How API session authentication works

Authentication is a required part of issuing every API call. However, rather than providing the user credentials on each call, you must first obtain an authentication token. This token is initially generated based on a user name and password; the token must be supplied on all of the subsequent API calls.

The management API can be accessed in several ways, including using the product's native browser interface, Swagger page, or a programming language (such as Python). In each case, there is a common logic flow or pattern of usage related to authentication. The general flow that you must use when accessing the API is as follows:

  1. Create an API session by providing a user name and password
  2. Extract the authentication token and other information from the HTTP response
  3. Optionally perform one or more additional API calls as needed to complete the desired task, supplying the authentication token as well as other information on each call
  4. Delete the session, which resets the authentication token

Therefore, regardless of how the management API is accessed, using the API always begins by generating an authentication token and ends with resetting the token.
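
The four-step flow above as an added Python example (not code from the product or its documentation): a context manager creates the session, supplies the token on each call, and deletes the session even when a call fails. The `/sessions` and `/volumes` paths, the JSON field names, and the in-memory `StubApi` are constructed placeholders, not the product's real endpoints.

```python
import contextlib
import secrets

class StubApi:
    """Constructed in-memory stand-in for the management API; paths and fields are hypothetical."""
    def __init__(self, user, password):
        self._login = {"username": user, "password": password}
        self.live_tokens = set()

    def request(self, method, path, token=None, body=None):
        if (method, path) == ("POST", "/sessions"):
            if body != self._login:
                return 401, {}
            new_token = secrets.token_hex(16)
            self.live_tokens.add(new_token)
            return 201, {"token": new_token}
        if token not in self.live_tokens:
            return 401, {}  # every other call requires a live token
        if (method, path) == ("DELETE", "/sessions"):
            self.live_tokens.discard(token)  # step 4: the token is reset
            return 204, {}
        return 200, {"path": path}

@contextlib.contextmanager
def api_session(api, user, password):
    """Steps 1-4: log in once, yield a token-bearing caller, always delete the session."""
    body = {"username": user, "password": password}
    status, data = api.request("POST", "/sessions", body=body)  # step 1
    if status != 201:
        raise PermissionError("session creation failed")
    token = data["token"]  # step 2: credentials are not sent again after this

    def call(method, path):
        status, data = api.request(method, path, token=token)
        if status == 401:
            raise PermissionError("token rejected")
        return data

    try:
        yield call  # step 3: the caller performs its task
    finally:
        api.request("DELETE", "/sessions", token=token)  # runs even on error

def demo():
    # A task that fails mid-session must still leave no valid token behind.
    api = StubApi("admin", "constructed-password")
    with contextlib.suppress(RuntimeError):
        with api_session(api, "admin", "constructed-password") as call:
            call("GET", "/volumes")
            raise RuntimeError("task failed mid-session")
    return len(api.live_tokens)
```

Putting the delete call in `finally` is what keeps a failed task from leaving a usable token on the server.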