Working with the API

PAM provides a full suite of REST-based APIs that can be used to interact with all aspects of the software, either from custom code or through integration with third-party systems.

To view the full, interactive REST API documentation utilizing OpenAPI formatting, navigate to Administration > Settings > Application Nodes and click the API Documentation link.

To see additional API scripts, commands and examples in different languages (PowerShell, Shell, VBScript and Python), we encourage you to visit our online help site and search the API documentation.

There are several detailed articles that explain advanced topics when working with the PAM APIs.

Authentication Tokens

Authentication Tokens allow users to work with the API and create secure communication channels without having to hardcode usernames and passwords into their code.

In addition to the benefit of using authentication tokens rather than user and password values in your code, tokens also:

  • Have an expiration date to provide temporary usage to internal or external resources.

  • Are associated with an actual PAM user account to more easily correlate API functions back to the user.

  • Can be restricted by an IP filter to limit their use to specific locations.

  • Include a comment field to describe their intended usage.

  • Can be disabled (and later enabled again) or permanently deleted.

NOTE: The use of Authentication Tokens in PAM requires certain prerequisites to be installed and configured on the host server. Please review our online Authentication Token article regarding these requirements.

Managing Tokens

  1. To work with new or existing authentication tokens, navigate to Administration > Tokens. 

  2. Only System Administrators can create and manage Tokens.

  3. To generate a new token, click the Generate Token button and populate the fields as described below.

  4. When finished, click the Generate button to generate the token.

  5. Once generated, the actual token will appear in the read-only Token field on this form.

Principal

Enter a user to be associated to this token. A token cannot be assigned to multiple users or groups.

Expiration (mins)

Token expiration time in minutes. Leave this field empty to generate a token that will not expire.

IP Filter

Token access location, given as a comma-separated list of IPv4 or IPv6 addresses or masks. An entry may optionally be preceded by a dash (-) to indicate that the valid IP space is outside of the specified mask.

Examples of IP Filter:

10.0.0.0/24

-10.0.0.0/24

10.0.0.0/24,10.1.1.0/24,10.2.2.122

Comment

Brief comment about the token’s intended purpose or use.

Token

Displays the token value (read only) once the Generate button is clicked.
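
An IP Filter value in the format described above can be checked before it is entered in the form. The following Python sketch is an added example, not code from PAM or its documentation. The function names and the rule for combining entries (an address is admitted if it matches no dash-prefixed entry and, when plain entries exist, at least one of them) are assumptions.

```python
import ipaddress


def parse_ip_filter(text):
    """Split a filter string into (allow, deny) lists of ip_network objects.

    Raises ValueError on an empty entry or an invalid address or mask.
    """
    allow, deny = [], []
    for raw in text.split(","):
        entry = raw.strip()  # surrounding whitespace tolerated here (assumption)
        if not entry:
            raise ValueError("empty entry in IP filter: %r" % text)
        negated = entry.startswith("-")
        # A bare address such as 10.2.2.122 becomes a single-host network.
        net = ipaddress.ip_network(entry[1:] if negated else entry, strict=False)
        (deny if negated else allow).append(net)
    return allow, deny


def is_allowed(client, text):
    """Return True if the client address passes the filter.

    Combination rule (assumption, not taken from the product):
    any matching dash-prefixed entry rejects the address; otherwise the
    address must match a plain entry, if the filter contains any.
    """
    allow, deny = parse_ip_filter(text)
    addr = ipaddress.ip_address(client)

    def hit(nets):
        # IPv4 and IPv6 entries only ever match addresses of the same family.
        return any(addr.version == n.version and addr in n for n in nets)

    if hit(deny):
        return False
    return hit(allow) if allow else True


if __name__ == "__main__":
    # Constructed sample input: the three filter examples from this page.
    samples = ["10.0.0.0/24", "-10.0.0.0/24", "10.0.0.0/24,10.1.1.0/24,10.2.2.122"]
    for flt in samples:
        for client in ("10.0.0.17", "10.2.2.122", "192.0.2.5"):
            print("%-40s %-12s %s" % (flt, client, is_allowed(client, flt)))
```

Running the script prints, for each of the three example filters, whether three constructed client addresses would be admitted under the stated assumption.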

 

Tokens with an expiration date will display this time in the token’s row. Expired tokens will be shown with this time struck out.

To enable or disable an existing token, click the appropriate Enable or Disable button shown in the token’s row. 

Disabled tokens will be shown with the token value struck out and the Copy to Clipboard option removed.

To permanently delete an existing token, click the Delete button shown in the token’s row.