FortiCASB APIs

FortiCASB service endpoints support HTTP requests through REST APIs. This section contains documentation for the FortiCASB REST API service endpoints. FortiCASB provides one endpoint with a single authentication token to simplify the developer experience: all service endpoints can be accessed through a single access/bearer token. The HTTP requests provide access to valuable FortiCASB cloud resources. All FortiCASB REST APIs, such as GET, POST, etc., require the access/bearer token when assembling HTTPS requests.

Request Authorization Methods

There are 3 methods of acquiring the access/bearer token from FortiCASB to assemble a REST API request to access FortiCASB resources.

1. Client Credential

A client credential can be used to generate an access/bearer token to form request headers. First, log into FortiCASB and generate a FortiCASB credential by following the guide in Generate Credential. This is a one-time process, and only one credential is necessary to generate access/bearer tokens.

After you have acquired a client credential, it can be used permanently to assemble the request header to obtain an access/bearer token as long as the client credential is not revoked.

Follow the example in Get Credentials Token to use the client credential to assemble an HTTPS POST request header and acquire an access/bearer token.

2. Username and Password

Another method of acquiring an access/bearer token is through your FortiCASB account username and password. Follow the example in Get Authorization Token to assemble an HTTPS POST request header and acquire an access/bearer token using your username and password.

3. Refresh Token

Using a refresh token requires one of the two methods above. Once you get the response through client credential or username/password, you may use the refresh token in the response body to acquire more bearer tokens without using the client credential or username/password. Follow the example in Get Refresh Token to generate an access/bearer token using the refresh token. The refresh token expires 8 hours after it is generated.

Fabricate Request Header and Body

After acquiring the access/bearer token, use it to assemble a REST API request. Like all other REST API requests, FortiCASB requests operate through a secured channel: a URI request over the HTTPS protocol. The details of the request parameters are determined by the specific REST API specification.

Look at each REST API specification to determine what additional fields are necessary to fulfill the request. The request body is optional; depending on the API specification, some parameters may be required and others optional.

Send Request

There are 5 request headers that are often used in FortiCASB REST API requests. The first 3 are default request headers.

| Request Header | Description |
|---|---|
| Host | The domain name of the REST service endpoint or the IP address |
| Authorization | Access/bearer token generated earlier through one of the get token methods |
| Content-Type | This default header is set as "application/json" |
| Company ID | The company ID of the company which the username or the credential is originated from. Company ID can be obtained from Get Resource Map. |
| Business Unit ID | Business unit ID is the ID of the business unit which the user is entitled to access. Business unit ID can be obtained through . Alternatively, it can also be obtained from the REST API Get Resource Map |

When you have assembled the request header and body, the request is ready to be sent to the REST endpoint. Here is a GET request example in HTTPS:

GET /api/v1/country/list? HTTP/1.1
Host: www.forticasb.com
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzY29wZSI6IkFQSSIsImlzcyI6ImZhdXRoLXNlcnZlciIsImhvc3QiOlsiRkNXUCJdLCJleHAiOjE1ODY5MTUxNjQsImFpZCI6InFhLmNhc2IxQGdtYWlsLmNvbSJ9.Hh2yVHEEd73BJ31rEjB2C-iclodmMigEPIwtuRwCObo
Content-Type: application/json

REST API Response

After you send the request to the FortiCASB service endpoint, you will receive a response header and a response body. The above request calls for the list of countries, and here is part of the response in JSON format:

[
  {
    "id":"US",
    "country":"United States of America"
  }
]
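The request assembly described under Send Request, as an added example that is not part of the Fortinet documentation: it builds the three default headers, refuses to attach the bearer token to a non-HTTPS URL, and masks the token before headers are logged. The helper names `build_request` and `loggable_headers` are hypothetical, and the exact names of the company ID and business unit ID headers must come from the API specification.

```python
import urllib.request
from urllib.parse import urlsplit

DEFAULT_CONTENT_TYPE = "application/json"  # default header per the table above


def build_request(url, bearer_token, extra_headers=None, method="GET"):
    """Assemble (but do not send) a FortiCASB REST request.

    extra_headers carries API-specific headers such as the company ID or
    business unit ID; their names are not assumed here.
    """
    parts = urlsplit(url)
    # The bearer token is a credential: never let it travel over cleartext HTTP.
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("refusing to attach a bearer token to a non-HTTPS URL")
    # Reject empty tokens and tokens that could split or corrupt the header.
    if not bearer_token or any(c.isspace() for c in bearer_token):
        raise ValueError("bearer token is empty or contains whitespace")
    host = parts.hostname if parts.port is None else f"{parts.hostname}:{parts.port}"
    headers = {
        "Host": host,
        "Authorization": f"Bearer {bearer_token}",
        "Content-Type": DEFAULT_CONTENT_TYPE,
    }
    headers.update(extra_headers or {})
    return urllib.request.Request(url, headers=headers, method=method)


def loggable_headers(request):
    """Return a copy of the request headers that is safe to write to logs."""
    safe = dict(request.header_items())
    if "Authorization" in safe:
        safe["Authorization"] = "Bearer <redacted>"
    return safe
```

Pass the returned object to `urllib.request.urlopen` to send it; note that `urllib` normalizes header names, so `Content-Type` is stored as `Content-type`.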

API Throttling

API throttling refers to the limit that FortiCASB sets on the number of requests in a given period of time, to prevent an application from sending too many requests. The FortiCASB API throttling limit is 100 TPM (times per minute), meaning there can be 100 requests in one minute.
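One way for a client to stay under the 100 TPM limit, as an added example that is not part of the Fortinet documentation: a sliding-window limiter that pauses the caller before the 101st request in any 60-second span. The class name `MinuteThrottle` and the `simulate_burst` demo, which runs on a constructed fake clock, are hypothetical.

```python
import time
from collections import deque


class MinuteThrottle:
    """Client-side sliding-window limiter for the 100 requests/minute limit."""

    def __init__(self, limit=100, window=60.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._sent = deque()  # timestamps of requests still inside the window

    def delay_needed(self):
        """Seconds to wait before another request fits (0.0 if it fits now)."""
        now = self.clock()
        # Drop timestamps that have aged out of the window.
        while self._sent and now - self._sent[0] >= self.window:
            self._sent.popleft()
        if len(self._sent) < self.limit:
            return 0.0
        return self._sent[0] + self.window - now

    def acquire(self, sleep=time.sleep):
        """Block until a slot is free, record the request, return seconds waited."""
        waited = 0.0
        while (wait := self.delay_needed()) > 0:
            sleep(wait)
            waited += wait
        self._sent.append(self.clock())
        return waited


def simulate_burst(n_requests, spacing=0.5):
    """Constructed demo: issue n_requests `spacing` seconds apart on a fake
    clock and return the total time the limiter made the caller pause."""
    t = [0.0]
    throttle = MinuteThrottle(clock=lambda: t[0])

    def fake_sleep(seconds):
        t[0] += seconds

    waited = 0.0
    for _ in range(n_requests):
        waited += throttle.acquire(sleep=fake_sleep)
        t[0] += spacing
    return waited
```

Call `throttle.acquire()` immediately before each API request; sharing one `MinuteThrottle` across all callers that use the same token keeps their combined rate under the limit.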
