Generate an Access Token for WildFire API Requests

Generate a short-lived Bearer token from the authentication service to authorize your WildFire API requests.
Where Can I Use This?
  • Advanced WildFire public cloud
What Do I Need?
  • A configured Tenant Service Group (TSG-ID)
  • A service account with a Client ID and Client Secret
  • An active WildFire API token provisioned in Strata Cloud Manager
Before you can make authenticated requests to the WildFire API using token-based authentication, you must generate an access token from the Palo Alto Networks authentication service. The access token is a short-lived Bearer credential (valid for 15 minutes) that you include in the HTTP Authorization header of each WildFire API request.
You obtain an access token by calling the authentication service endpoint with your service account credentials (Client ID and Client Secret) and specifying the TSG-ID that scopes the token to a specific tenant. Your script or application must generate a new access token before the current one expires to maintain uninterrupted API access.
The authentication service FQDN is separate from the WildFire API endpoints:
https://auth.apps.paloaltonetworks.com
  1. Retrieve your service account credentials.
    You need the following values from the service account you created when provisioning your WildFire API token in Strata Cloud Manager:
    • Client ID—The unique identifier for your service account.
    • Client Secret—The secret key paired with the Client ID.
    • TSG-ID—The Tenant Service Group identifier that scopes the access token to a specific tenant.
  2. Request an access token from the authentication service.
    Send a POST request to the authentication service token endpoint using the OAuth2 client credentials grant type. Use basic authentication with your Client ID as the username and Client Secret as the password, and specify the TSG-ID in the scope field:
    curl -X POST https://auth.apps.paloaltonetworks.com/am/oauth2/access_token \
      -u CLIENT_ID:CLIENT_SECRET \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -d "grant_type=client_credentials&scope=tsg_id:TSG_ID"
    The service account you authenticate with must belong to the TSG that you identify in the scope field.
  3. Extract the access token from the response.
    A successful request returns a JSON response containing the access token:
    {
      "access_token": "eyJhb...truncated",
      "scope": "tsg_id:TSG_ID",
      "token_type": "Bearer",
      "expires_in": 900
    }
    The expires_in value indicates the token lifetime in seconds (900 seconds = 15 minutes).
  4. Use the access token in your WildFire API requests.
    Include the access token as a Bearer credential in the Authorization header of your WildFire API calls:
    curl https://wildfire.paloaltonetworks.com/publicapi/submit/file \
      -F file=@sample.exe \
      -H "Authorization: Bearer ACCESS_TOKEN"
  5. Handle token expiration in your workflows.
    Access tokens expire after 15 minutes. Your automation must request a new token before the current one expires. If you submit a request with an expired token, the API returns an authorization error. You can validate your token credentials or check expiration by decoding the token at https://jwt.io/.
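
The following Python is an added example, not Palo Alto Networks code: it implements steps 2 through 5 as a token cache that renews the token before it expires and reads the JWT exp claim locally, so the Bearer token never has to be pasted into a website. The environment variable names, the 60-second renewal margin and the presence of an exp claim in the token are assumptions.

```python
import base64, json, os, time, urllib.parse, urllib.request
TOKEN_URL = "https://auth.apps.paloaltonetworks.com/am/oauth2/access_token"

def request_token(client_id, client_secret, tsg_id):
    """Step 2: client-credentials grant with HTTP basic auth; returns the JSON body."""
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": f"tsg_id:{tsg_id}"}).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(TOKEN_URL, data=body, headers={
        "Authorization": f"Basic {basic}", "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def jwt_exp(token):
    """Read the exp claim locally, without verifying the signature; None if absent."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
        return json.loads(base64.urlsafe_b64decode(payload)).get("exp")
    except (IndexError, ValueError, AttributeError):
        return None

class TokenCache:
    """Caches the Bearer token and renews it `skew` seconds before it expires."""
    def __init__(self, fetch, skew=60, clock=time.time):
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._token, self._expires_at = None, 0.0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            resp = self._fetch()
            if resp.get("token_type") != "Bearer" or not resp.get("access_token"):
                raise ValueError("token endpoint did not return a Bearer token")
            self._token = resp["access_token"]
            self._expires_at = now + int(resp.get("expires_in", 900))
            exp = jwt_exp(self._token)  # assumption: token is a JWT with an exp claim
            if isinstance(exp, (int, float)):
                self._expires_at = min(self._expires_at, float(exp))
        return self._token

    def auth_header(self):  # step 4: header to attach to each WildFire API request
        return {"Authorization": f"Bearer {self.get()}"}

if __name__ == "__main__":
    # Hypothetical variable names; keeps the secret out of argv and shell history.
    env = [os.environ[k] for k in ("WILDFIRE_CLIENT_ID", "WILDFIRE_CLIENT_SECRET", "WILDFIRE_TSG_ID")]
    cache = TokenCache(lambda: request_token(*env))
    print("token acquired, length", len(cache.get()))
```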