FortiGate
lpizziniaco
Staff
Article Id 357228
Description This article describes how to enable the 'access_token' parameter in the URL for a FortiGate API request.
Scope FortiGate, REST API.
Solution

Since FortiGate 7.4.5, API requests no longer accept the access_token as a URL parameter by default. This change was made to comply with security best practices: sensitive information should not be exposed in the URL, where it can be intercepted. The access_token must be passed in the HTTP headers, as in the example below:


curl --location 'https://10.5.209.146/api/v2/cmdb/system/vdom?vdom=root' \
--header 'Authorization: Bearer xxx' \
--header 'Content-Type: application/json' \
--data '{
"name": "testing",
"type": "ppp"
}'


If the use of the access_token as a URL parameter is necessary, the configuration can be modified to allow it. The following commands will allow it:

 

config system global
    set rest-api-key-url-query enable
end

 

Once this is done, the access_token is accepted as a URL parameter. However, as already mentioned, enabling this option should be carefully evaluated, since it can expose the network to risk.
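
An alternative to enabling the option is to move the key into the Authorization header on the client side and to check logs for requests that already exposed it in the URL. The following Python is an added example, not Fortinet code; the function names, the access-log format and the key value EXAMPLEKEY123 are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_PARAM = "access_token"
# Matches the key value in a logged request line so it can be masked.
_TOKEN_RE = re.compile(r"([?&]access_token=)[^&\s\"']+")

# Constructed sample: reverse-proxy access log lines (format and key are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /api/v2/cmdb/system/vdom'
    '?vdom=root&access_token=EXAMPLEKEY123 HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2025:10:00:05 +0000] "GET /api/v2/cmdb/system/vdom'
    '?vdom=root HTTP/1.1" 200 512',
]


def move_token_to_header(url):
    """Strip access_token from the query string and return it as a Bearer header."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    tokens = [v for k, v in pairs if k == TOKEN_PARAM]
    kept = [(k, v) for k, v in pairs if k != TOKEN_PARAM]
    headers = {"Authorization": f"Bearer {tokens[0]}"} if tokens else {}
    return urlunsplit(parts._replace(query=urlencode(kept))), headers


def find_exposed_requests(lines):
    """Return (client, redacted_line) for each log line carrying the key in the URL."""
    hits = []
    for line in lines:
        redacted, count = _TOKEN_RE.subn(r"\1<redacted>", line)
        if count:
            hits.append((line.split(" ", 1)[0], redacted))
    return hits


if __name__ == "__main__":
    url = "https://10.5.209.146/api/v2/cmdb/system/vdom?vdom=root&access_token=EXAMPLEKEY123"
    print(move_token_to_header(url))
    for client, line in find_exposed_requests(SAMPLE_LOG):
        print(client, line)
```

Any key that turns up in such logs has been stored in clear text and is a candidate for regeneration.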