Palo Alto Networks · OAuth Scopes

Palo Alto Networks OAuth Scopes

OAuth 2.0 searched

Palo Alto Networks publishes 1 OAuth 2.0 scope via the clientCredentials flow. Scopes are the fine-grained permissions an application requests at authorization time to act against the Palo Alto Networks API on a user’s behalf.

Tokens are issued from https://auth.apps.paloaltonetworks.com/oauth2/access_token.

This index is generated from the provider’s OpenAPI security definitions (and, where available, its documented scope reference) and refreshes on every APIs.io network build. Browse every provider’s scopes at scopes.apis.io.

Cloud SecurityCybersecurityFirewallNetwork SecuritySASESOARThreat IntelligenceXDR
Scopes: 1 Flows: clientCredentials Method: searched

OAuth endpoints

Token URL
https://auth.apps.paloaltonetworks.com/oauth2/access_token
Flows
clientCredentials

Scopes (1)

ScopeDescriptionFlows
tsg_id: Scopes the access token to a single Tenant Service Group (TSG), identified by its 10-digit TSG ID (e.g. scope=tsg_id:1838006364). The service account used to authenticate must belong to the named TSG or an ancestor of it; all API requests made with the token are routed to that tenant. This is the only scope form the Prisma SASE Authentication Service documents.

Source

OAuth Scopes

palo-alto-networks-scopes.yml Raw ↑
generated: '2026-07-11'
method: searched
docs: https://pan.dev/sase/docs/scope/
source: openapi/palo-alto-autonomous-dem-api-openapi-original.yml, openapi/palo-alto-prisma-access-api-openapi-original.yml,
  openapi/palo-alto-prisma-sd-wan-api-openapi-original.yml
schemes:
- name: oauth2
  source: openapi/palo-alto-autonomous-dem-api-openapi-original.yml
  flows:
  - flow: clientCredentials
    tokenUrl: https://auth.apps.paloaltonetworks.com/oauth2/access_token
  description: OAuth 2.0 client credentials flow for obtaining an access token. Requires a client
    ID and client secret from the Palo Alto Networks SASE identity provider.
- name: oauth2
  source: openapi/palo-alto-prisma-access-api-openapi-original.yml
  flows:
  - flow: clientCredentials
    tokenUrl: https://auth.apps.paloaltonetworks.com/oauth2/access_token
  description: OAuth 2.0 client credentials flow for obtaining an access token. Requires a client
    ID and client secret from the Palo Alto Networks SASE identity provider.
- name: oauth2
  source: openapi/palo-alto-prisma-sd-wan-api-openapi-original.yml
  flows:
  - flow: clientCredentials
    tokenUrl: https://auth.apps.paloaltonetworks.com/oauth2/access_token
  description: OAuth 2.0 client credentials flow for obtaining an access token. Requires a client
    ID and client secret from the Palo Alto Networks SASE identity provider.
scopes:
- scope: tsg_id:<TSG_ID>
  description: Scopes the access token to a single Tenant Service Group (TSG), identified by its
    10-digit TSG ID (e.g. scope=tsg_id:1838006364). The service account used to authenticate must
    belong to the named TSG or an ancestor of it; all API requests made with the token are routed
    to that tenant. This is the only scope form the Prisma SASE Authentication Service documents.
  sources:
  - https://pan.dev/sase/docs/scope/
  - https://pan.dev/sase/docs/access-tokens/
note: Prisma SASE OAuth 2.0 (client_credentials) uses the scope field solely to name the target
  Tenant Service Group (tsg_id:<TSG_ID>); there is no catalog of named permission scopes, and API
  permissions are instead governed by IAM roles assigned to the service account
  (https://pan.dev/sase/docs/scope/).