API Token
API tokens provide a more secure way to execute public REST API calls compared to using passwords. This feature was introduced in version 7.5.0 with support for the Refresh Token grant. The current release adds support for the simpler Client Credentials grant, allowing callers to obtain an access token directly using a Client ID and Client Secret.
To use this feature, ensure that your role has the appropriate OAuth Token permissions. Refer to the section below for details on permissions required for creating API tokens and managing API token privileges.
For backward compatibility, public REST API calls can still be made using a username and password. However, this method may be deprecated in a future release.
Permissions for Creating API Token
Please note the following:
- Only Full Admin users within each organization have built-in permission to create API tokens.
- Full Admin users can grant other users permission to create API tokens by enabling OAuth Tokens in the user's role profile.
- Super/Global users cannot create API tokens for an organization by switching organizations. You must log in as a user belonging to the target organization to create an API token for that organization.
API Token Privileges
API calls executed using a token inherit the same privileges as the user who created the token. For example:
- Tokens created by a Network Admin user can access only network devices and related logs.
- Tokens created by a Full Admin user can access all logs.
- A token created by an Org1 Full Admin user can access Org1 logs.
- A token created by a Super/Global Full Admin user can access logs belonging to all Organizations.
Creating/Editing API Token
If your FortiSIEM Role has permission to create API Token, then take the following steps:
- Navigate to Admin > Settings > System > API Token.
- Click + to create a new token. To edit an existing token, select it, then click the Edit icon.
- In the Name field, enter or edit the token name.
- From Access Token Expiry, configure the token expiration time period.
- From Client Secret Expiry, configure the client secret expiration time period.
- Click Save. If you are creating a new API Token, the Client ID and Client Secret are displayed. Click Copy All to record this information, then paste it in a secure location.
- If creating a new API Token, click Close when done, then click Yes to confirm.
Using Token in Public REST API
The overall flow is as follows; see FNDN for API details.
Step 1: Get Access Token using Client ID and Client Secret
GET /phoenix/rest/pub/security/oauth/token
Request body parameters:
- grant_type (set to client_credentials)
- client_id
- client_secret
Response looks like this:
{
"access_token": "abc123",
"token_type": "Bearer",
"expires_in": 3600
}
Step 2: Use Access Token in API Calls
Input URL: GET /phoenix/rest/context/user?value=admin
Input Credentials: Bearer <access_token>
Step 3: Access Token Expired or Lost
If Access Token is expired, or Access Token is lost but Client Secret has not expired, then get a new Access Token using the API in Step 1. You can always get a new Access Token until Client Secret is expired.
Step 4: Client Secret is Expired
If Client Secret has expired, then you need to get a new (Client ID, Client Secret) pair and then use it to get a new Access Token.
Viewing API Token Table
Use the API Token table to view existing API Tokens. Use the Search... field to locate tokens by Token Name and Owner. To change the table column headings, click the Column drop-down, then select or clear the check box for any column heading you wish to include in or remove from the table.
| Heading | Description |
|---|---|
| Token Name | The name of the token. |
| Organization | The Organization under which the token was created. |
| Owner | The user that created the token. |
| Client ID | The Client ID associated with the token. |
| Client Secret Expiry | The Client Secret expiration date. |
| Status | The current token status. |
Reset Client Secret / Revoke Token
You can manually reset a Client Secret. FortiSIEM will issue a new Client Secret. You can use this Client Secret to get an Access Token.
You can revoke a token. In that case, the access token currently in use becomes invalid immediately. A new Access Token must be obtained using the /phoenix/rest/pub/security/oauth/token API.
Follow these steps:
- Navigate to Admin > Settings > System > API Token.
- Select the API Token you wish to take the action on.
- Select the action you wish to execute (Reset Secret, Revoke Token).
- Click Yes to confirm.
- Record any information if needed, then click Close when done for resetting a secret or reissuing a token.
Deleting API Token
To delete an API Token, select it, then click the Delete icon.
Examples using OAuth Token in Public REST API Calls
- Get user (admin) context: GET API
  Input URL: https://<FortiSIEM-IP>/phoenix/rest/context/user?value=admin
  Input Credentials: Bearer <token>
  Response Status: Success (Status code: 200)
  Response example:
{"contexts":[{"parameter":"user","value":"admin","location":{"latitude":0.0,"longitude":0.0},"userInfo":{"groups":["FortiSIEM Users"]},"incidents":[{"incidentId":7,"ruleName":"FortiSIEM User Created","incidentTitle":"admin created FortiSIEM user auto-user on super19867.fortinet.com","firstSeenTime":"11/04/2025 07:59:45 PST","lastSeenTime":"11/04/2025 07:59:45 PST","severityCat":"MEDIUM"},{"incidentId":8,"ruleName":"FortiSIEM User Created","incidentTitle":"admin created FortiSIEM user team_queue_auto-team on super19867.fortinet.com","firstSeenTime":"11/04/2025 08:00:00 PST","lastSeenTime":"11/04/2025 08:00:00 PST","severityCat":"MEDIUM"}],"topEventTypes":[{"eventType":"Generic_Unix_Successful_Switch_User","eventName":"Successful privilege escalation","count":100}],"risk":{"score":35.80429,"explanation":{"name":"FortiSIEM User Created","incidentId":"7,8","severity":7,"rarity":0.7071067811865476,"count":"1,1"}}}]}
- Update incident status: POST API
  Input URL: https://<FortiSIEM-IP>/phoenix/rest/pub/incident/update/{incidentId}
  Input Credentials: Bearer <token>
  Request Body: Content-Type: application/json
  Request Body example:
  {"incidentStatus": {incidentStatus}}
  Response Status: Success (Status code: 200)
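The token flow in Steps 1 through 4 and the two example calls above, carried through as a small client, as an added illustration rather than FortiSIEM's own client library. The endpoint paths, the grant_type value, the Bearer header, the token response fields and the JSON request body for the incident update come from this page; the class and function names, the injectable transport (so the flow can be exercised offline), the 60-second refresh margin, the single retry on HTTP 401, and treating any non-200 reply from the token endpoint as rejected client credentials are assumptions made here. The page lists the token call as GET with a request body, and that is what is sent; confirm the method against FNDN.

```python
"""Client Credentials flow against the FortiSIEM public REST API.

Added example, not FortiSIEM's own client library. Endpoint paths, the
grant_type value, the Bearer header and the token response fields come from
the documentation; class/function names, the transport hook, the refresh
margin and the 401-retry policy are assumptions made in this example.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/phoenix/rest/pub/security/oauth/token"
REFRESH_MARGIN_S = 60  # assumed: renew shortly before expires_in elapses


class CredentialsRejected(Exception):
    """The token endpoint refused the Client ID / Client Secret pair. Per
    Step 4, an expired Client Secret means a new pair must be issued in the
    GUI; retrying the token call cannot fix it."""


class FortiSIEMClient:
    def __init__(self, base_url, client_id, client_secret,
                 transport=None, clock=time.time):
        self.base_url = base_url.rstrip("/")
        self.client_id = client_id
        self.client_secret = client_secret
        # transport(method, url, headers, body) -> (status, bytes)
        self._send = transport or self._urllib_send
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    @staticmethod
    def _urllib_send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()

    def _fetch_token(self):
        """Step 1: exchange Client ID + Client Secret for an Access Token.
        Sent as GET with a form body, as the documentation lists it."""
        form = urllib.parse.urlencode({
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        }).encode()
        status, payload = self._send(
            "GET", self.base_url + TOKEN_PATH,
            {"Content-Type": "application/x-www-form-urlencoded",
             "Accept": "application/json"}, form)
        if status != 200:
            # Assumed: any rejection here is handled as Step 4 (new pair needed).
            raise CredentialsRejected(f"token endpoint returned HTTP {status}")
        data = json.loads(payload)
        if data.get("token_type", "Bearer").lower() != "bearer":
            raise RuntimeError("unexpected token_type " + str(data.get("token_type")))
        self._token = data["access_token"]
        self._expires_at = self._clock() + int(data["expires_in"]) - REFRESH_MARGIN_S
        return self._token

    def _bearer(self):
        """Step 3: reuse the cached token until it is about to expire."""
        if self._token is None or self._clock() >= self._expires_at:
            self._fetch_token()
        return "Bearer " + self._token

    def _call(self, method, path, params=None, body_obj=None):
        """Step 2: authenticated call. One retry with a fresh token on 401,
        which covers both an expired token and one revoked from the GUI."""
        url = self.base_url + path
        if params:
            url += "?" + urllib.parse.urlencode(params)
        body = None if body_obj is None else json.dumps(body_obj).encode()
        for attempt in (1, 2):
            headers = {"Authorization": self._bearer(), "Accept": "application/json"}
            if body is not None:
                headers["Content-Type"] = "application/json"
            status, payload = self._send(method, url, headers, body)
            if status == 401 and attempt == 1:
                self._token = None  # force a new Step 1 round trip
                continue
            if status != 200:
                raise RuntimeError(f"{method} {path} returned HTTP {status}")
            return json.loads(payload) if payload else None

    def get_user_context(self, username):
        return self._call("GET", "/phoenix/rest/context/user", {"value": username})

    def update_incident_status(self, incident_id, incident_status):
        # incident_status is passed through as the API expects it (see FNDN)
        return self._call("POST", f"/phoenix/rest/pub/incident/update/{int(incident_id)}",
                          body_obj={"incidentStatus": incident_status})


if __name__ == "__main__":
    import os
    client = FortiSIEMClient(os.environ["FSM_URL"], os.environ["FSM_CLIENT_ID"],
                             os.environ["FSM_CLIENT_SECRET"])
    print(client.get_user_context("admin"))
```

The Client Secret is read from the environment rather than written into the script, and the token endpoint is only ever called over the base URL you give it, so use https. A 401 on an API call is retried exactly once with a freshly fetched token; if the token endpoint itself refuses the pair, the client raises CredentialsRejected so the caller knows to obtain a new Client ID and Client Secret in the GUI instead of looping on the token call.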
MCP Service
The Model Context Protocol (MCP) is an open-source standard that enables AI models to securely connect to external tools, data sources, and software systems. For more information about MCP, see Anthropic's Model Context Protocol documentation.
Starting in 7.5.1, FortiSIEM introduces an MCP service that enables customers to build their own AI Agents by accessing information stored in the FortiSIEM CMDB, including devices, users, and incidents, as well as the FortiSIEM event database hosted on ClickHouse.
AI agents can connect to https://{Supervisor}/phoenix/mcp over port 443 by using an API token obtained through the FortiSIEM GUI.
The following MCP tools are available for AI Agents to use. An AI Agent uses an LLM to determine the appropriate MCP tool for answering the user's request.
- append_incident_comment_by_id
- clear_incident_by_id
- get_context_by_entity
- get_incident_by_id
- get_incidents_by_entity
- get_iocs_by_incident_ids
- get_related_incidents_by_id
- get_top_10_risky_devices_incidents
- get_top_10_risky_users_incidents
- get_trigger_events_by_incident_id
- query_fsm_clickhouse
- query_fsm_clickhouse_prompts
- query_fsm_postgres
- query_fsm_postgres_prompts
- update_incident_resolution_by_id
- update_incident_severity_by_id