Tenable Security Center API: Overview

This is the reference document for the REST API and resources provided by Tenable.sc (formerly SecurityCenter). The REST APIs are for developers who want to integrate Tenable.sc with other standalone or web applications, and administrators who want to script interactions with the Tenable.sc server. For more information about a particular endpoint, click on its namein the navigation bar. You’ll be taken to the endpoint’s documentation page, which includes what query parameters the endpoint will accept, what the JSON object’s parameters will be in the response, and an example query/response.

Please note that whenever Tenable extends the protocol or implementation, we may not be able to maintain backward compatibility; consequently, some APIs will change in either structure or functionality. Therefore, this document comes with NO GUARANTEE OF FUTURE COMPATIBILITY. Additionally, since these APIs are used for customizations, Tenable cannot support customers with their specific implementations. If you require assistance with design or implementation, please contact your account manager for information on how Tenable Professional Services can provide assistance.

If you are interested in using the API to provide a joint solution for customers, please consider becoming a Tenable Alliance Partner; you can find details at www.tenable.com/partners.

Getting Started

Because the REST API is based on open standards, you can use any web development language to access the API.

Structure of the REST URIs

Tenable.sc REST APIs provide access to resources (data entities) via URI paths. To use a REST API, your application will make an HTTP request and parse the response. The Tenable.sc REST API uses JSON as its communication format, and the standard HTTP methods like GET, PUT, POST and DELETE (see API descriptions below for which methods are available for each resource).

URIs for SecurityCenter's REST API resource have the following structure:


Return all available objects of type resource. All non-expansion fields are included:


Return object with ID. All non-expansion fields are included:


Appended to GET requests, reply should only include the listed fields:


Return all editable fields for requested object:


Appended to GET requests, reply should include requested expansion data, in addition to normally returned data:


Possible expansion data includes shares for shareable objects, IP data for assets, i.e. data that is not normally needed.


Most Tenable.sc API REST calls require authentication via a unique set of API keys. The 'x-apikey' header element is used to pass your API keys in HTTP request messages.

The 'x-apikey' header element has the following format, where the 'ACCESS_KEY' and 'SECRET_KEY' parameters correspond to the API keys that Tenable.sc generates for each system user:

x-apikey: accesskey=ACCESS_KEY; secretkey=SECRET_KEY;

For more information about API key authorization, see API Key Authorization in the Tenable.sc API Best Practices Guide.