>
    Strata Copilot
    Manage Applications, API Keys, Security Profiles, and Custom Topics
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma AIRS
    3. Administration
    4. Defend: Create a Security Policy Rule to Prevent AI Security Threats
    5. Manage Applications, API Keys, Security Profiles, and Custom Topics
    Download PDF
    Prisma AIRS

    Manage Applications, API Keys, Security Profiles, and Custom Topics

    Table of Contents

    Manage Applications, API Keys, Security Profiles, and Custom Topics

    Manage applications, API keys, security profiles, and custom topics.
    Where Can I Use This?What Do I Need?
    • Prisma AIRS AI Runtime: API security
    The Prisma AIRS API dashboard summarizes the API threat scan logs. You can also manage the onboarded applications, API keys, security profiles, and custom topics.
    In this secion, you will manage the:
    • Onboarded applications
    • API keys
    • Generate OAuth 2.0 token
    • API security profile
    • Custom topics
    1. Log in to Strata Cloud Manager.
    2. Navigate to Insights Prisma AIRS Prisma AIRS AI Runtime: API intercept.
    3. Select Manage from the top right corner.
    4. Select one of the applications, API keys, security profiles, or custom topics, and follow the respective section.
    5. Copy and save your API key token and Security profile name or profile ID (UUID).
      You need these credentials to make successful scan API calls. See the Prisma AIRS API Reference guide for detailed examples.

    Manage Applications

    1. View and manage application details:
      • Application name
      • Application cloud provider
      • Application environment
      • API key associated with the application
      • Deployment profile associated with the application.
      • Select one of the AI agent frameworks to detect AI agent threats specific to a framework.
    2. Edit: If you want to update the application name, cloud provider, environment, and the AI agent framework.
    3. Delete: This deletes the application and the API key associated with it.
    4. Select Add new application/API key to initiate the onboarding workflow for creating an application and API key. This workflow uses an unused deployment profile associated with the tenant.

    Manage API Keys

    1. View and manage API keys and their application details:
      • API key name
      • Application name that's using the API key
      • View and copy the API key token
    2. Regenerate API key token. This revokes the existing API key and creates a new one.
    3. Delete: This deletes the API key and its associated application.
    4. Set the API key Rotation time interval by selecting the drop-down (Every month, 3 months, or 6 months).
      The rotation takes effect only when you regenerate or create a new API key.
    5. Select Add new application/API key to initiate the onboarding workflow for creating an application and API key. This workflow uses an unused deployment profile associated with the tenant.

    Generate OAuth 2.0 token

    The Prisma AIRS API supports both API Key and OAuth 2.0 token-based authentication methods for scan submissions. OAuth 2.0 token authentication addresses several limitations of using API Keys exclusively, including the maximum limit of API Keys per application, the requirement for SCM web interface access to fetch API keys, and information security recommendations for using industry-standard authentication protocols.
    With OAuth 2.0 token authentication, administrators can distribute credentials to authorized users or service accounts with specific roles. These users can then generate OAuth tokens and use them in automation scripts and other integrations. This approach aligns with information security best practices while providing more flexible authentication options.
    OAuth 2.0 tokens for AIRS API have configurable validity periods ranging from 1 hour to 30 days. However, these tokens are bound by the API Key expiration. That is, even if a token was generated with a longer validity period, it will cease to work once the underlying API Key expires. When generated through the SCM web interface, OAuth tokens have a default validity of 24 hours and are displayed only once.
    The system applies the same quota policies to scan submissions regardless of whether they use API Key or OAuth 2.0 token authentication. This ensures consistent resource allocation and management across all authentication methods.
    Before configuring OAuth 2.0 token authentication, administrators should understand the relationship between application roles, API Keys, and OAuth tokens. The super user role has privileges to generate and manage both API Keys and OAuth tokens, while other roles may have more limited permissions based on their assigned capabilities. For reporting purposes, all scan submissions are logged with the associated API key identifier, regardless of whether the actual submission used an API Key or OAuth token.
    1. Log in to Strata Cloud Manager.
    2. Navigate to Insights Prisma AIRS Prisma AIRS AI Runtime: API intercept.
    3. Select Manage from the top right corner and then API Keys.
    4. Select API Key that you have already created for which you want to generate the OAuth 2.0 token.
    5. Generate Token for OAuth 2.0.
    6. Set the OAuth 2.0 token lifetime by selecting one of these durations: 1 hour, 3 hours, 1 day, 7 days, or 30 days.
    7. Select Generate Token to generate the token successfully.

    Manage API Security Profiles

    1. Click Show Details to view the following details and manage your security profiles.
      • Security profile name
      • AI security profile unique ID (UUID)
      • Version number. This is the revision number of each security profile
      • Treat detections applied and their default actions
      • Latency configuration
    2. Edit: Update your security profile configurations:
      • You can update the security profile name, AI model protection, AI application protection, AI data protection, and Latency configuration.
      • Select Update to save your settings.
    3. Delete: Deletes the security profile.
    4. Create New Security Profile as described in the Onboard Prisma AIRS API in Strata Cloud Manager section.
      When editing an AI security profile:
      • Updating configurations without changing the name: The profile retains its name but receives a new AI security profile ID (UUID). The revision number is incremented.
      • Updating the name (with or without configuration changes): A new profile revision is created with the updated name and a new AI security profile ID (UUID). Each AI security profile revision is identified by a unique version number, starting from 1.0.
    5. Security Profile Linking: The Security Profile Linking (when enabled while adding an AI application) automatically associates the default Security Profile with the AI profile. Toggle Linked to enable Security Profile Linking to link to an existing Security Profile automatically (based on the AI application the Security Profile is linked with).

    Manage Custom Topics

    Create or update custom topics for custom topic guardrails threat detections and eanble this detection service in the API security profile.
    1. Select Manage Custom Topics.
    2. Add New Custom Topic.
    3. Enter a custom Topic Name. Limit the name to 100 characters.
    4. Enter a Description explaining the purpose of this custom topic. Limit it to 250 characters.
    5. Enter relevant Examples for your custom topic. Limit them to 250 characters.
    6. Create or Update.
      Limitations
      • Custom topic guardrail feature supports a maximum of up to 20 topics per profile.
      • Each topic name is limited to 100 characters.
      • Topic descriptions are limited to 250 characters.
      • Each topic can have up to 5 examples, each limited to 250 characters.
      • The character length of the topic name, description, and examples together is limited to 1000 characters.
      • The feature is designed to process content up to 10K characters with an expected latency of up to 100 ms.
      • While highly accurate, the detection mechanism may have a small margin of error, with a target of max 0.1% for incorrect block actions and up to 10% for incorrect allow actions.

    © 2025 Palo Alto Networks, Inc. All rights reserved.