Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • REST API Solution Guide

    Home FortiAuthenticator 6.0.5 REST API Solution Guide
    6.0.5
    6.6.2
    6.6.1
    6.6.0
    6.5.5
    6.5.4
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.2
    6.2.1
    6.2.0
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.5.0
    5.4.0
    5.3.0
    5.2.0
    5.1.0
    5.0.0

    OAuth server token (/oauth/token/)

    OAuth server token (/oauth/token/)

    URL: https://[server_name]/api/v1/oauth/token/

    This endpoint is used to verify a user's identity and upon confirming that identity, issue a token that allows access to resources protected by the Bearer token. Tokens are issued per application and user, and you can configure applications in the GUI. As long as the access token expiry of the application is not zero, these tokens can expire and can be refreshed. This endpoint can also be used to refresh a previously issued token.

    Supported fields

    Field Display name Type Required Other restrictions
    username User username string If grant_type is password
    password User password string If grant_type is password
    realm User realm string If grant_type is password, and user is not local The default realm is the realm selected as the default under Authentication > Self-Service Portal > Access Control > Realms. If you are authenticating a user from the default realm, you do not need to specify a realm.
    refresh_token Token used to refresh access_token string If grant_type is refresh_token
    grant_type OAuth grant type string Yes
    client_id String ID of client or application string Yes
    client_secret Hash client secret string If application client_type is 'confidential'
    challenge The type of multi-factor authentication challenge string If responding to multi-factor authentication challenge with challenge response Can be 'otp', 'radius', etc. Reuse the challenge you received from the token endpoint.
    challenge_response String code challenge response string If responding to challenge
    method The method of challenge response string Yes Required if responding with an OTP challenge
    session OAuth grant type string If responding with an OTP challenge with ftm-push method

    Allowed methods

    HTTP method Resource URI Action
    POST /api/v1/oauth/token/ Get token, or refresh token.

    Response codes

    In addition to the general codes defined in General API response codes, a POST request to this resource can also result in the following return codes:

    Code Response content Description
    200 OK Valid credentials
    401 Unauthorized Invalid credentials, or user improperly configured
    406 Not Acceptable Challenge, method, status, and optional session Initial credentials are valid, but the user requires more information. Send additional information.

    Example

    Get token:

    curl -k -v -X POST \

    https://[FortiAuthenticator_IP]/api/v1/oauth/token/ \

    -H 'Content-Type: application/json' \

    -d '{

    "username": "luser1",

    "password": "12345678",

    "client_id": "client_id",

    "grant_type": "password"

    }'

    Response:

    {

    "access_token": "shrWNdu1xJRUgpcUi2bhYRX1Sl8pXe",

    "expires_in": 0,

    "message": "successfully authenticated",

    "refresh_token": "tU85BMdOoV3pktSSiLaABJN7ySiADZ",

    "scope": "read",

    "status": "success",

    "token_type": "Bearer"

    }

    Refresh a token:

    curl -k -v -X POST \

    https://[FortiAuthenticator_IP]/api/v1/oauth/token/ \

    -H 'Content-Type: application/json' \

    -d '{

    "grant_type": "refresh_token",

    "refresh_token": "tU85BMdOoV3pktSSiLaABJN7ySiADZ"

    }'

    Response:

    {

    "access_token": "fzMK69MdyA0vRJXh2CWnuHRcpuQrpL",

    "expires_in": 0,

    "message": "Token has been refreshed successfully",

    "refresh_token": "UqCV1xEPSoq4vSLE0YgXAkF2zzMGO5",

    "scope": "read",

    "status": "success",

    "token_type": "Bearer"

    }

    Get a token with FTM push:

    curl -k -v -X POST \

    https://[FortiAuthenticator_IP]/api/v1/oauth/token/ \

    -H 'Content-Type: application/json' \

    -d '{

    "username": "luser1",

    "password": "12345678",

    "client_id": "client_id",

    "grant_type": "password"

    }'

    Response:

    {

    "challenge": "otp",

    "method": "ftm-push",

    "session": "480dccc0f6bf4ed69ba484320ef92781",

    "status": "pending"

    }

    Check for FTM-PUSH approval:

    curl -k -v -X GET \

    'https://[FortiAuthenticator_IP]/api/v1/pushpoll/?s=480dccc0f6bf4ed69ba484320ef92781' \

    -H 'Content-Type: application/json' \

    Response if status is 'pending':

    {

    "challenge": "otp",

    "method": "ftm-push",

    "session": "480dccc0f6bf4ed69ba484320ef92781",

    "status": "pending"

    }

    Response if status is 'success' (The push request was approved):

    {

    "challenge": "otp",

    "challenge_response": "3njPWHp6LgXtRwwXabEN",

    "method": "ftm-push",

    "session": "480dccc0f6bf4ed69ba484320ef92781",

    "status": "success"

    }

    Use the successful push session code to get a token:

    curl -k -v -X POST \

    https://[FAC_IP]/api/v1/oauth/token/ \

    -H 'Content-Type: application/json' \

    -d '{

    "username": "luser1",

    "password": "12345678",

    "client_id": "client_id",

    "grant_type": "password",

    "challenge": "otp",

    "challenge_response": "3njPWHp6LgXtRwwXabEN",

    "method": "ftm-push",

    "session": "480dccc0f6bf4ed69ba484320ef92781"

    }'

    Response:

    {

    "access_token": "c1t2I989RnZCn7xFNsDGLtGShdeSL6",

    "expires_in": 36000,

    "refresh_token": "nP0Fq74huju4gDLCR5jXHSxerDAXD3",

    "scope": "read",

    "status": "success",

    "token_type": "Bearer"

    }

    Previous
    Next

    OAuth server token (/oauth/token/)

    OAuth server token (/oauth/token/)

    URL: https://[server_name]/api/v1/oauth/token/

    This endpoint is used to verify a user's identity and upon confirming that identity, issue a token that allows access to resources protected by the Bearer token. Tokens are issued per application and user, and you can configure applications in the GUI. As long as the access token expiry of the application is not zero, these tokens can expire and can be refreshed. This endpoint can also be used to refresh a previously issued token.

    Supported fields

    Field Display name Type Required Other restrictions
    username User username string If grant_type is password
    password User password string If grant_type is password
    realm User realm string If grant_type is password, and user is not local The default realm is the realm selected as the default under Authentication > Self-Service Portal > Access Control > Realms. If you are authenticating a user from the default realm, you do not need to specify a realm.
    refresh_token Token used to refresh access_token string If grant_type is refresh_token
    grant_type OAuth grant type string Yes
    client_id String ID of client or application string Yes
    client_secret Hash client secret string If application client_type is 'confidential'
    challenge The type of multi-factor authentication challenge string If responding to multi-factor authentication challenge with challenge response Can be 'otp', 'radius', etc. Reuse the challenge you received from the token endpoint.
    challenge_response String code challenge response string If responding to challenge
    method The method of challenge response string Yes Required if responding with an OTP challenge
    session OAuth grant type string If responding with an OTP challenge with ftm-push method

    Allowed methods

    HTTP method Resource URI Action
    POST /api/v1/oauth/token/ Get token, or refresh token.

    Response codes

    In addition to the general codes defined in General API response codes, a POST request to this resource can also result in the following return codes:

    Code Response content Description
    200 OK Valid credentials
    401 Unauthorized Invalid credentials, or user improperly configured
    406 Not Acceptable Challenge, method, status, and optional session Initial credentials are valid, but the user requires more information. Send additional information.

    Example

    Get token:

    curl -k -v -X POST \

    https://[FortiAuthenticator_IP]/api/v1/oauth/token/ \

    -H 'Content-Type: application/json' \

    -d '{

    "username": "luser1",

    "password": "12345678",

    "client_id": "client_id",

    "grant_type": "password"

    }'

    Response:

    {

    "access_token": "shrWNdu1xJRUgpcUi2bhYRX1Sl8pXe",

    "expires_in": 0,

    "message": "successfully authenticated",

    "refresh_token": "tU85BMdOoV3pktSSiLaABJN7ySiADZ",

    "scope": "read",

    "status": "success",

    "token_type": "Bearer"

    }

    Refresh a token:

    curl -k -v -X POST \

    https://[FortiAuthenticator_IP]/api/v1/oauth/token/ \

    -H 'Content-Type: application/json' \

    -d '{

    "grant_type": "refresh_token",

    "refresh_token": "tU85BMdOoV3pktSSiLaABJN7ySiADZ"

    }'

    Response:

    {

    "access_token": "fzMK69MdyA0vRJXh2CWnuHRcpuQrpL",

    "expires_in": 0,

    "message": "Token has been refreshed successfully",

    "refresh_token": "UqCV1xEPSoq4vSLE0YgXAkF2zzMGO5",

    "scope": "read",

    "status": "success",

    "token_type": "Bearer"

    }

    Get a token with FTM push:

    curl -k -v -X POST \

    https://[FortiAuthenticator_IP]/api/v1/oauth/token/ \

    -H 'Content-Type: application/json' \

    -d '{

    "username": "luser1",

    "password": "12345678",

    "client_id": "client_id",

    "grant_type": "password"

    }'

    Response:

    {

    "challenge": "otp",

    "method": "ftm-push",

    "session": "480dccc0f6bf4ed69ba484320ef92781",

    "status": "pending"

    }

    Check for FTM-PUSH approval:

    curl -k -v -X GET \

    'https://[FortiAuthenticator_IP]/api/v1/pushpoll/?s=480dccc0f6bf4ed69ba484320ef92781' \

    -H 'Content-Type: application/json' \

    Response if status is 'pending':

    {

    "challenge": "otp",

    "method": "ftm-push",

    "session": "480dccc0f6bf4ed69ba484320ef92781",

    "status": "pending"

    }

    Response if status is 'success' (The push request was approved):

    {

    "challenge": "otp",

    "challenge_response": "3njPWHp6LgXtRwwXabEN",

    "method": "ftm-push",

    "session": "480dccc0f6bf4ed69ba484320ef92781",

    "status": "success"

    }

    Use the successful push session code to get a token:

    curl -k -v -X POST \

    https://[FAC_IP]/api/v1/oauth/token/ \

    -H 'Content-Type: application/json' \

    -d '{

    "username": "luser1",

    "password": "12345678",

    "client_id": "client_id",

    "grant_type": "password",

    "challenge": "otp",

    "challenge_response": "3njPWHp6LgXtRwwXabEN",

    "method": "ftm-push",

    "session": "480dccc0f6bf4ed69ba484320ef92781"

    }'

    Response:

    {

    "access_token": "c1t2I989RnZCn7xFNsDGLtGShdeSL6",

    "expires_in": 36000,

    "refresh_token": "nP0Fq74huju4gDLCR5jXHSxerDAXD3",

    "scope": "read",

    "status": "success",

    "token_type": "Bearer"

    }

    Previous
    Next