https://live.paloaltonetworks.com/t5/automation-api-discussions/pan-os-10-2-api-key-acquisition-without-password-in-url/m-p/513764#M3103 <P>Giving the authentication information via body in a POST is still supported in PAN-OS v10.2.&nbsp; Both the pan-os-python and pango libraries do it this way, and still supply the API key as part of the body in API requests.</P> Thu, 01 Sep 2022 17:58:24 GMT gfreeman 2022-09-01T17:58:24Z https://live.paloaltonetworks.com/t5/automation-api-discussions/pan-os-10-2-api-key-acquisition-without-password-in-url/m-p/513743#M3101 <P>Is it possible to request an API key via&nbsp;"<SPAN>/api/?type=keygen"</SPAN> without providing the account password in the URL? This seems like a notable security issue since the URL is not encrypted. These pages suggest it is possible:&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/authenticate-your-api-requests" target="_blank" rel="noopener">Authenticate Your API Requests</A>,&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-panorama-api/about-the-pan-os-xml-api/structure-of-a-pan-os-xml-api-request/api-authentication-and-security#id12582d9a-f80e-42c3-a028-2fdbb5ff0bdd" target="_blank" rel="noopener">API Authentication and Security</A>. However, my testing of the "Authentication: Bearer" header via "<SPAN>/api/?type=keygen"&nbsp;</SPAN>results in an error about a missing user parameter.</P><P>&nbsp;</P><P>Edit: Typing from memory - bad. That header should be "Authorization: Basic ..."</P> Thu, 01 Sep 2022 18:43:56 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/pan-os-10-2-api-key-acquisition-without-password-in-url/m-p/513743#M3101 SSargent_ICTWA 2022-09-01T18:43:56Z https://live.paloaltonetworks.com/t5/automation-api-discussions/pan-os-10-2-api-key-acquisition-without-password-in-url/m-p/513764#M3103 <P>Giving the authentication information via body in a POST is still supported in PAN-OS v10.2.&nbsp; Both the pan-os-python and pango libraries do it this way, and still supply the API key as part of the body in API requests.</P> Thu, 01 Sep 2022 17:58:24 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/pan-os-10-2-api-key-acquisition-without-password-in-url/m-p/513764#M3103 gfreeman 2022-09-01T17:58:24Z https://live.paloaltonetworks.com/t5/automation-api-discussions/pan-os-10-2-api-key-acquisition-without-password-in-url/m-p/513776#M3104 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/46544">@gfreeman</a>&nbsp;Thanks for mentioning the POST/body option. I found the specifics in the third example here:&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-panorama-api/about-the-pan-os-xml-api/structure-of-a-pan-os-xml-api-request" target="_blank">Structure of a PAN-OS XML API Request</A></P> Thu, 01 Sep 2022 19:00:02 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/pan-os-10-2-api-key-acquisition-without-password-in-url/m-p/513776#M3104 SSargent_ICTWA 2022-09-01T19:00:02Z