API authentication
Depending on the permissions associated with your API token and the Absolute product licenses associated with your account, some API resources may not be available.
You can use Absolute's Application Program Interfaces (APIs) to directly access Absolute functionality and data without using the Secure Endpoint Console. Any business functionality invoked by the APIs is equivalent to the functionality available through the Secure Endpoint Console.
All Absolute API requests must be authenticated. To create and authenticate an API request, you need to generate an API token in the Secure Endpoint Console. You can create a token that uses either asymmetric or symmetric encryption.
Asymmetric encryption
Asymmetric encryption uses a key pair consisting of a public key and a private key. Only the public key is shared between parties. For this type of token, you generate a public and private key pair outside of the Secure Endpoint Console, and upload the public key to the Secure Endpoint Console. You are the only party that has access to the private key.
The API and the SCIM integration support asymmetric encryption.
Symmetric encryption
Symmetric encryption uses a key that's shared between parties. For this type of token, you generate a token ID with a secret key directly in the Secure Endpoint Console. The secret key is the shared key.
The API, and the SIEM, SCIM, and ServiceNow integrations support symmetric encryption.
Permissions
API token permissions are set when the token is created. By default, the token has the same permissions as your assigned user role. This means that if you have access to certain functionality in the Secure Endpoint Console, the token you create has equivalent access in the API. If your user account is assigned to one or more device groups when the token is created, the token is assigned those device groups. If your user account's device group assignment is updated in the future, the token isn't updated. The token is still assigned to the original device groups.
When you create the token, you can modify the token's permissions. You can't assign a token permissions that your user role doesn't have, but you can remove permissions. For added security, limit the API token to the minimum permissions required for its intended use. Once the token is created, the permissions for the token can't be changed.
If the user role associated with the API token is assigned dual approval limits, devices in requests created using the API token are included in the device total. Requests created using the Absolute APIs that exceed the daily threshold also require approval.
If the user account associated with the token is suspended, the token is also suspended and labeled Suspended in API management. If the user account is reactivated, the token is also reactivated. Suspended tokens can't be modified but can be deleted.
If the user account associated with the token is deleted, the token is also deleted.
Expiry
Newly created tokens must have an expiry date. By default, the expiry date is 90 days from the day the token is created. You can set the expiry date to be up to one year from the creation date. If you edit a token that doesn't have an expiry date, you are required to add an expiry date before you can save your changes. You can continue to use the token until 23:59:59 UTC on the day the token expires.
The user associated with the token and all users assigned to the default System Administrator role receive an email three days before the expiry date. Before a token expires, you can edit the expiry date of the token to be up to one year from the day that you are editing the token.
The user associated with the token and all users assigned to the default System Administrator role receive a second email when the token expires. An API Token expired event is logged to Event History. You can view expired tokens in the Secure Endpoint Console. Expired tokens are labeled Expired in API management and can't be modified.
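The expiry rules above, as an added example that is not Absolute's code: a Python audit of a token inventory that treats each token as usable until 23:59:59 UTC on its expiry day, so a check run in local time does not report a dead token as live. The inventory, the status names and the 14-day rotation lead are assumptions made for the illustration.

```python
from datetime import date, datetime, time, timedelta, timezone
from typing import Optional

ROTATE_LEAD_DAYS = 14  # assumption: local policy, wider than the 3-day email notice


def last_valid_instant(expiry: date) -> datetime:
    """A token stays usable until 23:59:59 UTC on its expiry day."""
    return datetime.combine(expiry, time(23, 59, 59), tzinfo=timezone.utc)


def classify(expiry: Optional[date], now: datetime, lead_days: int = ROTATE_LEAD_DAYS) -> str:
    """Return 'no-expiry', 'expired', 'rotate' or 'ok' for one token."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware; expiry is defined in UTC")
    if expiry is None:
        return "no-expiry"  # older token; an expiry date is required on its next edit
    end = last_valid_instant(expiry)
    now_utc = now.astimezone(timezone.utc)
    if now_utc > end:
        return "expired"
    if now_utc >= end - timedelta(days=lead_days):
        return "rotate"
    return "ok"


# Constructed inventory; names and dates are sample data, not console output.
INVENTORY = [
    {"name": "siem-export", "expiry": date(2025, 3, 31)},
    {"name": "scim-sync", "expiry": date(2025, 4, 10)},
    {"name": "reporting", "expiry": date(2025, 9, 1)},
    {"name": "legacy-script", "expiry": None},
]


def audit(inventory, now: datetime) -> dict:
    """Map each token name to its status at the given moment."""
    return {t["name"]: classify(t["expiry"], now) for t in inventory}


if __name__ == "__main__":
    # 20:30 on 31 March in UTC-5 is already 01:30 UTC on 1 April.
    local_now = datetime(2025, 3, 31, 20, 30, tzinfo=timezone(timedelta(hours=-5)))
    for name, status in audit(INVENTORY, local_now).items():
        print(f"{name:15} {status}")
```

In the sample run, siem-export is reported as expired even though the local calendar date is still its expiry date.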
For more information on authentication, see the following resources:
- API: the Absolute API documentation
- SCIM integration: Setting up SCIM integration
- SIEM integration: Setting up integration with a SIEM application
- ServiceNow: the Absolute Connector Install Guide, which you can download from the ServiceNow store