>
    Strata Copilot
    Manage Applications, API Keys, Security Profiles, and Custom Topics
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma AIRS
    3. Administration
    4. Defend: Create and Configure API Security Profile
    5. Manage Applications, API Keys, Security Profiles, and Custom Topics
    Download PDF
    Prisma AIRS

    Manage Applications, API Keys, Security Profiles, and Custom Topics

    Table of Contents

    Manage Applications, API Keys, Security Profiles, and Custom Topics

    Manage applications, API keys, security profiles, and custom topics.
    Where Can I Use This?What Do I Need?
    • Prisma AIRS AI Runtime: API security
    The Prisma AIRS API dashboard summarizes the API threat scan logs. You can also manage the onboarded applications, API keys, security profiles, and custom topics.
    In this section, you will manage the:
    • Onboarded applications
    • API keys
    • Generate OAuth 2.0 token
    • API security profile
    • Custom topics
    1. Log in to Strata Cloud Manager.
    2. Navigate to AI Security API Applications.
    3. Select Manage from the top right corner.
    4. Select one of the applications, API keys, security profiles, or custom topics, and follow the respective section.
    5. Copy and save your API key token and Security profile name or profile ID (UUID).
      You need these credentials to make successful scan API calls. See the Prisma AIRS API Reference guide for detailed examples.

    Manage Applications

    1. View and manage application details:
      • Application name
      • Application cloud provider
      • Application environment
      • API key associated with the application
      • Deployment profile associated with the application.
      • Select one of the AI agent frameworks to detect AI agent threats specific to a framework.
    2. Edit: If you want to update the application name, cloud provider, environment, and the AI agent framework.
    3. Delete: This deletes the application and the API key associated with it.
    4. Select Add new application/API key to initiate the onboarding workflow for creating an application and API key. This workflow uses an unused deployment profile associated with the tenant.

    Manage API Keys

    1. View and manage API keys and their application details:
      • API key name
      • Application name that's using the API key
      • View and copy the API key token
    2. Regenerate API key token. This revokes the existing API key and creates a new one.
    3. Delete: This deletes the API key and its associated application.
    4. Set the API key Rotation time interval by selecting the drop-down (Every month, 3 months, or 6 months).
      The rotation takes effect only when you regenerate or create a new API key.
    5. Select Add new application/API key to initiate the onboarding workflow for creating an application and API key. This workflow uses an unused deployment profile associated with the tenant.

    Generate OAuth 2.0 token

    The Prisma AIRS API supports both API Key and OAuth 2.0 token-based authentication methods for scan submissions. OAuth 2.0 token authentication addresses several limitations of using API Keys exclusively, including the maximum limit of API Keys per application, the requirement for SCM web interface access to fetch API keys, and information security recommendations for using industry-standard authentication protocols.
    With OAuth 2.0 token authentication, administrators can distribute credentials to authorized users or service accounts with specific roles. These users can then generate OAuth tokens and use them in automation scripts and other integrations. This approach aligns with information security best practices while providing more flexible authentication options.
    OAuth 2.0 tokens for AIRS API have configurable validity periods ranging from 1 hour to 30 days. However, these tokens are bound by the API Key expiration. That is, even if a token was generated with a longer validity period, it will cease to work once the underlying API Key expires. When generated through the SCM web interface, OAuth tokens have a default validity of 24 hours and are displayed only once.
    The system applies the same quota policies to scan submissions regardless of whether they use API Key or OAuth 2.0 token authentication. This ensures consistent resource allocation and management across all authentication methods.
    Before configuring OAuth 2.0 token authentication, administrators should understand the relationship between application roles, API Keys, and OAuth tokens. The super user role has privileges to generate and manage both API Keys and OAuth tokens, while other roles may have more limited permissions based on their assigned capabilities. For reporting purposes, all scan submissions are logged with the associated API key identifier, regardless of whether the actual submission used an API Key or OAuth token.
    1. Log in to Strata Cloud Manager.
    2. Navigate to AI Security API Applications.
    3. Select Manage from the top right corner and then API Keys.
    4. Select API Key that you have already created for which you want to generate the OAuth 2.0 token.
    5. Generate Token for OAuth 2.0.
    6. Set the OAuth 2.0 token lifetime by selecting one of these durations: 1 hour, 3 hours, 1 day, 7 days, or 30 days.
    7. Select Generate Token to generate the token successfully.

    Manage API Security Profiles

    1. Click Show Details to view the following details and manage your security profiles.
      • Security profile name
      • AI security profile unique ID (UUID)
      • Version number. This is the revision number of each security profile
      • Treat detections applied and their default actions
      • Latency configuration
    2. Edit: Update your security profile configurations:
      • You can update the security profile name, AI model protection, AI application protection, AI data protection, and Latency configuration.
      • Select Update to save your settings.
    3. Delete: Deletes the security profile.
    4. Create New Security Profile as described in the Onboard Prisma AIRS API in Strata Cloud Manager section.
      When editing an AI security profile:
      • Updating configurations without changing the name: The profile retains its name but receives a new AI security profile ID (UUID). The revision number is incremented.
      • Updating the name (with or without configuration changes): A new profile revision is created with the updated name and a new AI security profile ID (UUID). Each AI security profile revision is identified by a unique version number, starting from 1.0.
    5. Security Profile Linking: The Security Profile Linking (when enabled while adding an AI application) automatically associates the default Security Profile with the AI profile. Toggle Linked to enable Security Profile Linking to link to an existing Security Profile automatically (based on the AI application the Security Profile is linked with).

    Manage Custom Topics

    Create or update custom topics for custom topic guardrails threat detections and eanble this detection service in the API security profile.
    1. Select Manage Custom Topics.
    2. Add New Custom Topic.
    3. Enter a custom Topic Name. Limit the name to 100 characters.
    4. Enter a Description explaining the purpose of this custom topic. Limit it to 250 characters.
    5. Enter relevant Examples for your custom topic. Limit them to 250 characters.
    6. Create or Update.
      Limitations
      • Custom topic guardrail feature supports a maximum of up to 20 topics per profile.
      • Each topic name is limited to 100 characters.
      • Topic descriptions are limited to 250 characters.
      • Each topic can have up to 5 examples, each limited to 250 characters.
      • The character length of the topic name, description, and examples together is limited to 1000 characters.

    Multi-category Configurability and Reporting for Toxicity Detection

    Prisma AIRS AI Runtime supports multi-category toxicity detection which allows the AI Runtime API to identify specific types of harmful content by moving beyond a single general toxicity classification. It allows you to distinguish between various sub-categories of toxicity based on your specific AI application use cases and compliance requirements. AI Runtime classifies toxic content into one or more sub-categories, which are viewable in the AI Runtime scan API response. The table below describes these categories:
    Violent CrimesAny content depicting, promoting, or excusing criminal violent actions toward people, animals, or other entities. This includes, but not limited to, genocide, extremism, terrorism, murder, battery/assult, kidnapping, hate crimes, torture
    Suicide & Self-HarmAny content depicting, promoting, or excusing physical actions intended to purposely hurt, injure, damage one’s body or kill oneself, including, but not limited to, suicide, non-suicidal self-injury, and eating disorders.
    Indiscriminate WeaponsAny content depicting, promoting, or excusing the creation of weapons of mass destruction, including chemical, biological, radiological, nuclear, or high-yield explosive weapons.
    HateAny content that discriminates, criticizes, insults, denounces, stereotypes or dehumanizes a person or group based on differentiating/protected attributes. This also includes content that promotes discriminatory practices based on the aforementioned attributes, including employment discrimination.
    Sexual ContentAny content related to descriptions of sexual activity, genitals, and other forms of sexual content, including those portrayed as an assault or a forced sexual violent act against one’s will, and child sexual exploitation.
    Controlled / Regulated SubstancesAny content depicting, promoting, or excusing the production, possession, and use of substances regulated by law, often due to potential for abuse, addiction, or harm (e.g. prescription medications, illegal drugs, chemicals for manufacturing illegal substances).
    CybercrimesAny content depicting, promoting, or excusing acts of cybercrime.
    Other Non-Violent Crime & MisconductAny content:
    • Depicting, promoting, or excusing non-violent criminal actions, including financial, property, weapons, and intellectual property crimes.
    • Depicting, promoting, or excusing acts of fraudulent or dishonest behavior, such as misleading advertising and exploitative short term lending practices.
    • Depicting, promoting, or excusing a form of personal privacy violation.
      This does not include cybercrimes.
    1. Log in to Strata Cloud Manager.
    2. Navigate to PoliciesAI Security Profiles.
    3. Select an existing AI Security Profile, or, click Add Profileto to create a new one.
    4. Configure Model Protection settings within the AI Security Profile, scroll down to Toxic Content Detection.
      1. Within the AI Security Profile details, navigate to the Model Protection tab.
      2. Locate the Toxic Content Detection section.
    5. Enable and customize granular toxic content policies:
      1. Select Custom to enable different actions for each toxicity sub category.
      2. For each listed toxic content category, configure the desired action and confidence level thresholds:
        • Violent crimes
        • Suicide and self-harm
        • Indiscriminate weapons
        • Cybercrimes
        • Hate
        • Sexual content
        • Controlled/regulated substances
        • Other Non-violent crime and Misconduct (This super category includes Non-Violent Crimes, Fraudulent behavior, and Encouragement of privacy violation.)
      3. From the drop-down menu for each category, select either Allow or Block.
      4. For each selected action, specify the behavior for different confidence levels:
        • Moderate Confidence: Select Allow or Block.
        • High Confidence: Select Allow or Block.
    6. Save the updated AI Security Profile.
      Verify the deployment and effectiveness of the new policies:
      • Monitor Scan Reports and SLS logs within Strata Cloud Manager.
      • Look for entries where ai_subtype_details includes the newly configured categories and actions.
      • Test your AI applications with content that should trigger the new granular policies and observe the expected behavior.

    Configure Enhanced Source Code Detection

    To configure this feature, you will use the AI Security profile settings within Strata Cloud Manager.
    Follow these steps to set up the detection:
    1. Log in to Strata Cloud Manager.
    2. Navigate to AI Security AI Runtime Security Profiles.
    3. Select the AI security profile you want to configure.
    4. Navigate to AI Data Protection.
    5. Enable the toggle for Detection of Source Code.
    6. Select Actions for API; if you are configuring for the API you can select the actions to Allow or Block.
    7. Verify Logging. Once enabled, the system will automatically update the following reporting areas:
      • API Scan Reports: The prompt_detected, response_detected, and tool_detected sections will now include a code_found boolean value.
      • Log Details: The API Sessions view will display a row for Source Code Detected within the threat features list.
      • SLS Logs: The AI Incident Subtype field will be populated with "Source Code Detected" whenever a payload triggers the detection.
      • Code Snippets: You can view the specific snippets of detected code directly within the logging and reporting interface.

    © 2026 Palo Alto Networks, Inc. All rights reserved.