

This is the reference document for the REST API and resources provided by SecurityCenter. The REST APIs are for developers who want to integrate SecurityCenter with other standalone or web applications, and administrators who want to script interactions with the SecurityCenter server. For more information about a particular endpoint, click on its name in the navigation bar. You’ll be taken to the endpoint’s documentation page, which includes what query parameters the endpoint will accept, what the JSON object’s parameters will be in the response, and an example query/response.

Please note that whenever Tenable extends the protocol or implementation, we may not be able to maintain backward compatibility; consequently, some APIs will change in either structure or functionality. Therefore, this document comes with NO GUARANTEE OF FUTURE COMPATIBILITY. Additionally, since these APIs are used for customizations, Tenable cannot support customers with their specific implementations. If you require assistance with design or implementation, please contact your account manager for information on how Tenable Professional Services can provide assistance.

If you are interested in using the API to provide a joint solution for customers, please consider becoming a Tenable Alliance Partner; you can find details at

Getting Started

Because the REST API is based on open standards, you can use any web development language to access the API.

Structure of the REST URIs

SecurityCenter's REST APIs provide access to resources (data entities) via URI paths. To use a REST API, your application will make an HTTP request and parse the response. The SecurityCenter REST API uses JSON as its communication format, and the standard HTTP methods like GET, PUT, POST and DELETE (see API descriptions below for which methods are available for each resource). URIs for SecurityCenter's REST API resources have the following structure:



Most SecurityCenter API REST calls require authentication. A successful call to /token POST will return two comma-delimited tokens and session cookies, the second of which needs to be included with subsequent requests.

The token should be included as an HTTP header field with name 'X-SecurityCenter' and value of '<token>' where <token> is the returned value from the /token POST call. A 'Content-Type' header field should be set to 'application/json' and the cookie should also be set to the second comma-delimited value (starting with TNS_SESSIONID) returned from /token POST.
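The header handling described above, as an added example (not Tenable's code): it picks the second TNS_SESSIONID out of a comma-delimited Set-Cookie value, builds the three request headers, refuses to send them over plain HTTP, and masks them for logging. The response.token location in the JSON body, the 'application/json' content type, the host name and the /placeholder path are assumptions, and the sample values are constructed.

```python
import json
import re
import urllib.request

# Split a folded Set-Cookie value only on commas that begin a new "name=value"
# pair, so the comma inside an Expires date does not cut a cookie in half.
_COOKIE_SPLIT = re.compile(r",\s*(?=[^;,=\s]+=)")

def session_cookie(set_cookie: str) -> str:
    """Return the second TNS_SESSIONID pair from a comma-delimited Set-Cookie value."""
    pairs = [c.split(";", 1)[0].strip() for c in _COOKIE_SPLIT.split(set_cookie)]
    sessions = [p for p in pairs if p.startswith("TNS_SESSIONID=")]
    if len(sessions) < 2:
        raise ValueError("expected two TNS_SESSIONID values from /token POST")
    return sessions[1]

def auth_headers(token_body: str, set_cookie: str) -> dict:
    """Build the headers every authenticated request must carry."""
    # Assumption: the token is found at response.token in the JSON body.
    token = json.loads(token_body)["response"]["token"]
    return {
        "X-SecurityCenter": str(token),
        "Content-Type": "application/json",
        "Cookie": session_cookie(set_cookie),
    }

def authed_request(base_url: str, path: str, headers: dict) -> urllib.request.Request:
    """Prepare (not send) a GET; reject plain HTTP so the session never travels in clear."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("session token must only be sent over HTTPS")
    return urllib.request.Request(base_url.rstrip("/") + path, headers=headers, method="GET")

def redacted(headers: dict) -> dict:
    """Copy of the headers that is safe to write to logs."""
    secret = {"X-SecurityCenter", "Cookie"}
    return {k: ("<redacted>" if k in secret else v) for k, v in headers.items()}

# Constructed sample data, not captured from a real server.
SAMPLE_BODY = '{"response": {"token": 1234567890}}'
SAMPLE_SET_COOKIE = (
    "TNS_SESSIONID=aaaa1111; path=/; secure; HttpOnly, "
    "TNS_SESSIONID=bbbb2222; expires=Wed, 01 Jan 2031 00:00:00 GMT; path=/; secure; HttpOnly"
)

if __name__ == "__main__":
    hdrs = auth_headers(SAMPLE_BODY, SAMPLE_SET_COOKIE)
    req = authed_request("https://sc.example.com", "/placeholder", hdrs)  # hypothetical host/path
    print(req.full_url, redacted(hdrs))
```

Both the token and the TNS_SESSIONID cookie are bearer credentials for the session, so scripts should log only the output of redacted().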

Copyright © 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc. SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.