Starting from v7.4.5, API requests no longer allow the access_token as a URL parameter by default. This change aligns with security best practices to prevent sensitive information from being exposed and intercepted. Instead, the access_token must be included in the HTTP headers, as shown in the example below

curl --location 'https://10.5.209.146/api/v2/cmdb/system/vdom?vdom=root' \
--header 'Authorization: Bearer xxx' \
--header 'Content-Type: application/json' \
--data '{
"name": "testing",
"type": "ppp"
}'

The following errors may appear in the HTTPS debug logs when an API request fails with a '401 Unauthorized' error:

[httpsd 2513 - 1739308886 info] fweb_debug_init[531] -- New GET request for "/api/v2/monitor/system/time" from "192.168.1.37:40424"
[httpsd 2513 - 1739308886 info] fweb_debug_init[533] -- User-Agent: "curl/7.81.0"
[httpsd 2513 - 1739308886 info] fweb_debug_init[535] -- Handler "api_monitor_v2-handler" assigned torequest
[httpsd 2513 - 1739308886 warning] _extract_key_param[97] -- REST API key in URL parameters is disabled.
[httpsd 2513 - 1739308886 warning] _extract_key_param[97] -- REST API key in URL parameters is disabled.
[httpsd 2513 - 1739308886 info] fweb_debug_final[355] -- Completed GET request for "/api/v2/monitor/system/time" (HTTP 401 Unauthorized)

In some cases, while attempting to connect to the FortiGate from FortiSOAR, the changes mentioned above may result in the following error message: 'Unauthorized. Wrong API key provided OR check user/VDOM/API key permission' as shown in the screenshot.

If using the access_token as a URL parameter is required, the configuration can be adjusted to enable it. The following commands allow this:

config system global

    set rest-api-key-url-query enable
end

Once this is enabled, the inclusion of access_token within URL parameters is allowed. However, as already mentioned, enabling this option should be carefully evaluated since it has the potential to expose the network to some risks.