REST and Authentication

If you want to call REST endpoints on the Panopticon server programmatically, you typically need to authenticate. You have a few options for this:

  • API Tokens
  • Basic Authentication
  • Session
  • Authentication Cookie

 

API Tokens

This is the recommended option. Log in to the Panopticon web UI as an administrator, go to the System > API Tokens tab, and generate a new token. Copy the displayed value and store it in a secure location, because it cannot be recovered later. Then use it as a bearer token in your REST call:

curl http://company.org/panopticon/server/rest/server/myself \
-H "Authorization: Bearer <api-token-value>"

 

Basic Authentication

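This works only if you use username and password authentication, either against <appdata>/users.xml or against LDAP. This mode also enables basic authentication, so you can either set the Authorization header explicitly, where <base64-credentials> is the Base64 encoding of <username>:<password>: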

curl http://company.org/panopticon/server/rest/server/myself \
    -H "Authorization: Basic <base64-credentials>"

Or use the cURL shortcut:

curl http://company.org/panopticon/server/rest/server/myself \
    -u <username>:<password>

 

Session

This option works for any authentication method and is useful if you want to impersonate a normal user or simulate an entire session. Some authentication methods, like OAuth and SAML, are designed to prevent automated logins, so this option is less useful for them: you would need to log in interactively in a browser first.

Authentication is valid for the duration of the user session, so an alternative to passing the username and password on every call is to authenticate once and then keep track of the session ID cookie:

curl -i http://company.org/panopticon/login \
   -d "username=<username>&password=<password>"

The response is a redirect, but you can ignore that; all you need is the session ID:

HTTP/1.1 302
...
Set-Cookie: SESSION=YjUxN2JhNmMtOGFmNy00YWRiLTgzNmUtNDYzMDhmNGQyYzdm; Path=/panopticon; HttpOnly; SameSite=Lax
Location: /panopticon/login_success_info
...

Then pass that on subsequent REST calls:

curl http://company.org/panopticon/server/rest/server/myself \
   -H "Cookie: SESSION=YjUxN2JhNmMtOGFmNy00YWRiLTgzNmUtNDYzMDhmNGQyYzdm"

The server can be configured to rotate session IDs occasionally, so for lengthy sessions you should look for new Set-Cookie headers with a new ID.
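The session steps above, including picking up a rotated session ID, can be wrapped in a few shell functions. This is an added example, not code from the Panopticon documentation; BASE_URL, SESSION_ID and the function names are assumptions made for illustration.

```shell
# Base URL as used on this page; point it at your server's https:// URL where TLS is enabled.
BASE_URL="${BASE_URL:-http://company.org/panopticon}"
SESSION_ID=""

# Read HTTP response headers on stdin and print the value of the last
# SESSION cookie they set; print nothing if no SESSION cookie was set.
extract_session() {
  tr -d '\r' | awk '
    tolower($0) ~ /^set-cookie:/ {
      sub(/^[^:]*:[ \t]*/, "")            # drop the header name
      if ($0 ~ /^SESSION=/) {
        sub(/^SESSION=/, "")              # keep only the cookie value
        sub(/;.*/, "")                    # drop Path, HttpOnly, SameSite, ...
        id = $0
      }
    }
    END { if (id != "") print id }'
}

# Adopt a new session ID if the headers on stdin carry one, otherwise keep
# the current one. Call with a redirect, not a pipe, so SESSION_ID persists.
update_session() {
  _new="$(extract_session)"
  if [ -n "$_new" ]; then SESSION_ID="$_new"; fi
}

# Authenticate once; the redirect body is discarded, only headers are read.
login() {  # usage: login <username> <password>
  _hdrs="$(curl -s -o /dev/null -D - "$BASE_URL/login" \
      --data-urlencode "username=$1" --data-urlencode "password=$2")" || return 1
  update_session <<EOF
$_hdrs
EOF
  [ -n "$SESSION_ID" ]
}

# GET a path under BASE_URL with the session cookie, print the body, and
# follow session ID rotation by re-reading Set-Cookie on every response.
rest_get() {  # usage: rest_get /server/rest/server/myself
  _tmp="$(mktemp)" || return 1
  curl -s -D "$_tmp" -H "Cookie: SESSION=$SESSION_ID" "$BASE_URL$1"
  _rc=$?
  update_session < "$_tmp"
  rm -f "$_tmp"
  return $_rc
}
```

After sourcing the functions, call login once and then rest_get /server/rest/server/myself as often as needed; SESSION_ID always holds the most recent value the server issued.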

 

Authentication Cookie

This option should be avoided, but the server considers a valid authentication JWT cookie to be proof of identity too. Because these cookies expire and can be invalidated by the server for a number of reasons, you should only use them if you are trying to impersonate a normal user and you are not using username and password authentication. Just grab one from a browser where you are already logged in to Panopticon.

 

 

 

(c) 2013-2024 Altair Engineering Inc. All Rights Reserved.
