API Token
Currently, public REST API calls authenticate to FortiSIEM using a username and password. This release introduces more secure OAuth Token based authentication. Instead of creating a username and password, the user creates an OAuth Token in the FortiSIEM GUI and uses that token in the API. Internal REST APIs use OAuth Token, while public REST API calls can use either username and password or OAuth Token for backward compatibility. To use this feature, ensure your role has the OAuth Token Create permission; see Adding a New Role for details. Username and password support for public REST API calls may be deprecated at a future date.
Creating/Editing API Token
You can create/edit an API Token by taking the following steps:
- Navigate to Admin > Settings > System > API Token.
- Click + to create a new token. To edit an existing token, select one, then click Edit.
- In the Name field, enter/edit the token name.
- Click Save.
  The following information is provided if creating a new API Token: Client ID, Client Secret, Access Token, Refresh Token. Click Copy All to record this information, then paste it in a secure location.
- If creating a new API Token, click Close when done, then click Yes to confirm.
Reset Secret / Reissue Token / Revoke
You can perform one of the following actions (reset secret, reissue token, revoke) by taking the following steps:
- Navigate to Admin > Settings > System > API Token.
- Select the API Token you wish to take the action on.
- Select the action you wish to execute (Reset Secret, Reissue Token, Revoke Token).
- Click Yes to confirm.
- Record any information if needed, then click Close when done for resetting a secret or reissuing a token.
Deleting API Token
To delete an API Token, select it, then click the Delete icon.
Viewing API Token Table
Use the API Token table to view existing API Tokens. Use the Search... field to locate token(s) automatically by Token Name and Owner. To change column table headings, click on the Column drop-down, and add/remove the checkmark for any column heading you wish to include/remove from the table.
| Heading | Description |
|---|---|
| Token Name | The name of the token. |
| Organization | The Organization under which the token was created. |
| Owner | The user that created the token. |
| Access Token Expiry | The expiration date and time of the access token. |
| Refresh Token Expiry | The date and time deadline to get a new access token. |
| Client ID | The Client ID associated with the token. |
| Status | The current token status. |
Examples using OAuth Token in Public REST API Calls
- Get user (admin) context - GET API
Input URL: https://<FortiSIEM-IP>/phoenix/rest/context/user?value=admin
Input Credentials: Bearer <token>
Response Status: Success (Status code: 200)
Response example:
{"contexts":[{"parameter":"user","value":"admin","location":{"latitude":0.0,"longitude":0.0},"userInfo":{"groups":["FortiSIEM Users"]},"incidents":[{"incidentId":7,"ruleName":"FortiSIEM User Created","incidentTitle":"admin created FortiSIEM user auto-user on super19867.fortinet.com","firstSeenTime":"11/04/2025 07:59:45 PST","lastSeenTime":"11/04/2025 07:59:45 PST","severityCat":"MEDIUM"},{"incidentId":8,"ruleName":"FortiSIEM User Created","incidentTitle":"admin created FortiSIEM user team_queue_auto-team on super19867.fortinet.com","firstSeenTime":"11/04/2025 08:00:00 PST","lastSeenTime":"11/04/2025 08:00:00 PST","severityCat":"MEDIUM"}],"topEventTypes":[{"eventType":"Generic_Unix_Successful_Switch_User","eventName":"Successful privilege escalation","count":100}],"risk":{"score":35.80429,"explanation":{"name":"FortiSIEM User Created","incidentId":"7,8","severity":7,"rarity":0.7071067811865476,"count":"1,1"}}}]}
- Update incident status - POST API
Input URL: https://<FortiSIEM-IP>/phoenix/rest/pub/incident/update/{incidentId}
Input Credentials: Bearer <token>
Request Body: Content-Type: application/json
Request Body example:
{"incidentStatus": {incidentStatus}}
Response Status: Success (Status code: 200)
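The two calls above, built as a client would build them. This is an added example, not Fortinet code. The function names, the host fortisiem.example.net and the token value are hypothetical, and the incidentStatus value is passed through unchanged because this page does not list valid values.

```python
import json
import urllib.parse
import urllib.request


def bearer_request(url, token, body=None):
    """Build (not send) a request carrying the access token as a Bearer credential."""
    if urllib.parse.urlsplit(url).scheme != "https":
        raise ValueError("refusing to put a bearer token on a non-HTTPS URL")
    if not token or any(c.isspace() for c in token):
        raise ValueError("access token is empty or contains whitespace")
    headers = {"Authorization": "Bearer " + token}
    data = None
    if body is not None:
        data = json.dumps(body).encode("utf-8")
        headers["Content-Type"] = "application/json"
    method = "GET" if body is None else "POST"
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def user_context_request(host, user, token):
    """GET /phoenix/rest/context/user?value=<user>, with the value URL-encoded."""
    query = urllib.parse.urlencode({"value": user})
    return bearer_request(f"https://{host}/phoenix/rest/context/user?{query}", token)


def incident_update_request(host, incident_id, status, token):
    """POST /phoenix/rest/pub/incident/update/{incidentId}; the id must be an integer."""
    url = f"https://{host}/phoenix/rest/pub/incident/update/{int(incident_id)}"
    # The page does not list valid incidentStatus values; it is passed through as given.
    return bearer_request(url, token, body={"incidentStatus": status})


def call(request, timeout=30):
    """Send with urllib's default TLS certificate verification; return (status, body)."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8")


if __name__ == "__main__":
    # Constructed host and token, for display only; load a real token from a secret
    # store or environment variable, never from source code.
    req = incident_update_request("fortisiem.example.net", 7, 1, "constructed-token")
    print(req.get_method(), req.full_url, req.data.decode())
```

The Authorization header is deliberately left out of the printed output so the token does not end up in terminal history or logs.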