SecurityCenter API: Overview

This is the reference document for the REST API and resources provided by SecurityCenter. The REST APIs are for developers who want to integrate SecurityCenter with other standalone or web applications, and for administrators who want to script interactions with the SecurityCenter server. For more information about a particular endpoint, click on its name in the navigation bar. You’ll be taken to the endpoint’s documentation page, which lists the query parameters the endpoint accepts, the parameters of the JSON object in the response, and an example query/response.

Please note that whenever Tenable extends the protocol or implementation, we may not be able to maintain backward compatibility; consequently, some APIs will change in either structure or functionality. Therefore, this document comes with NO GUARANTEE OF FUTURE COMPATIBILITY. Additionally, since these APIs are used for customizations, Tenable cannot support customers with their specific implementations. If you require assistance with design or implementation, please contact your account manager for information on how Tenable Professional Services can provide assistance.

If you are interested in using the API to provide a joint solution for customers, please consider becoming a Tenable Alliance Partner; you can find details at

Getting Started

Because the REST API is based on open standards, you can use any web development language to access the API.

Structure of the REST URIs

SecurityCenter's REST APIs provide access to resources (data entities) via URI paths. To use a REST API, your application will make an HTTP request and parse the response. The SecurityCenter REST API uses JSON as its communication format, and the standard HTTP methods like GET, PUT, POST and DELETE (see API descriptions below for which methods are available for each resource). URIs for SecurityCenter's REST API resources have the following structure:



Most SecurityCenter API REST calls require authentication. A successful call to /token POST will return the token and session cookie to be included with subsequent requests. The token should be sent as an HTTP header field named 'X-SecurityCenter' with the value '<token>', where <token> is the value returned from the /token POST call. A 'Content-Type' header field should be set to 'application/json', and the cookie should be set to the one returned from /token POST.
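The authentication flow described above, as an added Python example (not Tenable's code). It assumes the credentials are posted as a JSON object with username and password fields and that the token comes back at response.token; the loopback stub server, the /probe path and every sample value are constructed so the exchange runs offline.

```python
import json, threading, urllib.request
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer

class StubServer(BaseHTTPRequestHandler):
    """Constructed loopback stand-in for the server, so the example runs offline."""
    def _reply(self, code, body, cookie=None):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        if cookie:
            self.send_header("Set-Cookie", cookie)
        self.end_headers()
        self.wfile.write(data)
    def do_POST(self):  # /token POST: issue a token and a session cookie
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self._reply(200, {"response": {"token": 12345}}, "SESSION=constructed; Path=/")
    def do_GET(self):  # every other call needs both the token header and the cookie
        ok = (self.headers.get("X-SecurityCenter") == "12345"
              and "SESSION=constructed" in self.headers.get("Cookie", ""))
        self._reply(200 if ok else 403, {"authenticated": ok})
    def log_message(self, *args): pass  # keep the stub quiet

class Client:
    def __init__(self, base_url):
        self.base_url, self.token = base_url, None
        # The cookie jar stores the session cookie from /token POST and replays it.
        handlers = (urllib.request.ProxyHandler({}),
                    urllib.request.HTTPCookieProcessor(CookieJar()))
        self.opener = urllib.request.build_opener(*handlers)
    def call(self, method, path, body=None):
        headers = {"Content-Type": "application/json"}
        if self.token is not None:
            headers["X-SecurityCenter"] = str(self.token)
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data, headers, method=method)
        with self.opener.open(req, timeout=5) as resp:
            return json.load(resp)
    def login(self, credentials):
        # Assumed request and response shape; confirm on the /token endpoint page.
        self.token = self.call("POST", "/token", credentials)["response"]["token"]

def demo():
    server = HTTPServer(("127.0.0.1", 0), StubServer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        client = Client(f"http://127.0.0.1:{server.server_port}")
        client.login({"username": "api-user", "password": "constructed-password"})
        return client.token, client.call("GET", "/probe")  # /probe is hypothetical
    finally:
        server.shutdown()
```

Against a real server, point `Client` at the HTTPS base URL with certificate verification left on, and load the credentials from a secret store rather than source code.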