Tenable.sc API: Overview


This is the reference document for the REST API and resources provided by Tenable.sc (formerly SecurityCenter). The REST APIs are for developers who want to integrate Tenable.sc with other standalone or web applications, and administrators who want to script interactions with the Tenable.sc server. For more information about a particular endpoint, click on its namein the navigation bar. You’ll be taken to the endpoint’s documentation page, which includes what query parameters the endpoint will accept, what the JSON object’s parameters will be in the response, and an example query/response.

Please note that whenever Tenable extends the protocol or implementation, we may not be able to maintain backward compatibility; consequently, some APIs will change in either structure or functionality. Therefore, this document comes with NO GUARANTEE OF FUTURE COMPATIBILITY. Additionally, since these APIs are used for customizations, Tenable cannot support customers with their specific implementations. If you require assistance with design or implementation, please contact your account manager for information on how Tenable Professional Services can provide assistance.

If you are interested in using the API to provide a joint solution for customers, please consider becoming a Tenable Alliance Partner; you can find details at www.tenable.com/partners.

Getting Started

Because the REST API is based on open standards, you can use any web development language to access the API.

Structure of the REST URIs

Tenable.sc REST APIs provide access to resources (data entities) via URI paths. To use a REST API, your application will make an HTTP request and parse the response. The Tenable.sc REST API uses JSON as its communication format, and the standard HTTP methods like GET, PUT, POST and DELETE (see API descriptions below for which methods are available for each resource).

URIs for SecurityCenter's REST API resource have the following structure:


Return all available objects of type resource. All non-expansion fields are included:


Return object with ID. All non-expansion fields are included:


Appended to GET requests, reply should only include the listed fields:


Return all editable fields for requested object:


Appended to GET requests, reply should include requested expansion data, in addition to normally returned data:


Possible expansion data includes shares for shareable objects, IP data for assets, i.e. data that is not normally needed.


Most Tenable.sc API REST calls require authentication. A successful call to /token POST will return the token and session cookie to be included with subsequent requests. The token should be included as an HTTP header field with name 'X-SecurityCenter' and value of '<token>' where <token> is the returned value from the /token POST call. A 'Content-Type' header field should be set to 'application/json' and the cookie should also be set to the one returned from /token POST.