxx6654188229
}

These values can now be use authenticate with the API as follows:

  • Username: api_xxxxxxx29api_xxxxxxx6654188229

  • Password: xxxxxxxxxxxa6a85ce846a706e134ef1d4bf2ac1f253b84c1bf8df6b83c70d95

Use the PCE Web Console

You can also create API keys in the PCE web console with the User Menu.

  1. In the drop-down User menu, select My API Keys.

    A list of configured API keys is displayed.

    If no API keys are configured, the message "No API Keys" is displayed.

  2. To add a new API key, click Add.

  3. In the Create API Key pop-up window, enter a name for the API key in the Name field. Optionally, enter a description in the Description field.

  4. Click Save to save your API key or click Cancel to close the pop-up window without saving your changes.

  5. When the API Key Created window appears, click the > button next to "Show credentials" to display the credentials for your API key.

    The following information is displayed:

    • Key ID: The unique ID of the API key

    • Authentication Username: The username that authenticates the API calls

    • Secret: The password for the API key

  6. Click Download Credentials to download the credentials as a text file. Make sure that you have saved the credential information before clicking Done.

After you click Done, the API Keys page displays a summary of your new API key, including the following information:

  • Name

  • Description

  • Key ID

  • Authentication Username

  • Created On

Note

The credential information is displayed only once. Make sure to save it in a secure location because it is used to access the API for your organization. If the credential information is lost, you must create a new API key.

Update a User-Based API Key

This API allows you to update an API key name or description. To make this call, you need the API key URI, which is returned in the form of an HREF path when you create a User-Based API Key.

Update a User-based API Key

PUT [api_version][api_key_href

Example Payload

{
     "name": "my_api_key1",
     "description": "my_scripting_key v2"
}
curl -i -X POST https://pce.my-company.com:8443/api/v2/users/99/api_keys/a034248fbcdd60b4 -H "Content-Type:application/json" -u $KEY:$TOKEN -d '{ "name": "my_key_1", "description": "my_scripting_key v2" }'
Delete a User-based API Key

To delete an API key, you need the unique API key ID, which is returned in the form of an HREF path property when you either create a new API key, or when you get a single or a collection of API keys.

URI to Delete a User-based API Key

DELETE [api_version][api_key_href]
Service Account-based API Keys

Service account-based APIs allow for the creation and management of API keys based on a service account. You can manage the expiration of service account-based API keys.

Note

Service account API keys cannot be used to operate on service account APIs and on user and service account api_key related APIs.

And for that purpose, you still need a local user API Key to accomplish those tasks.

Service accounts are always organization-based and specific to a PCE. While creating a service account, users create their permissions, and an api_key implicitly gets created. Deleting a service account removes its permissions and all associated API keys.

Methods

Functionality

HTTP

URI

List all service account API keys

GET

[api_version][org_href]/api_keys?type=service_account

To retrieve a specific service account

GET

[api_version][org_href]/service_accounts/:service_account_id

To retrieve all API keys, regardless of the account

GET

api_keys

Create a new service account API key

POST

[api_version][org_href]/service_accounts

To create a new service account API key after performing the required validation

POST

[api_version][org_href]/service_accounts/:service_account_id/api_keys

Update a service account

PUT

[api_version][org_href]/service_accounts/:service_account_id

Delete a service account API key

DELETE

[api_version][org_href]/service_accounts/:service_account_id/api_keys/:key_id

Delete a service account including any associated API keys

DELETE

[api_version][org_href]/service_accounts/:service_account_id

Parameters for Service-based API Keys

Parameter

Description

Type

Required

org_id

Organization ID.(GET, POST, PUT, DELETE)

Integer

Yes

max_results

Maximum number of service accounts to return (GET)

Integer

No

name

Name of service account to filter by

String

No(GET)

Yes(POST)

role

Role URI (JSON-encoded string) to filter on(GET)

String

No

service_account_id

Service account UUID (GET account info, DELETE, PUT, POST)

String

Yes

api_key_id

API Key ID (DELETE)

String

Yes

Response Properties for Service-based API Keys

Property

Description

Type

Required

name

Service account name

String

Yes

href

Yes

created at

Timestamp when this service account was first created (RFC 3339)

date/time

Yes

updated_at

Timestamp when this service account was last updated

date/time

Yes

created_by

User who originally created this service account

Required: href

Object

Yes

updated_by

User who last updated this service account

Struing

Yes

permissions

List of permissions:

required: role, scope

Array

Yes

role

Reference to common/orgs_roles.schema.json

scope

Reference to org_scope.schema.json

api_keys

List of associated api_keys

Reference to api_keys_get.schema.json

Yes

api_key

required: "expires_in_seconds"

"type": "integer",

"minimum": -1,

"maximum": 2147483647

Object

access_restriction

Access restriction assigned to the keys created under this service_account

Object, Null

No

href

URI of service_account

String

api_keys

List of associated api_keys

Reference to api_keys_get.schema.json

Array

No

expires_in_seconds

Validity of the api_key, in seconds

"type": "integer",

"minimum": -1,

"maximum": 2147483647

String

No

last_login_on

Timestamp when this key was last used

date/time

account

required:

"href": Associated identity

"type": Type of the account

"name": Name of the account

Yes

Yes

Yes

service_account_id

Service account UUID (GET account info, DELETE, PUT, POST)

String

No

api_key_id

API Key ID (DELETE)

String

Yes

Parameters for api_keys_get (all API keys)

Parameter

Description

Type

Required

key_id

Key ID

String

Yes

auth_username

Username required for authentication

String

Yes

name

The key name - just a label to be used

String

Yes

role

Role URI (JSON-encoded string) to filter on(GET)

String

No

service_account_id

Service account UUID (GET account info, DELETE, PUT, POST)

String

No

api_key_id

API Key ID (DELETE)

String

No

Response Properties for api_keys_get (all API keys)

Property

Description

Type

Required

key_id

Key ID

String

Yes

auth_username

Username required for authentication

String

Yes

created at

Timestamp when this service account was first created (RFC 3339)

date/time

Yes

name

Service account name

String

Yes

Yes

href

URI of the key

String

Yes

state

State of the api_key

String

No

expires_in_seconds

Validity of the api_key, in seconds

String

No

created_by

User who originally created this api key

String

No

last_login_on

Timestamp when this key was last used

Examle: "last_login_on": "2023-04-22T03:54:25Z"

date/time

account

required:

"href": Associated identity

"type": Type of the account

"name": Name of the account

Yes

Yes

Yes

access_restriction

Access restriction assigned to the keys created under this service_account

Object, Null

permissions

List of permissions:

required: role, scope

Array

Yes

role

Reference to common/orgs_roles.schema.json

scope

Reference to org_scope.schema.json

Service account-based API keys' expiration is defined by owners who can specify the default expiration time.

The key expiration time is specified with a default value specified in the settings, where the expiration date of an existing API key cannot be modified.

When an API request is authenticated by an expired API key, the request is rejected and the audit event triggered by this failure includes the API key's Key ID and the expired status of the API Key. The details also include the expiration date and the last_used_at date.

Query Keys by Expiration

To retrieve the API keys based on the expiration (active or expired) used these APIs:

GET /api/v2/orgs/:xorg_id/api_keys?type=service_account&state=expired

This query lists all expired API keys.

GET /api/v2/orgs/:xorg_id/api_keys?type=service_account&state=active

This query lists all active API keys.

Settings

Settings for service account-based API keys specify the default expiration period for service account keys and retention period for expired keys.

The Public Experimental APIs that manage API keys settings are based on the role of the organization administrator (this_org_admin) and are ad follows:

  • GET /api/v2/orgs/:xorg_id/settings

    Support for viewing api_key settings for an organization.

  • PUT /api/v2/orgs/:xorg_id/setting

    Support for updating api_key settings for an organization.

    API key expiration is now set between -1and 2147483647 seconds and expired key retention is a minimum of 0 seconds.

    The settings_put.schema.json schema looks as follows:

    {
	"$schema": "http://json-schema.org/draft-04/schema#",
	"type": "object",
	"additionalProperties": false,
	"properties": {
	   "max_api_key_expiration_in_seconds": {
		"description": "Validity of api_key in seconds; -1 specifies api_keys never expire",
		"type": "integer",
		"minimum": -1,
		"default": 7776000,
		"maximum": 2147483647
	    },
	  "expired_api_keys_retention_in_seconds": {
	   	"description": "Retention of expired api_keys in the database",
		"type": "integer",
		"default": 7776000,
		"minimum": 0,
		"maximum": 31536000
	    },
	   "advanced_ruleset_display": {
		"description": "When true, the UI will display rulesets in advanced mode. This means that scopes will be displayed for any unscoped rulesets, including newly added rulesets.",
		"type": "boolean",
		"default": true
		},
	    "ven_maintenance_token_required": {
		"description": "Identifies if the tampering protection for the VEN and endpoints is enabled or not.",
		"type": "boolean",
		"default": false
		}
	}
}

The new property ven_maintenance_token identifies if the tampering protection for the VEN and endpoints is enabled. The default is "not enabled".

Create a new Service Account API Key

Request

{
	"name": "key3",
	"description": "testing key 3",
	"access_restriction": {
		"href": "/orgs/1/access_restrictions/2"
		},
	"permissions": [
		{
		"role": { "href": "/orgs/1/roles/ruleset_manager"},
		"scope": [
		{
			"label": {
			"href": "/orgs/1/labels/9",
			"key": "env",
			"value": "Development"
		}
	}
	]
},
{
		"role": { "href": "/orgs/1/roles/owner" },
		"scope":  []
	}
],
	"api_key": {
	"expires_in_seconds": 86400
	}
}

Response

{
	"name": "service_account1",
	"description": "testing service_account",
	"href": "/orgs/1/service_accounts/33ed7e04-9b25-4c9a-a031-a6b1bd437807",
	"access_restriction": {
		"href": "/orgs/1/access_restrictions/2"
		},
	"permissions": [
		{
		"href": "/orgs/1/permissions/84e5541f-3349-41c9-8fdb-9756faf96baa",
		"role": {"href": "/orgs/1/roles/ruleset_manager"
			},
		"scope": [
			{
			"label": {
			"href": "/orgs/1/labels/9"
		}
	}
	]
},
{
		"role": {
			"href": "/orgs/1/roles/owner"
		},
		"scope": []
		}
	],
	"api_key": {
		"auth_username": "api_135c247aa6e3b654e",
	"secret": "ab80cc497f7556e0cd72703c5229d814322c301d14d2d8d8c7060d516990097b"
	}
}