Skip to content

API Tokens

Until release 3.7.0, the only available means of authenticating the API calls from outside were either:

  • username and password (to be able to login),
  • or short-lived UI tokens generated by API sent as JWT along the requests. There is also a refresh token used to renew the short-lived UI tokens.

The information about the user, along with the user’s permissions, are encoded in the token itself, so once the UI token is issued, it cannot be revoked (that’s why the tokens are typically short-lived).

Starting from 3.7.0, the API tokens (long-lived) were introduced for authenticating API calls. They are a bit slower than UI tokens as the token is verified in DB with each API call, but they can be revoked easily.

To use API tokens, you need to generate them in the UI or using the API.

Please note that the token string is only visible when you create the token in the UI or in the returned API JSON response. For this reason, please make sure you copy the token string when creating the API token in the UI.

Starting from 6.3.0 the API Token must be auto-generated from IP Fabric and cannot be a custom string. This is a breaking change when posting to /api/v6.3/api-tokens which no longer accepts the token argument when creating a new token using the API.

To use the token, send it in the X-API-Token HTTP header along with the request:

curl -v -H "X-Api-Token: ${YOUR_TOKEN}" https://${IPF_HOST_PORT}/api/v5.0/api-tokens