2022-05-26 23:06:25 +08:00
---
aliases:
2022-12-10 00:36:04 +08:00
- ../../http_api/auth/
- ../../http_api/authentication/
2023-02-07 01:14:36 +08:00
canonical: /docs/grafana/latest/developers/http_api/auth/
2022-05-26 23:06:25 +08:00
description: Grafana Authentication HTTP API
keywords:
- grafana
- http
- documentation
- api
- authentication
Explicitly set all front matter labels in the source files (#71548)
* Set every page to have defaults of 'Enterprise' and 'Open source' labels
Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set administration pages to have of 'Cloud', 'Enterprise', and 'Open source' labels
Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set administration/enterprise-licensing pages to have 'Enterprise' labels
Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set administration/organization-management pages to have 'Enterprise' and 'Open source' labels
Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set administration/provisioning pages to have 'Enterprise' and 'Open source' labels
Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set administration/recorded-queries pages to have labels cloud,enterprise
* Set administration/roles-and-permissions/access-control pages to have labels cloud,enterprise
Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set administration/stats-and-license pages to have labels cloud,enterprise
* Set alerting pages to have labels cloud,enterprise,oss
* Set breaking-changes pages to have labels cloud,enterprise,oss
* Set dashboards pages to have labels cloud,enterprise,oss
* Set datasources pages to have labels cloud,enterprise,oss
* Set explore pages to have labels cloud,enterprise,oss
* Set fundamentals pages to have labels cloud,enterprise,oss
* Set introduction/grafana-cloud pages to have labels cloud
Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Fix introduction pages products
Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set panels-visualizations pages to have labels cloud,enterprise,oss
* Set release-notes pages to have labels cloud,enterprise,oss
* Set search pages to have labels cloud,enterprise,oss
* Set setup-grafana/configure-security/audit-grafana pages to have labels cloud,enterprise
Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set setup-grafana/configure-security/configure-authentication pages to have labels cloud,enterprise,oss
* Set setup-grafana/configure-security/configure-authentication/enhanced-ldap pages to have labels cloud,enterprise
* Set setup-grafana/configure-security/configure-authentication/saml pages to have labels cloud,enterprise
* Set setup-grafana/configure-security/configure-database-encryption/encrypt-secrets-using-hashicorp-key-vault pages to have labels cloud,enterprise
* Set setup-grafana/configure-security/configure-request-security pages to have labels cloud,enterprise,oss
Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set setup-grafana/configure-security/configure-team-sync pages to have labels cloud,enterprise
Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set setup-grafana/configure-security/export-logs pages to have labels cloud,enterprise
Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set troubleshooting pages to have labels cloud,enterprise,oss
* Set whatsnew pages to have labels cloud,enterprise,oss
* Apply updated labels from review
Co-authored-by: brendamuir <100768211+brendamuir@users.noreply.github.com>
Co-authored-by: Isabel <76437239+imatwawana@users.noreply.github.com>
---------
Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
Co-authored-by: brendamuir <100768211+brendamuir@users.noreply.github.com>
Co-authored-by: Isabel <76437239+imatwawana@users.noreply.github.com>
2023-07-18 16:10:12 +08:00
labels:
products:
- enterprise
- oss
2022-05-26 23:06:25 +08:00
title: 'Authentication HTTP API '
---
2016-02-03 14:59:22 +08:00
2016-02-05 17:15:09 +08:00
# Authentication API
2016-02-03 14:59:22 +08:00
2022-07-09 03:21:29 +08:00
> If you are running Grafana Enterprise, for some endpoints you would need to have relevant permissions. Refer to [Role-based access control permissions]({{< relref "../../administration/roles-and-permissions/access-control/custom-role-actions-scopes/" >}}) for more information.
2022-05-21 03:48:52 +08:00
2016-02-05 17:15:09 +08:00
## Tokens
2016-02-03 14:59:22 +08:00
2022-05-21 03:48:52 +08:00
Currently, you can authenticate via an `API Token` or via a `Session cookie` (acquired using regular login or OAuth).
2016-02-03 14:59:22 +08:00
2021-04-22 00:24:56 +08:00
## X-Grafana-Org-Id Header
2021-08-06 21:52:36 +08:00
**X-Grafana-Org-Id** is an optional property that specifies the organization to which the action is applied. If it is not set, the created key belongs to the current context org. Use this header in all requests except those regarding admin.
2021-04-22 00:24:56 +08:00
**Example Request**:
```http
POST /api/auth/keys HTTP/1.1
Accept: application/json
Content-Type: application/json
X-Grafana-Org-Id: 2
Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
{
"name": "mykey",
"role": "Admin",
"secondsToLive": 86400
}
```
2016-02-05 17:15:09 +08:00
## Basic Auth
2016-02-03 14:59:22 +08:00
2020-07-06 22:56:26 +08:00
If basic auth is enabled (it is enabled by default), then you can authenticate your HTTP request via
2016-12-13 16:15:52 +08:00
standard basic auth. Basic auth will also authenticate LDAP users.
2016-02-03 14:59:22 +08:00
curl example:
2021-08-06 21:52:36 +08:00
2017-10-06 01:01:03 +08:00
```bash
2022-05-30 20:02:04 +08:00
curl http://admin:admin@localhost:3000/api/org
2016-02-03 14:59:22 +08:00
{"id":1,"name":"Main Org."}
```
2016-02-05 17:15:09 +08:00
## Create API Token
2016-02-03 14:59:22 +08:00
Open the sidemenu and click the organization dropdown and select the `API Keys` option.
You use the token in all requests in the `Authorization` header, like this:
**Example**:
2017-10-06 01:01:03 +08:00
```http
GET http://your.grafana.com/api/dashboards/db/mydash HTTP/1.1
Accept: application/json
Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
```
2016-02-03 14:59:22 +08:00
2016-02-05 17:15:09 +08:00
The `Authorization` header value should be `Bearer <your api key>` .
2017-04-20 19:59:36 +08:00
2018-06-28 18:08:32 +08:00
The API Token can also be passed as a Basic authorization password with the special username `api_key` :
curl example:
2021-08-06 21:52:36 +08:00
2018-06-28 18:08:32 +08:00
```bash
2022-05-30 20:02:04 +08:00
curl http://api_key:eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk@localhost:3000/api/org
2018-06-28 18:08:32 +08:00
{"id":1,"name":"Main Org."}
```
2017-04-20 19:59:36 +08:00
# Auth HTTP resources / actions
## Api Keys
`GET /api/auth/keys`
2022-05-21 03:48:52 +08:00
**Required permissions**
See note in the [introduction ]({{< ref "#authentication-api" >}} ) for an explanation.
| Action | Scope |
| -------------- | ----------- |
| `apikeys:read` | `apikeys:*` |
2017-04-20 19:59:36 +08:00
**Example Request**:
2017-10-06 01:01:03 +08:00
```http
GET /api/auth/keys HTTP/1.1
Accept: application/json
Content-Type: application/json
Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
```
2017-04-20 19:59:36 +08:00
2019-11-20 19:14:57 +08:00
Query Parameters:
- `includeExpired` : boolean. enable listing of expired keys. Optional.
2017-04-20 19:59:36 +08:00
**Example Response**:
2017-10-06 01:01:03 +08:00
```http
HTTP/1.1 200
Content-Type: application/json
[
{
"id": 3,
"name": "API",
"role": "Admin"
},
{
"id": 1,
"name": "TestAdmin",
2019-06-26 14:47:03 +08:00
"role": "Admin",
"expiration": "2019-06-26T10:52:03+03:00"
2017-10-06 01:01:03 +08:00
}
]
```
2017-04-20 19:59:36 +08:00
## Create API Key
`POST /api/auth/keys`
2022-05-21 03:48:52 +08:00
**Required permissions**
See note in the [introduction ]({{< ref "#authentication-api" >}} ) for an explanation.
| Action | Scope |
| ---------------- | ----- |
| `apikeys:create` | n/a |
2017-04-20 19:59:36 +08:00
**Example Request**:
2017-10-06 01:01:03 +08:00
```http
POST /api/auth/keys HTTP/1.1
Accept: application/json
Content-Type: application/json
Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
2017-04-20 19:59:36 +08:00
2017-10-06 01:01:03 +08:00
{
"name": "mykey",
2019-06-26 14:47:03 +08:00
"role": "Admin",
"secondsToLive": 86400
2017-10-06 01:01:03 +08:00
}
```
2017-04-20 19:59:36 +08:00
JSON Body schema:
- **name** –
2017-12-14 01:53:42 +08:00
- **role** – `Viewer` , `Editor` or `Admin` .
2019-06-26 14:47:03 +08:00
- **secondsToLive** – `api_key_max_seconds_to_live` configuration option is set) the key will never expire.
Error statuses:
- **400** – `api_key_max_seconds_to_live` is set but no `secondsToLive` is specified or `secondsToLive` is greater than this value.
- **500** –
2017-04-20 19:59:36 +08:00
**Example Response**:
2017-10-06 01:01:03 +08:00
```http
HTTP/1.1 200
Content-Type: application/json
2017-04-20 19:59:36 +08:00
2020-09-07 23:06:11 +08:00
{"name":"mykey","key":"eyJrIjoiWHZiSWd3NzdCYUZnNUtibE9obUpESmE3bzJYNDRIc0UiLCJuIjoibXlrZXkiLCJpZCI6MX1=","id":1}
2017-10-06 01:01:03 +08:00
```
2017-04-20 19:59:36 +08:00
## Delete API Key
`DELETE /api/auth/keys/:id`
2022-05-21 03:48:52 +08:00
**Required permissions**
See note in the [introduction ]({{< ref "#authentication-api" >}} ) for an explanation.
| Action | Scope |
| ---------------- | ---------- |
| `apikeys:delete` | apikeys:\* |
2017-04-20 19:59:36 +08:00
**Example Request**:
2017-10-06 01:01:03 +08:00
```http
DELETE /api/auth/keys/3 HTTP/1.1
Accept: application/json
Content-Type: application/json
Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
```
2021-08-06 21:52:36 +08:00
2017-04-20 19:59:36 +08:00
**Example Response**:
2017-10-06 01:01:03 +08:00
```http
HTTP/1.1 200
Content-Type: application/json
2017-04-20 19:59:36 +08:00
2017-10-06 01:01:03 +08:00
{"message":"API key deleted"}
2020-05-19 04:56:23 +08:00
```
