https://live.paloaltonetworks.com/t5/automation-api-discussions/query-api-with-user-reader/m-p/197972#M1564 <P>Super user (read only) should work for API calls. Can you share your curl script after sanitizing the passwords.</P><P>&nbsp;</P><P>You can always use curl -k&nbsp; to ignore the cert issues.&nbsp;</P> Wed, 31 Jan 2018 17:03:29 GMT SuryaR 2018-01-31T17:03:29Z https://live.paloaltonetworks.com/t5/automation-api-discussions/query-api-with-user-reader/m-p/195599#M1544 Hi, I have created some curl plugins to access via xml api to our Pa-500 and make queries. For that right now I use the admin user to get the id: https: //X.X.X.X/api/? type = keygen &amp; user = admin &amp; password = password The problem that I see that this is very insecure because the key is in the plugin and with it could change the configuration. I tried to create a reader user with the role (superadmin read only and device administrator read only). But both give me error when running the plugin. it tells me I do not have access. My plugins what they do is make monitor / threat / data filtering / system queries, etc. Can someone guide me how to do it safely and why do not read-only high stick users work? Version pa-500 is 7.1.6 Thank you Wed, 17 Jan 2018 20:50:29 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/query-api-with-user-reader/m-p/195599#M1544 Sistemas_SanLucar 2018-01-17T20:50:29Z https://live.paloaltonetworks.com/t5/automation-api-discussions/query-api-with-user-reader/m-p/197972#M1564 <P>Super user (read only) should work for API calls. Can you share your curl script after sanitizing the passwords.</P><P>&nbsp;</P><P>You can always use curl -k&nbsp; to ignore the cert issues.&nbsp;</P> Wed, 31 Jan 2018 17:03:29 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/query-api-with-user-reader/m-p/197972#M1564 SuryaR 2018-01-31T17:03:29Z