API Key Authorization

Note: API key authorization requires Tenable.sc 5.13.x or later. For earlier versions of Tenable.sc, use the authentication token as described in Token in the Tenable.sc API Guide.

You can generate a unique set of API keys for each user account. These keys allow your application to authenticate to the Tenable.sc API without a user authentication token.

To authorize your application to use the Tenable.sc API, you must include the x-apikey header element in your HTTP request messages.

Before submitting a request, configure the user account you want to use to submit the requests, as follows:

  • Enable API key authentication, as described in Enable API Key Authentication in the Tenable.sc User Guide.
  • Generate API keys for a user with sufficient permissions for your request, as described in Generate API Keys in the Tenable.sc User Guide.

For more information about Tenable.sc API keys, see API Key Authentication in the Tenable.sc User Guide.

x-apikey Header Element

The x-apikey header element has the following format:

x-apikey: accesskey=ACCESS_KEY; secretkey=SECRET_KEY;

The ACCESS_KEY and SECRET_KEY parameters correspond to the API keys that Tenable.sc generates for each system user. For more information, see Generate API Keys in the Tenable.sc User Guide.

Example HTTP Request

curl -X GET -k --header "x-apikey: accesskey=4def6bc216f14c1ab86dfba8738ff4a5; secretkey=a47d1d3a071443449a75821129526b96" https://Tenable.sc/rest/currentUser

Error States

Code Status Description
400 Bad Request Returned if your request specified both an authentication token and API keys.
400 Bad Request Returned if your request specified API keys, but API key authentication is disabled for your Tenable.sc. For more information, see Enable API Key Authentication in the Tenable.sc User Guide.
400 Bad Request Returned if your request specified invalid API keys. API keys are invalid if they meet any of the following criteria:

  • The access key and secret key do not have a combined length of 64 characters.
  • The access key does not exist in the Tenable.sc database (for example, the access key has been deleted).
  • The user associated with the API key is locked from exceeding the maximum number of login attempts.
  • The user associated with the API key has insufficient permissions for the request.
  • The secret key does not match the specified access key.

400 Bad Request Returned if Tenable.sc encounters any database errors during the API key recognition process.

Note: If you encounter this error, resubmit your request. If the error does not resolve on resubmit, contact Tenable Support.
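
The following client-side sketch is an added example, not code from Tenable or from this guide. It builds the x-apikey header in the format shown above and rejects, before any request is sent, two of the conditions that the Error States table says produce a 400 response. The environment variable names (SC_URL, SC_ACCESS_KEY, SC_SECRET_KEY) and the token header name in TOKEN_HEADER are assumptions that do not appear on this page.

```python
import os
import urllib.request

# Assumption: header name used for token authentication; it is not stated on this page.
TOKEN_HEADER = "x-securitycenter"


def build_apikey_header(access_key: str, secret_key: str) -> str:
    """Return the x-apikey header value in the documented format."""
    for name, key in (("access key", access_key), ("secret key", secret_key)):
        # Reject characters that would break the "k=v; k=v;" syntax or allow
        # header injection (CR/LF) if a key is loaded from an untrusted source.
        if not key or any(c in key for c in ";=\r\n "):
            raise ValueError(f"{name} is empty or contains a delimiter")
    # Invalid-key condition from the table: combined length other than 64.
    if len(access_key) + len(secret_key) != 64:
        raise ValueError("access key and secret key must total 64 characters")
    return f"accesskey={access_key}; secretkey={secret_key};"


def build_request(base_url, path, access_key, secret_key, extra_headers=None):
    """Build (but do not send) a GET request authenticated with API keys."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send API keys over a non-HTTPS URL")
    headers = dict(extra_headers or {})
    # The server answers 400 when a token and API keys are both present.
    if any(h.lower() == TOKEN_HEADER for h in headers):
        raise ValueError("request already carries an authentication token")
    headers["x-apikey"] = build_apikey_header(access_key, secret_key)
    return urllib.request.Request(base_url.rstrip("/") + path, headers=headers, method="GET")


if __name__ == "__main__":
    # Keys come from the environment, so they stay out of shell history and argv.
    req = build_request(os.environ["SC_URL"], "/rest/currentUser",
                        os.environ["SC_ACCESS_KEY"], os.environ["SC_SECRET_KEY"])
    # urlopen verifies the server certificate by default, unlike curl with -k.
    with urllib.request.urlopen(req, timeout=30) as resp:
        print(resp.status, resp.read(200))
```

The remaining invalid-key conditions (deleted key, locked user, insufficient permissions, mismatched secret) can only be detected by Tenable.sc and still surface as a 400 response.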