Palo Alto Networks · Authentication Profile

Palo Alto Networks Authentication

Authentication

Palo Alto Networks secures its APIs with apiKey, http, and oauth2 across 13 declared security schemes, as derived from its OpenAPI definitions. OAuth 2.0 is offered via the clientCredentials flow(s).

Cloud SecurityCybersecurityFirewallNetwork SecuritySASESOARThreat IntelligenceXDR
Methods: apiKey, http, oauth2 Schemes: 13 OAuth flows: clientCredentials API key in: header

Security Schemes

oauth2Bearer http
scheme: bearer
oauth2 oauth2
· flows: clientCredentials
awsSigV4 apiKey
· in: header (Authorization)
xdrAuth apiKey
· in: header (x-xdr-hmac-v2)
dnsApiKey apiKey
· in: header (X-DNS-API-APIKEY)
keyId apiKey
· in: header (X-Key-Id)
accessKey apiKey
· in: header (X-Access-Key)
apiKey apiKey
· in: header (X-PAN-KEY)
apiKeyAuth apiKey
· in: header (x-pan-token)
redlockAuth apiKey
· in: header (x-redlock-auth)
basicAuth http
scheme: basic
authKey http
scheme: Bearer
apiKey apiKey
· in: header (X-API-KEY)

Source

Authentication Profile

Raw ↑
generated: '2026-07-11'
method: derived
source: openapi/palo-alto-aiops-ngfw-bpa-api-openapi-original.yml, openapi/palo-alto-autonomous-dem-api-openapi-original.yml,
  openapi/palo-alto-cloud-ngfw-api-openapi-original.yml, openapi/palo-alto-cortex-xdr-api-openapi-original.yml,
  openapi/palo-alto-cortex-xpanse-api-openapi-original.yml, openapi/palo-alto-cortex-xsiam-api-openapi-original.yml,
  openapi/palo-alto-cortex-xsoar-api-openapi-original.yml, openapi/palo-alto-dlp-api-openapi-original.yml,
  openapi/palo-alto-dns-security-api-openapi-original.yml, openapi/palo-alto-email-dlp-api-openapi-original.yml,
  openapi/palo-alto-iot-security-api-openapi-original.yml, openapi/palo-alto-pan-os-rest-api-openapi-original.yml
  ...
summary:
  types:
  - apiKey
  - http
  - oauth2
  api_key_in:
  - header
  oauth2_flows:
  - clientCredentials
schemes:
- name: oauth2Bearer
  type: http
  scheme: bearer
  bearerFormat: JWT
  description: OAuth 2.0 Bearer token for SASE platform authentication. Obtain using the client_credentials
    grant with your SASE service account client ID and client secret.
  sources:
  - openapi/palo-alto-aiops-ngfw-bpa-api-openapi-original.yml
  - openapi/palo-alto-dlp-api-openapi-original.yml
  - openapi/palo-alto-email-dlp-api-openapi-original.yml
  - openapi/palo-alto-prisma-access-browser-api-openapi-original.yml
  - openapi/palo-alto-prisma-access-insights-api-openapi-original.yml
  - openapi/palo-alto-prisma-airs-ai-red-teaming-api-openapi-original.yml
  - openapi/palo-alto-prisma-cloud-compute-api-openapi-original.yml
  - openapi/palo-alto-prisma-cloud-cspm-api-openapi-original.yml
  - openapi/palo-alto-prisma-cloud-dspm-api-openapi-original.yml
  - openapi/palo-alto-prisma-cloud-mssp-api-openapi-original.json
  - openapi/palo-alto-saas-security-api-openapi-original.yml
  - openapi/palo-alto-sase-5g-api-openapi-original.yml
  - openapi/palo-alto-sase-aggregate-monitoring-api-openapi-original.yml
  - openapi/palo-alto-sase-config-orchestration-api-openapi-original.yml
  - openapi/palo-alto-sase-iam-api-openapi-original.yml
  - openapi/palo-alto-sase-multitenant-notifications-api-openapi-original.yml
  - openapi/palo-alto-sase-subscription-api-openapi-original.yml
  - openapi/palo-alto-sase-tenancy-api-openapi-original.yml
  - openapi/palo-alto-sspm-api-openapi-original.yml
  - openapi/palo-alto-strata-cloud-manager-api-openapi-original.yml
  - openapi/palo-alto-strata-logging-service-api-openapi-original.yml
  - openapi/palo-alto-ztna-connector-api-openapi-original.yml
- name: oauth2
  type: oauth2
  flows:
  - flow: clientCredentials
    tokenUrl: https://auth.apps.paloaltonetworks.com/oauth2/access_token
    scopes: 0
  description: OAuth 2.0 client credentials flow for obtaining an access token. Requires a client
    ID and client secret from the Palo Alto Networks SASE identity provider.
  sources:
  - openapi/palo-alto-autonomous-dem-api-openapi-original.yml
  - openapi/palo-alto-prisma-access-api-openapi-original.yml
  - openapi/palo-alto-prisma-sd-wan-api-openapi-original.yml
- name: awsSigV4
  type: apiKey
  in: header
  parameter: Authorization
  description: AWS Signature Version 4 (SigV4) signed request. Use an AWS IAM role or user with
    CloudNGFW IAM permissions. Sign requests using the service name cloudngfw and the target
    AWS region. Include x-amz-date and x-amz-security-token headers as required.
  sources:
  - openapi/palo-alto-cloud-ngfw-api-openapi-original.yml
  - openapi/palo-alto-cortex-xsoar-api-openapi-original.yml
- name: xdrAuth
  type: apiKey
  in: header
  parameter: x-xdr-hmac-v2
  description: 'Cortex XDR uses a custom HMAC-SHA256 authentication scheme. Each request requires
    four headers: x-xdr-auth-id (API key ID), x-xdr-nonce (64-character random string), x-xdr-timestamp
    (Unix epoch milliseconds), and x-xdr-hmac-v2 (SHA-256 hash of apikey + nonce + timestamp).
    Generate API keys from Cortex XDR Settings > Configurations > API Keys.'
  sources:
  - openapi/palo-alto-cortex-xdr-api-openapi-original.yml
  - openapi/palo-alto-cortex-xpanse-api-openapi-original.yml
  - openapi/palo-alto-cortex-xsiam-api-openapi-original.yml
- name: dnsApiKey
  type: apiKey
  in: header
  parameter: X-DNS-API-APIKEY
  description: DNS Security API key. Requires an active DNS Security subscription associated
    with a Palo Alto Networks support account. Obtain from the DNS Security portal under API
    settings.
  sources:
  - openapi/palo-alto-dns-security-api-openapi-original.yml
- name: keyId
  type: apiKey
  in: header
  parameter: X-Key-Id
  description: IoT Security API key identifier. Generated from the IoT Security portal under
    Settings > API Keys.
  sources:
  - openapi/palo-alto-iot-security-api-openapi-original.yml
- name: accessKey
  type: apiKey
  in: header
  parameter: X-Access-Key
  description: IoT Security API access key. Generated alongside the key identifier from the
    IoT Security portal.
  sources:
  - openapi/palo-alto-iot-security-api-openapi-original.yml
- name: apiKey
  type: apiKey
  in: header
  parameter: X-PAN-KEY
  description: PAN-OS API key generated via the /api/?type=keygen endpoint or from the web interface
    under Device > Administrators. The key is tied to an administrator account and inherits
    its role-based permissions.
  sources:
  - openapi/palo-alto-pan-os-rest-api-openapi-original.yml
- name: apiKeyAuth
  type: apiKey
  in: header
  parameter: x-pan-token
  description: API key for authenticating requests to the Prisma AIRS API. Generate keys in
    the Palo Alto Networks AI Runtime Security console under Settings > API Keys.
  sources:
  - openapi/palo-alto-prisma-airs-api-openapi-original.yml
- name: redlockAuth
  type: apiKey
  in: header
  parameter: x-redlock-auth
  description: JWT token obtained from the Prisma Cloud /login endpoint. Pass the token value
    in the x-redlock-auth header. Tokens are valid for 10 minutes.
  sources:
  - openapi/palo-alto-prisma-cloud-code-security-api-openapi-original.yml
- name: basicAuth
  type: http
  scheme: basic
  description: HTTP Basic authentication using Prisma Cloud Compute credentials.
  sources:
  - openapi/palo-alto-prisma-cloud-compute-api-openapi-original.yml
- name: authKey
  type: http
  scheme: Bearer
  sources:
  - openapi/palo-alto-sase-multitenant-interconnect-api-openapi-original.yml
- name: apiKey
  type: apiKey
  in: header
  parameter: X-API-KEY
  description: Threat Vault API key. Generate your API key from the Palo Alto Networks customer
    support portal or the Developer Portal at pan.dev. The API key controls access level and
    daily quota limits.
  sources:
  - openapi/palo-alto-threat-vault-api-openapi-original.yml