API Key Lifetime functionality - Giving different keys within the Lifetime period itself.

Showing results for 
Show  only  | Search instead for 
Did you mean: 

API Key Lifetime functionality - Giving different keys within the Lifetime period itself.

L1 Bithead

Hi Team,


We have API Key Lifetime configured to 20 mins. But if we are trying to get the API key within 5 mins gap (for example) it is giving different keys. Kindly help me to understand this function. I am trying to view the keys using the below URL, its giving the different keys but always first few and last few string are same.






L5 Sessionator

Hi @ArunkumarDurais, that API command is a "keygen" command, for API key generation. Every time you call it, you generate a new key, so this is expected behaviour. If you have already done a keygen command, I would suggest to store the key in a variable (in whatever language/script/tool you are using) so that you can reuse it for the next 19 minutes. Hope that helps...

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

L1 Bithead

Hi JimmyHolland,


Thanks for the update, even i suspected the same. Is there any way to see the current key in the firewall using any API command without any external scripts.

We have a compliant for Firemon integration that the firewall is rejecting the connection even if the Firemon is presenting same key within the API Key lifetime. So we are trying to confirm whether the firewall is holding the same within the Key lifetime period or not.

Hi @ArunkumarDurais, I don't believe there is a way to see generated keys (which is not uncommon for API keys in various systems), hence whatever system does the keygen needs to store the key, for the lifetime it is valid per your config. I would run the keygen manually with the API command you quoted at the start of this thread, then use it a few minutes later for a simple info query API command e.g. 


It should work, and should work at 19 minutes, and should then stop working by 21 minutes (if you have lifetime set to 20 minutes.) That should prove that PAN-OS is working correctly; if that fails, open a TAC case. It if works, something Firemon is doing is not correct. Hope that helps?

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

L4 Transporter

@ArunkumarDurais There is a bit of misconception about how the API keys work on firewalls/Panorama.

The keys are not "generated" and thus not saved. The key a hash function of the account username, password and time/date of generation (and this is the reason you get different key every time).

The key lifetime was introduced in PanOS9. Before 9, the API key was only a function of the username and password and you used to get the same every time you "generate" it. 

So when you send the key to firewall, it user its algorithm to convert it to the date/time of generation, username and password. If the time is within you API configured lifetime, then the username and password will be used for authentication. If not or if you changed the password, then authentication will fail. 

  • 4 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!