Palo Alto Networks · Authentication Profile
Palo Alto Networks Authentication
Authentication
Palo Alto Networks secures its APIs with apiKey, http, and oauth2 across 13 declared security schemes, as derived from its OpenAPI definitions. OAuth 2.0 is offered via the clientCredentials flow(s).
Cloud SecurityCybersecurityFirewallNetwork SecuritySASESOARThreat IntelligenceXDR
Methods: apiKey, http, oauth2
Schemes: 13
OAuth flows: clientCredentials
API key in: header
Security Schemes
oauth2Bearer http
scheme: bearer
oauth2 oauth2
· flows: clientCredentials
awsSigV4 apiKey
· in: header (Authorization)
xdrAuth apiKey
· in: header (x-xdr-hmac-v2)
dnsApiKey apiKey
· in: header (X-DNS-API-APIKEY)
keyId apiKey
· in: header (X-Key-Id)
accessKey apiKey
· in: header (X-Access-Key)
apiKey apiKey
· in: header (X-PAN-KEY)
apiKeyAuth apiKey
· in: header (x-pan-token)
redlockAuth apiKey
· in: header (x-redlock-auth)
basicAuth http
scheme: basic
authKey http
scheme: Bearer
apiKey apiKey
· in: header (X-API-KEY)
Source
Authentication Profile
generated: '2026-07-11'
method: derived
source: openapi/palo-alto-aiops-ngfw-bpa-api-openapi-original.yml, openapi/palo-alto-autonomous-dem-api-openapi-original.yml,
openapi/palo-alto-cloud-ngfw-api-openapi-original.yml, openapi/palo-alto-cortex-xdr-api-openapi-original.yml,
openapi/palo-alto-cortex-xpanse-api-openapi-original.yml, openapi/palo-alto-cortex-xsiam-api-openapi-original.yml,
openapi/palo-alto-cortex-xsoar-api-openapi-original.yml, openapi/palo-alto-dlp-api-openapi-original.yml,
openapi/palo-alto-dns-security-api-openapi-original.yml, openapi/palo-alto-email-dlp-api-openapi-original.yml,
openapi/palo-alto-iot-security-api-openapi-original.yml, openapi/palo-alto-pan-os-rest-api-openapi-original.yml
...
summary:
types:
- apiKey
- http
- oauth2
api_key_in:
- header
oauth2_flows:
- clientCredentials
schemes:
- name: oauth2Bearer
type: http
scheme: bearer
bearerFormat: JWT
description: OAuth 2.0 Bearer token for SASE platform authentication. Obtain using the client_credentials
grant with your SASE service account client ID and client secret.
sources:
- openapi/palo-alto-aiops-ngfw-bpa-api-openapi-original.yml
- openapi/palo-alto-dlp-api-openapi-original.yml
- openapi/palo-alto-email-dlp-api-openapi-original.yml
- openapi/palo-alto-prisma-access-browser-api-openapi-original.yml
- openapi/palo-alto-prisma-access-insights-api-openapi-original.yml
- openapi/palo-alto-prisma-airs-ai-red-teaming-api-openapi-original.yml
- openapi/palo-alto-prisma-cloud-compute-api-openapi-original.yml
- openapi/palo-alto-prisma-cloud-cspm-api-openapi-original.yml
- openapi/palo-alto-prisma-cloud-dspm-api-openapi-original.yml
- openapi/palo-alto-prisma-cloud-mssp-api-openapi-original.json
- openapi/palo-alto-saas-security-api-openapi-original.yml
- openapi/palo-alto-sase-5g-api-openapi-original.yml
- openapi/palo-alto-sase-aggregate-monitoring-api-openapi-original.yml
- openapi/palo-alto-sase-config-orchestration-api-openapi-original.yml
- openapi/palo-alto-sase-iam-api-openapi-original.yml
- openapi/palo-alto-sase-multitenant-notifications-api-openapi-original.yml
- openapi/palo-alto-sase-subscription-api-openapi-original.yml
- openapi/palo-alto-sase-tenancy-api-openapi-original.yml
- openapi/palo-alto-sspm-api-openapi-original.yml
- openapi/palo-alto-strata-cloud-manager-api-openapi-original.yml
- openapi/palo-alto-strata-logging-service-api-openapi-original.yml
- openapi/palo-alto-ztna-connector-api-openapi-original.yml
- name: oauth2
type: oauth2
flows:
- flow: clientCredentials
tokenUrl: https://auth.apps.paloaltonetworks.com/oauth2/access_token
scopes: 0
description: OAuth 2.0 client credentials flow for obtaining an access token. Requires a client
ID and client secret from the Palo Alto Networks SASE identity provider.
sources:
- openapi/palo-alto-autonomous-dem-api-openapi-original.yml
- openapi/palo-alto-prisma-access-api-openapi-original.yml
- openapi/palo-alto-prisma-sd-wan-api-openapi-original.yml
- name: awsSigV4
type: apiKey
in: header
parameter: Authorization
description: AWS Signature Version 4 (SigV4) signed request. Use an AWS IAM role or user with
CloudNGFW IAM permissions. Sign requests using the service name cloudngfw and the target
AWS region. Include x-amz-date and x-amz-security-token headers as required.
sources:
- openapi/palo-alto-cloud-ngfw-api-openapi-original.yml
- openapi/palo-alto-cortex-xsoar-api-openapi-original.yml
- name: xdrAuth
type: apiKey
in: header
parameter: x-xdr-hmac-v2
description: 'Cortex XDR uses a custom HMAC-SHA256 authentication scheme. Each request requires
four headers: x-xdr-auth-id (API key ID), x-xdr-nonce (64-character random string), x-xdr-timestamp
(Unix epoch milliseconds), and x-xdr-hmac-v2 (SHA-256 hash of apikey + nonce + timestamp).
Generate API keys from Cortex XDR Settings > Configurations > API Keys.'
sources:
- openapi/palo-alto-cortex-xdr-api-openapi-original.yml
- openapi/palo-alto-cortex-xpanse-api-openapi-original.yml
- openapi/palo-alto-cortex-xsiam-api-openapi-original.yml
- name: dnsApiKey
type: apiKey
in: header
parameter: X-DNS-API-APIKEY
description: DNS Security API key. Requires an active DNS Security subscription associated
with a Palo Alto Networks support account. Obtain from the DNS Security portal under API
settings.
sources:
- openapi/palo-alto-dns-security-api-openapi-original.yml
- name: keyId
type: apiKey
in: header
parameter: X-Key-Id
description: IoT Security API key identifier. Generated from the IoT Security portal under
Settings > API Keys.
sources:
- openapi/palo-alto-iot-security-api-openapi-original.yml
- name: accessKey
type: apiKey
in: header
parameter: X-Access-Key
description: IoT Security API access key. Generated alongside the key identifier from the
IoT Security portal.
sources:
- openapi/palo-alto-iot-security-api-openapi-original.yml
- name: apiKey
type: apiKey
in: header
parameter: X-PAN-KEY
description: PAN-OS API key generated via the /api/?type=keygen endpoint or from the web interface
under Device > Administrators. The key is tied to an administrator account and inherits
its role-based permissions.
sources:
- openapi/palo-alto-pan-os-rest-api-openapi-original.yml
- name: apiKeyAuth
type: apiKey
in: header
parameter: x-pan-token
description: API key for authenticating requests to the Prisma AIRS API. Generate keys in
the Palo Alto Networks AI Runtime Security console under Settings > API Keys.
sources:
- openapi/palo-alto-prisma-airs-api-openapi-original.yml
- name: redlockAuth
type: apiKey
in: header
parameter: x-redlock-auth
description: JWT token obtained from the Prisma Cloud /login endpoint. Pass the token value
in the x-redlock-auth header. Tokens are valid for 10 minutes.
sources:
- openapi/palo-alto-prisma-cloud-code-security-api-openapi-original.yml
- name: basicAuth
type: http
scheme: basic
description: HTTP Basic authentication using Prisma Cloud Compute credentials.
sources:
- openapi/palo-alto-prisma-cloud-compute-api-openapi-original.yml
- name: authKey
type: http
scheme: Bearer
sources:
- openapi/palo-alto-sase-multitenant-interconnect-api-openapi-original.yml
- name: apiKey
type: apiKey
in: header
parameter: X-API-KEY
description: Threat Vault API key. Generate your API key from the Palo Alto Networks customer
support portal or the Developer Portal at pan.dev. The API key controls access level and
daily quota limits.
sources:
- openapi/palo-alto-threat-vault-api-openapi-original.yml