API Tokens
Until release 3.7.0, the only available means of authenticating API calls from outside were either:
- username and password (to be able to login),
- or short-lived UI tokens generated by the API and sent as JWTs along with the requests. There is also a refresh token used to renew the short-lived UI tokens.
The information about the user, along with the user’s permissions, is encoded in the token itself, so once a UI token is issued, it cannot be revoked (which is why these tokens are typically short-lived).
Starting from 3.7.0, long-lived API tokens were introduced for authenticating API calls. They are a bit slower than UI tokens because the token is verified in the DB with each API call, but they can be revoked easily.
To use API tokens, you need to generate them in the UI or using the API.
Please note that the token string is only visible when you create the token in the UI or in the returned API JSON response. For this reason, please make sure you copy the token string when creating the API token in the UI.
Starting from 6.3.0, the API token must be auto-generated by IP Fabric and cannot be a custom string. This is a breaking change when posting to /api/v6.3/api-tokens, which no longer accepts the token argument when creating a new token using the API.
To use the token, send it in the X-API-Token HTTP header along with the request:
curl -v -H "X-Api-Token: ${YOUR_TOKEN}" https://${IPF_HOST_PORT}/api/v5.0/api-tokens
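The revocation trade-off described above, between self-contained UI tokens and database-verified API tokens, shown as an added Python sketch that is not IP Fabric's code. The signing key, the SQLite table, storing only a SHA-256 digest of the token, and all function and class names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, sqlite3, time

SECRET = b"constructed-demo-key"  # constructed signing key for this example only

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_ui_token(user, perms, ttl=300):
    """Short-lived HS256 JWT: user and permissions travel inside the token."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "perms": perms, "exp": int(time.time()) + ttl}
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_sign(head + '.' + body))}"

def verify_ui_token(token):
    """Stateless check (signature, expiry); no lookup, so nothing to revoke."""
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(_sign(head + "." + body), _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:
        return None
    return claims if claims["exp"] > time.time() else None

class ApiTokenStore:
    """Long-lived tokens: server-generated, stored hashed, looked up per call."""
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE api_tokens (digest TEXT PRIMARY KEY, user TEXT)")
    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user):
        token = secrets.token_urlsafe(32)  # auto-generated, never caller-supplied
        self.db.execute("INSERT INTO api_tokens VALUES (?, ?)", (self._digest(token), user))
        return token  # plaintext is returned once and not stored

    def verify(self, token):
        row = self.db.execute("SELECT user FROM api_tokens WHERE digest = ?", (self._digest(token),)).fetchone()
        return row[0] if row else None

    def revoke(self, token):
        self.db.execute("DELETE FROM api_tokens WHERE digest = ?", (self._digest(token),))
```

The per-call `SELECT` in `verify` is the extra cost the text mentions; it is also what lets `revoke` take effect on the very next request, whereas an issued UI token stays valid until its `exp` passes.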