Duo Admin API

Overview

The Admin API lets developers integrate with Duo Security's platform at a low level. The API has methods for creating, retrieving, updating, and deleting the core objects in Duo's system: users, phones, hardware tokens, admins, and integrations.

Developers can write applications that programmatically read their Duo account's authentication logs, administrator logs, and telephony logs; read or update account settings; and retrieve reports and other information.

Review the API Details to see how to construct your first API request.

About the Admin API

This API is automatically available to paying Duo Beyond, Duo Access, and Duo MFA plan customers and new customers with an Access or Beyond trial.

Documented properties will not be removed within a stable version of the API. Once a given API endpoint is documented to return a given property, a property with that name will always appear (although certain properties may only appear under certain conditions, like if the customer is using a specific edition). When Duo deprecates a property, the API continues to accept that property in requests, although it no longer has any effect.

Properties that enumerate choices may gain new values at any time, e.g. the device platform value could return new device platforms that did not previously exist. Duo may cease to return legacy values for properties as well. Duo will update our API documentation with changes to property values in a timely fashion, adding new property values or indicating changes to existing property values.

New, undocumented properties may also appear at any time. For instance, Duo may make available a beta feature involving extra information returned by an API endpoint. Until the property is documented here its format may change or it may even be entirely removed from our API.

We have started implementing v2 handlers for endpoints. In these cases, the API v1 handler remains supported, but will be limited or deprecated in the future. We encourage use of the v2 endpoints where available and recommend migrating existing API implementations to the v2 handlers.

Please note that all Unix timestamps are in seconds.

First Steps

Role required: Owner

Note that only administrators with the Owner role can create or modify an Admin API application in the Duo Admin Panel.

1. Sign up for a Duo account.
2. Log in to the Duo Admin Panel and navigate to Applications.
3. Click Protect an Application and locate the entry for Admin API in the applications list. Click Protect to the far-right to configure the application and get your integration key, secret key, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications in Duo and additional application options.
Treat your secret key like a password
The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!
4. Determine what permissions you want to grant to this Admin API application. Refer to the API endpoint descriptions throughout this document for information about required permissions for operations.

   Permission	Details
   Grant administrators	The Admin API application can read information about, create, update, and delete Duo administrators and administrative units.
   Grant read information	The Admin API application can read information about the Duo customer account's utilization.
   Grant applications	The Admin API application can read information about, create, update, and delete Duo applications (referred to as "integrations" in the API).
   Grant settings	The Admin API application can read and change global Duo account settings.
   Grant read log	The Admin API application can read authentication, offline access, telephony, and administrator action log information.
   Grant read resource	The Admin API application can read information about resource objects such as end users and devices.
   Grant write resource	The Admin API application can create, update, and delete resource objects such as end users and devices.

5. Optionally specify which IP addresses or ranges are allowed to use this Admin API application in Networks for API Access. If you do not specify any IP addresses or ranges, this Admin API application may be accessed from any network.

   The Admin API performs the IP check occurs after verifying the authentication signature in a request. If you restrict the allowed networks for API access and see logged events for blocked Admin API requests from unrecognized IP addresses, this may indicate compromise of your Admin API application's secret key.

API Clients

Duo Security has demonstration clients available on Github to call the Duo API methods. Examples are available in: Python, Java, C#, Go, Node, Ruby, Perl, and PHP.

API Details

Base URL

All API methods use your API hostname, https://api-XXXXXXXX.duosecurity.com. Obtain this value from the Duo Admin Panel and use it exactly as shown there.

Methods always use HTTPS. Unsecured HTTP is not supported.

Request Format

All requests must have "Authorization" and "Date" headers.

If the request method is GET or DELETE, URL-encode parameters and send them in the URL query string like this: /admin/v1/users?realname=First%20Last&username=root. They still go on a separate line when creating the string to sign for an Authorization header.

Send parameters for POST requests in the body as URL-encoded key-value pairs (the same request format used by browsers to submit form data). The header "Content-Type: application/x-www-form-urlencoded" must also be present.

When URL-encoding, all bytes except ASCII letters, digits, underscore ("_"), period ("."), tilde ("~"), and hyphen ("-") are replaced by a percent sign ("%") followed by two hexadecimal digits containing the value of the byte. For example, a space is replaced with "%20" and an at-sign ("@") becomes "%40". Use only upper-case A through F for hexadecimal digits.

A request with parameters, as a complete URL, would look like this: https://api-XXXXXXXX.duosecurity.com/admin/v1/users?realname=First%20Last&username=root.

Response Format

Responses are formatted as a JSON object with a top-level stat key.

Successful responses will have a stat value of "OK" and a response key. The response will either be a single object or a sequence of other JSON types, depending on which endpoint is called.

{
  "stat": "OK",
  "response": {
    "key": "value"
  }
}

Values are returned as strings unless otherwise documented.

Unsuccessful responses will have a stat value of "FAIL", an integer code, and a message key that further describes the failure. A message_detail key may be present if additional information is available (like the specific parameter that caused the error).

{
  "stat": "FAIL",
  "code": 40002,
  "message": "Invalid request parameters",
  "message_detail": "username"
}

The HTTP response code will be the first three digits of the more specific code found inside the JSON object. Each endpoint's documentation lists HTTP response codes it can return. Additionally, all API endpoints that require a signed request can return the following HTTP response codes:

Response Paging

Some API endpoints return a paged list of results on GET, up to the API endpoint's limit, or maximum results per page.

A successful response when the total results exceed the endpoint's default page size will include a metadata section with information about the total number of objects found and the results returned in the paged response. If the request returns no paging metadata, then either the endpoint does not support paged results or the total results do not exceed one page.

Specifying incorrect paging parameters results in a 400 invalid parameters response.

Use the metadata information returned to change the paging parameters for your request.

To retrieve the full set of results for a request with paged results, repeat the call, specifying the offset parameter value, until there are no more results (indicated by the absence of next_offset).

Paging Metadata Examples:

The metadata response will look like these examples except where noted for an individual API endpoint.

This metadata information indicates that there are 951 total objects returned by that endpoint, and no offset or limit was specified so the response set defaulted to the first 100 objects:

{
    "metadata": {
        "next_offset": 100,
        "prev_offset": 0,
        "total_objects": 951
    }

This metadata information indicates that the request specified offset=500 limit=200, so the response set was objects 500-699:

{
    "metadata": {
        "next_offset": 700,
        "prev_offset": 300,
        "total_objects": 11318
    }

This metadata information indicates that there are 2342 total objects, and the request specified offset=2300 and used that endpoint's default limit of 100, so the response set was the end of the list (objects 2300-2342):

{
    "metadata": {
        "prev_offset": 2200,
        "total_objects": 2342
    }

Authentication

The API uses HTTP Basic Authentication to authenticate requests. Use your Duo application's integration key as the HTTP Username.

Generate the HTTP Password as an HMAC signature of the request. This will be different for each request and must be re-generated each time.

To construct the signature, first build an ASCII string from your request, using the following components:

Then concatenate these components with (line feed) newlines. For example:

Tue, 21 Aug 2012 17:29:18 -0000
POST
api-xxxxxxxx.duosecurity.com
/admin/v1/users
realname=First%20Last&username=root

GET requests also use this five-line format:

Tue, 21 Aug 2012 17:29:18 -0000
GET
api-xxxxxxxx.duosecurity.com
/admin/v1/users
username=root

Lastly, compute the HMAC-SHA1 of this canonical representation, using your Duo Admin API application's secret key as the HMAC key. Send this signature as hexadecimal ASCII (i.e. not raw binary data). Use HTTP Basic Authentication for the request, using your integration key as the username and the HMAC-SHA1 signature as the password. Signature validation is case-insensitive, so the signature may be upper or lowercase.

For example, here are the headers for the above POST request to api-XXXXXXXX.duosecurity.com/admin/v1/users, using DIWJ8X6AEYOR5OMC6TQ1 as the integration key and Zh5eGmUq9zpfQnyUIu5OL9iWoMMv5ZNmk3zLJ4Ep as the secret key:

Date: Tue, 21 Aug 2012 17:29:18 -0000
Authorization: Basic RElXSjhYNkFFWU9SNU9NQzZUUTE6NjVhZWJhZWZhNDBjOWYyMWI1NmYzYWExMTc1ZDE3ZGM4N2I1ZDM4NQ==
Host: api-XXXXXXXX.duosecurity.com
Content-Length: 35
Content-Type: application/x-www-form-urlencoded

Separate HTTP request header lines with CRLF newlines.

The following Python function can be used to construct the "Authorization" and "Date" headers:

import base64, email.utils, hmac, hashlib, urllib
  ​ ​
def sign(method, host, path, params, skey, ikey):
    """
    Return HTTP Basic Authentication ("Authorization" and "Date") headers.
    method, host, path: strings from request
    params: dict of request parameters
    skey: secret key
    ikey: integration key
    """
  ​
    # create canonical string
    now = email.utils.formatdate()
    canon = [now, method.upper(), host.lower(), path]
    args = []
    for key in sorted(params.keys()):
        val = params[key].encode("utf-8")
        args.append(
            '%s=%s' % (urllib.parse.
                       quote(key, '~'), urllib.parse.quote(val, '~')))
    canon.append('&'.join(args))
    canon = '\n'.join(canon)
  ​
    # sign canonical string
    sig = hmac.new(bytes(skey, encoding='utf-8'),
                   bytes(canon, encoding='utf-8'),
                   hashlib.sha1)
    auth = '%s:%s' % (ikey, sig.hexdigest())
  ​
    # return headers
    return {'Date': now, 'Authorization': 'Basic %s' % base64.b64encode(bytes(auth, encoding="utf-8")).decode()}

import base64, email, hmac, hashlib, urllib

def sign(method, host, path, params, skey, ikey):
    """
    Return HTTP Basic Authentication ("Authorization" and "Date") headers.
    method, host, path: strings from request
    params: dict of request parameters
    skey: secret key
    ikey: integration key
    """

    # create canonical string
    now = email.Utils.formatdate()
    canon = [now, method.upper(), host.lower(), path]
    args = []
    for key in sorted(params.keys()):
        val = params[key]
        if isinstance(val, unicode):
            val = val.encode("utf-8")
        args.append(
            '%s=%s' % (urllib.quote(key, '~'), urllib.quote(val, '~')))
    canon.append('&'.join(args))
    canon = '\n'.join(canon)

    # sign canonical string
    sig = hmac.new(skey, canon, hashlib.sha1)
    auth = '%s:%s' % (ikey, sig.hexdigest())

    # return headers
    return {'Date': now, 'Authorization': 'Basic %s' % base64.b64encode(auth)}

Users

Retrieve Users

Returns a paged list of users. To fetch all results, call repeatedly with the offset parameter as long as the result metadata has a next_offset value. If username is not provided, the list will contain all users. If username is provided, the list will either contain a single user (if a match was found) or no users. Requires "Grant read resource" API permission.

GET /admin/v1/users

Parameters

Use the paging parameters to change the number of results shown in a response or to retrieve additional results. See Response Paging for details.

Response Codes

Response Format

Example Response

{
  "stat": "OK",
  "response": [
    {
      "alias1": "joe.smith",
      "alias2": "jsmith@example.com",
      "alias3": null,
      "alias4": null,
      "aliases": {
        "alias1": "joe.smith",
        "alias2": "jsmith@example.com"
      },
      "created": 1489612729,
      "email": "jsmith@example.com",
      "firstname": "Joe",
      "groups": [
        {
        "desc": "People with hardware tokens",
        "group_id": "DGXXXXXXXXXXXXXXXXX",
        "mobile_otp_enabled": false,
        "name": "token_users",
        "push_enabled": false,
        "sms_enabled": false,
        "status": "Active",
        "voice_enabled": false  
        }
      ],
      "is_enrolled": true,
      "last_directory_sync": 1508789163,
      "last_login": 1343921403,
      "lastname": "Smith",
      "notes": "",
      "phones": [
        {
        "activated": true,
        "capabilities": [
          "auto",
          "push",
          "sms",
          "phone",
          "mobile_otp"
        ],
        "encrypted": "Encrypted",
        "extension": "",
        "fingerprint": "Configured",
        "last_seen": "2019-11-18T15:51:13",
        "model": "Apple iPhone 11 Pro",
        "name": "My iPhone",
        "number": "15555550100",
        "phone_id": "DPFZRS9FB0D46QFTM899",
        "platform": "Apple iOS",
        "postdelay": "0",
        "predelay": "0",
        "screenlock": "Locked",
        "sms_passcodes_sent": true,
        "tampered": "Not tampered",
        "type": "Mobile"
        }
      ],
      "realname": "Joe Smith",
      "status": "active",
      "tokens": [
        {
        "serial": "123456",
        "token_id": "DHIZ34ALBA2445ND4AI2",
        "type": "d1"
        }
      ],
      "u2ftokens": [],
      "user_id": "DU3RP9I2WOC59VZX672N",
      "username": "jsmith",
      "webauthncredentials": [
        {
        "credential_name": "Touch ID",
        "date_added": 1550685154,
        "label": "Touch ID",
        "webauthnkey": "WABFEOE007ZMV1QAZTRB"
        },
        {
        "credential_name": "YubiKey C",
        "date_added": 1550674764,
        "label": "Security Key",
        "webauthnkey": "WA4BD9AUVMSNUFWZGES4"
        }
      ],
    },
    {
      "alias1": "chris.jones",
      "alias2": "cjones@example.com",
      "alias3": null,
      "alias4": null,
      "aliases": {
        "alias1": "chris.jones",
        "alias2": "cjones@example.com"
      },
      "created": 1489612829,
      "email": "cjones@example.com",
      "firstname": "Chris",
      "groups": [],
      "is_enrolled": true,
      "last_directory_sync": null,
      "last_login": 1343821403,
      "lastname": "Jones",
      "notes": "",
      "phones": [
        {
        "activated": true,
        "capabilities": [
          "auto",
          "push",
          "sms",
          "phone",
          "mobile_otp"
        ],
        "encrypted": "Encrypted",
        "extension": "",
        "fingerprint": "Configured",
        "last_seen": "2019-11-19T15:51:13",
        "model": "Google Pixel 3",
        "name": "Pixel3",
        "number": "15555550200",
        "phone_id": "DPFZRS9FB0D46QFTP00L",
        "platform": "Google Android",
        "postdelay": "0",
        "predelay": "0",
        "screenlock": "Locked",
        "sms_passcodes_sent": false,
        "tampered": "Not tampered",
        "type": "Mobile"
        }
      ],
      "realname": "Chris Jones",
      "status": "active",
      "tokens": [],
      "u2ftokens": [],
      "user_id": "DU3RP9I2WOC59VZXJ05H",
      "username": "cjones",
      "webauthncredentials": [
        {
        "credential_name": "YubiKey",
        "date_added": 1550564764,
        "label": "yubikey",
        "webauthnkey": "WA4BD9AUVMSNUFWZJ05H"
        }
      ]
    }
  ]
}

Create User

Create a new user with the specified username. Requires "Grant write resource" API permission.

POST /admin/v1/users

Parameters

Response Codes

Response Format

Returns the new single user object. Refer to Retrieve Users for an explanation of the object's keys.

Example Response

{
  "stat": "OK",
  "response":{
    "alias1": null,
    "alias2": null,
    "alias3": null,
    "alias4": null,
    "aliases": {},
    "created": 1657222760,
    "email": "jperez@example.com",
    "firstname": "",
    "groups": [],
    "is_enrolled": false,
    "last_directory_sync": null,
    "last_login": null,
    "lastname": "",
    "notes": "",
    "phones": [],
    "realname": "Juan Perez",
    "status": "active",
    "tokens": [],
    "u2ftokens": [],
    "user_id": "DU0W79YFWZAJWJV6P00L",
    "username": "jperez",
    "webauthncredentials": []
  }
}

Retrieve User by ID

Return the single user with user_id. Requires "Grant read resource" API permission.

GET /admin/v1/users/[user_id]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Returns a single user object. Refer to Retrieve Users for an explanation of the object's keys.

Example Response

{
  "stat": "OK",
  "response": {
    "alias1": "joe.smith",
    "alias2": "jsmith@example.com",
    "alias3": null,
    "alias4": null,
    "aliases": {
      "alias1": "joe.smith",
      "alias2": "jsmith@example.com"
    },
    "created": 1489612729,
    "email": "jsmith@example.com",
    "firstname": "Joe",
    "groups": [
      {
      "desc": "People with hardware tokens",
      "group_id": "DGXXXXXXXXXXXXXXXXX",
      "mobile_otp_enabled": false,
      "name": "token_users",
      "push_enabled": false,
      "sms_enabled": false,
      "status": "Active",
      "voice_enabled": false  
      }
    ],
    "is_enrolled": true,
    "last_directory_sync": 1508789163,
    "last_login": 1343921403,
    "lastname": "Smith",
    "notes": "",
    "phones": [
      {
      "activated": true,
      "capabilities": [
        "auto",
        "push",
        "sms",
        "phone",
        "mobile_otp"
        ],
      "encrypted": "Encrypted",
      "extension": "",
      "fingerprint": "Configured",
      "last_seen": "2019-11-18T15:51:13",
      "model": "Apple iPhone 11 Pro",
      "name": "My iPhone",
      "number": "15555550100",
      "phone_id": "DPFZRS9FB0D46QFTM899",
      "platform": "Apple iOS",
      "postdelay": "0",
      "predelay": "0",
      "screenlock": "Locked",
      "sms_passcodes_sent": true,
      "tampered": "Not tampered",
      "type": "Mobile"
      }
    ],
    "realname": "Joe Smith",
    "status": "active",
    "tokens": [
      {
      "serial": "123456",
      "token_id": "DHIZ34ALBA2445ND4AI2",
      "type": "d1"
      }
    ],
    "u2ftokens": [],
    "user_id": "DU3RP9I2WOC59VZX672N",
    "username": "jsmith",
    "webauthncredentials": [
      {
      "credential_name": "Touch ID",
      "date_added": 1550685154,
      "label": "Touch ID",
      "webauthnkey": "WABFEOE007ZMV1QAZTRB"
      },
      {
      "credential_name": "YubiKey C",
      "date_added": 1550674764,
      "label": "Security Key",
      "webauthnkey": "WA4BD9AUVMSNUFWZGES4"
      }
    ],
  }
}

Modify User

Change the username, username aliases, full name, status, and/or notes section of the user with ID user_id. Requires "Grant write resource" API permission.

POST /admin/v1/users/[user_id]

Parameters

Response Codes

Response Format

Returns the modified single user object. Refer to Retrieve Users for an explanation of the object's keys.

Example Response

Same as Retrieve User by ID.

Delete User

Delete the user with ID user_id from the system. The API will not automatically delete phones associated with the user; remove them permanently with Delete Phone. This method returns 200 if the phone was found or if no such phone exists. Requires "Grant write resource" API permission.

Users deleted by the API do not get moved into the Trash view as "Pending Deletion" as they would if removed by directory sync, inactive user expiration, or interactively from the Duo Admin Panel, and therefore are not available for restoration. Users deleted via the API are immediately and permanently removed from Duo.

DELETE /admin/v1/users/[user_id]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Empty string.

Example Response

{
  "stat": "OK",
  "response": ""
}

Enroll User

Enroll a user with user name username and email address email and send them an enrollment email that expires after valid_secs seconds. Requires "Grant write resource" API permission.

POST /admin/v1/users/enroll

Parameters

Response Codes

Response Format

Single string (the enrollment code).

Example Response

{
  "stat": "OK",
  "response": "00d70e730b22cb66"
}

Create Bypass Codes for User

Clear all existing bypass codes for the user with ID user_id and return a list of count newly generated bypass codes, or specify codes that expire after valid_secs seconds, or reuse_count uses. Requires "Grant write resource" API permission.

Object limits: 100 bypass codes per user.

POST /admin/v1/users/[user_id]/bypass_codes

Parameters

Response Codes

Response Format

List of strings.

Example Response

{
  "stat": "OK",
  "response": [
    "407176182",
    "016931781",
    "338390347",
    "537828175",
    "006165274",
    "438680449",
    "877647224",
    "196167433",
    "719424708",
    "727559878"
  ]
}

Retrieve Bypass Codes by User ID

Returns a paged list of bypass code metadata associated with the user with ID user_id. To fetch all results, call repeatedly with the offset parameter as long as the result metadata has a next_offset value. Does not return the actual bypass codes. Requires "Grant read resource" API permission.

GET /admin/v1/users/[user_id]/bypass_codes

Parameters

Use the paging parameters to change the number of results shown in a response or to retrieve additional results. See Response Paging for details.

This API endpoint has no additional parameters.

Response Codes

Response Format

Example Response

{
  "stat": "OK",
  "response": [
    {
    "bypass_code_id": "DB2A9F0012RL54001FA3",
    "created": 1522260759,
    "expiration": 1522264359,
    "reuse_count": 1
    }
  ]
}

Retrieve Groups by User ID

Returns a paged list of groups associated with the user with ID user_id. To fetch all results, call repeatedly with the offset parameter as long as the result metadata has a next_offset value. Requires "Grant read resource" API permission.

GET /admin/v1/users/[user_id]/groups

Parameters

Use the paging parameters to change the number of results shown in a response or to retrieve additional results. See Response Paging for details.

This API endpoint has no additional parameters.

Response Codes

Response Format

Returns the groups for the user object. Refer to Retrieve Groups for an explanation of the object keys.

Example Response

{
  "stat": "OK",
  "response": [
    {
    "desc": "This is group A",
    "group_id": "DGXXXXXXXXXXXXXXXXXX",
    "mobile_otp_enabled": false,    
    "name": "Group A",
    "push_enabled": false,
    "sms_enabled": false,
    "status": "active",
    "voice_enabled": false
    },
    {
    "desc": "This is group B",
    "group_id": "DGXXXXXXXXXXXXXXXXXX",
    "mobile_otp_enabled": false,
    "name": "Group B (from Azure sync \"Acme Corp Azure AD\")"",
    "push_enabled": false,
    "sms_enabled": false,
    "status": "active",
    "voice_enabled": false
    }
  ]
}

Associate Group with User

Associate a group with ID group_id with the user with ID user_id. Requires "Grant write resource" API permission.

Object limits: 100 groups per user.

POST /admin/v1/users/[user_id]/groups

Parameters

Response Codes

Response Format

Empty string.

Example Response

{
  "stat": "OK",
  "response": ""
}

Disassociate Group from User

Disassociate a group from the user with ID user_id. This method will return 200 if the group was found or if no such group exists. Requires "Grant write resource" API permission.

DELETE /admin/v1/users/[user_id]/groups/[group_id]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Empty string.

Example Response

{
  "stat": "OK",
  "response": ""
}

Retrieve Phones by User ID

Returns a paged list of phones associated with the user with ID user_id. To fetch all results, call repeatedly with the offset parameter as long as the result metadata has a next_offset value. Requires "Grant read resource" API permission.

GET /admin/v1/users/[user_id]/phones

Parameters

Use the paging parameters to change the number of results shown in a response or to retrieve additional results. See Response Paging for details.

This API endpoint has no additional parameters.

Response Codes

Response Format

Same as for Retrieve Phones, except phones have no users attribute.

Example Response

{
  "stat": "OK",
  "response": [
    {
    "activated": false,
    "capabilities": [
      "sms",
      "phone",
      "push"
    ],
    "encrypted": "Encrypted",
    "extension": "",
    "fingerprint": "Configured",
    "last_seen": "2019-03-04T15:04:04",
    "model": "Google Pixel 2 Xl",
    "name": "",
    "number": "+15035550102",
    "phone_id": "DPFZRS9FB0D46QFTM890",
    "platform": "Google Android",
    "postdelay": "",
    "predelay": "",
    "screenlock": "Locked",
    "sms_passcodes_sent": true,
    "tampered": "Not tampered",
    "type": "Mobile"
    },
    {
    "activated": false,
    "capabilities": [
      "phone"
    ].
    "encrypted": "",
    "extension": "",
    "fingerprint": "",
    "last_seen": "",
    "model": "Unknown",
    "name": "",
    "number": "+15035550103",
    "phone_id": "DPFZRS9FB0D46QFTM891",
    "platform": "Unknown",
    "postdelay": "",
    "predelay": "",
    "screenlock": "",
    "sms_passcodes_sent": false,
    "tampered": "",
    "type": "Landline"
    }
  ]
}

Associate Phone with User

Associate a phone with the user with ID user_id. Requires "Grant write resource" API permission.

Object limits: 100 phones per user; 100 users per phone.

POST /admin/v1/users/[user_id]/phones

Parameters

Response Codes

Response Format

Empty string.

Example Response

{
  "stat": "OK",
  "response": ""
}

Disassociate Phone from User

Disassociate a phone from the user with ID user_id. The API will not automatically delete the phone after removing the last user association; remove it permanently with Delete Phone. This method returns 200 if the phone was found or if no such phone exists. Requires "Grant write resource" API permission.

DELETE /admin/v1/users/[user_id]/phones/[phone_id]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Empty string.

Example Response

{
  "stat": "OK",
  "response": ""
}

Retrieve Hardware Tokens by User ID

Returns a paged list of OTP hardware tokens associated with the user with ID user_id. To fetch all results, call repeatedly with the offset parameter as long as the result metadata has a next_offset value. Requires "Grant read resource" API permission.

GET /admin/v1/users/[user_id]/tokens

Parameters

Use the paging parameters to change the number of results shown in a response or to retrieve additional results. See Response Paging for details.

This API endpoint has no additional parameters.

Response Codes

Response Format

Same as for Retrieve Hardware Tokens, except hardware tokens have no admins or users attribute.

Example Response

{
  "stat": "OK",
  "response": [
    {
    "serial": "123456",
    "token_id": "DHEKH0JJIYC1LX3AZWO4",
    "totp_step": null,
    "type": "d1"
    },
    {
    "serial": "123457",
    "token_id": "DHUNT3ZVS3ACF8AEV2WG",
    "totp_step": null,
    "type": "d1"
    }
  ]
}

Associate Hardware Token with User

Associate a hardware token with the user with ID user_id. Requires "Grant write resource" API permission.

Object limits: 100 tokens per user.

POST /admin/v1/users/[user_id]/tokens

Parameters

Response Codes

Response Format

Empty string.

Example Response

{
  "stat": "OK",
  "response": ""
}

Disassociate Hardware Token from User

Disassociate a hardware token from the user with ID user_id. This method will return 200 if the hardware token was found or if no such hardware token exists. Requires "Grant write resource" API permission.

DELETE /admin/v1/users/[user_id]/tokens/[token_id]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Empty string.

Example Response

{
  "stat": "OK",
  "response": ""
}

Retrieve U2F Tokens by User ID

The U2F Tokens by User ID API endpoint /admin/v1/users/[user_id]/u2ftokens is deprecated as of February 2022. This API no longer allows listing all U2F tokens for a user. Requests to this endpoint now fail with the following response:

{
  "stat": "FAIL",
  "code": 40301,
  "message": "Access forbidden",
}

Retrieve WebAuthn Credentials by User ID

Returns a list of WebAuthn credentials associated with the user with ID user_id. Requires "Grant read resource" API permission.

GET /admin/v1/users/[user_id]/webauthncredentials

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Example Response

{
  "stat": "OK",
  "response": [
    {
    "credential_name": "YubiKey 5",
    "date_added": 1550674764,
    "label": "Security Key",
    "webauthnkey": "WA4ED9AUVMSWUF00KES4"
    }
  ],
}

Synchronize User from Directory

Initiate a sync to create, update, or mark for deletion the user specified by username against the directory specified by the directory_key. The directory_key for a directory can be found by navigating to Users → Directory Sync in the Duo Admin Panel, and then clicking on the configured directory. Learn more about syncing individual users from Active Directory, OpenLDAP, or Azure Active Directory. Requires "Grant write resource" API permission.

POST /admin/v1/users/directorysync/[directory_key]/syncuser

Parameters

Response Codes

Response Format

Returns the single synced user object with an additional message stating the user synced successfully. Refer to Retrieve Users for an explanation of the object's keys.

Example Response

{
  "stat": "OK",
  "response":{
    "message": "User wwu synced successfully.",
    "user": {
      "alias1": "wwu@example.com",
      "alias2": null,
      "alias3": null,
      "alias4": null,
      "aliases": {
        "alias1": "wwu@example.com"
      },
      "created": 1553271753,
      "email": "",
      "firstname": "Wang",
      "groups": [
        {
        "desc": "",
        "group_id": "DGKAT4WCV306FOONUNIC",
        "mobile_otp_enabled": false,
        "name": "Duo Users (from AD sync \"Acme Sync")",
        "push_enabled": false,
        "sms_enabled": false,
        "status": "Active",
        "voice_enabled": false
        }
      ],
      "is_enrolled": true,
      "last_directory_sync": 1657227493,
      "last_login": 1553271773,
      "lastname": "Wu",
      "notes": "",
      "phones": [],
      "realname": "Wang Wu",
      "status": "active",
      "tokens": [],
      "u2ftokens": [],
      "user_id": "DUYGKDZI47WEJIIXU6QI",
      "username": "wwu",
      "webauthncredentials": [
        {
        "credential_name": "YubiKey",
        "date_added": 1553271760,
        "label": "Security Key",
        "webauthnkey": "WAYRDI633R1219HM1BN7"
        }
      ]
    }
  }
}

Groups

Per-user Group Operations

See Retrieve Groups by User ID, Associate Group with User, and Disassociate Group from User.

Retrieve Groups

Returns a paged list of groups. To fetch all results, call repeatedly with the offset parameter as long as the result metadata has a next_offset value. Requires "Grant read resource" API permission.

GET /admin/v1/groups

Parameters

Use the paging parameters to change the number of results shown in a response or to retrieve additional results. See Response Paging for details.

This API endpoint has no additional parameters.

Response Codes

Response Format

Example Response

{
  "stat": "OK",
  "response": [
    {
    "desc": "This is group A",
    "group_id": "DGXXXXXXXXXXXXXXXXXX",
    "mobile_otp_enabled": false,    
    "name": "Group A",
    "push_enabled": false,
    "sms_enabled": false,
    "status": "Active",
    "voice_enabled": false
    },
    {
    "desc": "This is group B",
    "group_id": "DGXXXXXXXXXXXXXXXXXX",
    "mobile_otp_enabled": false,
    "name": "Group B (from Azure sync \"Acme Corp Azure AD\")"",
    "push_enabled": false,
    "sms_enabled": false,
    "status": "Active",
    "voice_enabled": false
    }
  ],
}

Create Group

Create a new group. Requires "Grant write resource" API permission.

POST /admin/v1/groups

Parameters

Response Codes

Response Format

Example Response

{
  "stat": "OK",
  "response": {
    "desc": "This is an example group",
    "group_id": "DGXXXXXXXXXXXXXXXXXX",
    "mobile_otp_enabled": false,
    "name": "Example Group",
    "push_enabled": false,
    "sms_enabled": false,
    "status": "active",
    "voice_enabled": false
  }
}

Get Group Info

Retrieve information about a group. Note that this output does not include a list of group members. To retrieve group members, use /admin/v2/groups/[group_id]/users. Requires "Grant read resource" API permission.

GET /admin/v2/groups/[group_id]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Example Response

{
  "stat": "OK",
  "response": {
    "desc": "Group description",
    "group_id": "DGXXXXXXXXXXXXXXXXXX",
    "mobile_otp_enabled": false,
    "name": "Group Name",
    "push_enabled": false,
    "sms_enabled": false,
    "status": "active",
    "voice_enabled": false
  }
}

Returns a paged list of members of a specified group. To fetch all results, call repeatedly with the offset parameter as long as the result metadata has a next_offset value.

GET /admin/v2/groups/[group_id]/users

Parameters

Use the paging parameters to change the number of results shown in a response or to retrieve additional results. See Response Paging for details.

Response Codes

Response Format

Example Response

{
  "stat": "OK",
  "metadata": {
      "total_objects": 4
  },
  "response": [
      {
          "user_id": "DU1XXXXXXXXXXXXXXXXX",
          "username": "user1"
      },
      {
          "user_id": "DU2XXXXXXXXXXXXXXXXX",
          "username": "user2"
      },
      {
          "user_id": "DU3XXXXXXXXXXXXXXXXX",
          "username": "user3"
      }
  ]
}

Get Group Info (Legacy v1)

The v1 groups endpoint limits the response to the first 4,000 group members. Consider migrating to the v2 endpoint. Requires "Grant read resource" API permission.

GET /admin/v1/groups/[group_id]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Example Response

{
  "stat": "OK",
  "response": {
    "desc": "Group description",
    "group_id": "DGXXXXXXXXXXXXXXXXXX",
    "mobile_otp_enabled": false,
    "name": "Group Name",
    "push_enabled": false,
    "sms_enabled": false,
    "status": "active",
    "users": [
      {
      "user_id": "DU1XXXXXXXXXXXXXXXXX",
      "username": "User A"
      },
      {
      "user_id": "DU2XXXXXXXXXXXXXXXXX",
      "username": "User B"
      }
    ],
    "voice_enabled": false
  }
}

Update Group

Update information about a group. Requires "Grant write resource" API permission.

POST /admin/v1/groups/[group_id]

Parameters

Response Codes

Response Format

Example Response

{
  "stat": "OK",
  "response": {
    "desc": "Group description",
    "group_id": "DGXXXXXXXXXXXXXXXXXX",
    "mobile_otp_enabled": false,
    "name": "Group Name",
    "push_enabled": false,
    "sms_enabled": false,
    "status": "active",
    "voice_enabled": false
  }
}

Delete Group

Delete a group. Requires "Grant write resource" API permission.

DELETE /admin/v1/groups/[group_id]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

This API endpoint has no

Example Response

{
  "response": "",
  "stat": "OK"
}

Phones

Per-user Phone Operations

See Retrieve Phones by User ID, Associate Phone with User, and Disassociate Phone from User.

Retrieve Phones

Returns a paged list of phones. To fetch all results, call repeatedly with the offset parameter as long as the result metadata has a next_offset value. If no number or extension parameters are provided, the list will contain all phones. Otherwise, the list will contain either single phone (if a match was found), or no phones. Requires "Grant read resource" API permission.

GET /admin/v1/phones

Parameters

Use the paging parameters to change the number of results shown in a response or to retrieve additional results. See Response Paging for details.

Response Codes

Response Format

Example Response

{
  "stat": "OK",
  "response": [
    {
      "activated": true,
      "capabilities": [
        "auto",
        "push",
        "sms",
        "phone",
        "mobile_otp"
      ],
      "encrypted": "Encrypted",
      "extension": "",
      "fingerprint": "Configured",
      "last_seen": "2019-11-18T15:51:13",
      "model": "Apple iPhone 11 Pro",
      "name": "My iPhone",
      "number": "15555550100",
      "phone_id": "DPFZRS9FB0D46QFTM899",
      "platform": "Apple iOS",
      "postdelay": "",
      "predelay": "",
      "screenlock": "Locked",
      "sms_passcodes_sent": false,
      "tampered": "Not tampered",
      "type": "Mobile",
      "users": [
        {
        "alias1": "joe.smith",
        "alias2": "jsmith@example.com"
        "alias3": null,
        "alias4": null,
        "aliases": {
          "alias1": "joe.smith",
          "alias2": "jsmith@example.com"
        },
        "created": 1509717442,
        "email": "jsmith@example.com",
        "firstname": "Joe",
        "is_enrolled": false,
        "last_directory_sync": null,
        "last_login": 1474399627,
        "lastname": "Smith",
        "notes": "",
        "realname": "Joe Smith",
        "status": "active",
        "user_id": "DUJZ2U4L80HT45MQ4EOQ",
        "username": "jsmith"
        }
      ]
    },
    {
      "activated": true,
      "capabilities": [
        "auto",
        "push",
        "sms",
        "phone",
        "mobile_otp"
      ],
      "encrypted": "Encrypted",
      "extension": "",
      "fingerprint": "Configured",
      "last_seen": "2019-11-19T15:51:13",
      "model": "Google Pixel 3",
      "name": "Pixel3",
      "number": "15555550200",
      "phone_id": "DPFZRS9FB0D46QFTP00L",
      "platform": "Google Android",
      "postdelay": "0",
      "predelay": "0",
      "screenlock": "Locked",
      "sms_passcodes_sent": false,
      "tampered": "Not tampered",
      "type": "Mobile"
      "users": [
        {
        "alias1": "chris.jones",
        "alias2": "cjones@example.com",
        "alias3": null,
        "alias4": null,
        "aliases": {
          "alias1": "chris.jones",
          "alias2": "cjones@example.com"
        },
        "created": 1489612829,
        "email": "cjones@example.com",
        "firstname": "Chris",
        "groups": [],
        "is_enrolled": true,
        "last_directory_sync": null,
        "last_login": 1343821403,
        "lastname": "Jones",
        "notes": "",
        "realname": "Chris Jones",
        "status": "active",
        "user_id": "DU3RP9I2WOC59VZXJ05H",
        "username": "cjones"
        }
      ]
    }
  ]
}

Create Phone

Create a new phone with a specified phone number or other parameters. Requires "Grant write resource" API permission.

POST /admin/v1/phones

Parameters

Response Codes

Response Format

Returns the single phone object created. Refer to Retrieve Phones for an explanation of the object's keys.

Example Response

{
  "stat": "OK",
  "response":{
    "activated": false,
    "capabilities": [],
    "extension": "",
    "last_seen": "",
    "model": "Unknown",
    "name": "",
    "number": "15555551111",
    "phone_id": "DP1D9EZJNZNQXJ05HKJB",
    "platform": "Generic Smartphone",
    "postdelay": "",
    "predelay": "",
    "sms_passcodes_sent": false,
    "type": "Unknown",
    "users": []
    }
}

Retrieve Phone by ID

Return the single phone with phone_id. Requires "Grant read resource" API permission.

GET /admin/v1/phones/[phone_id]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Returns a single phone object. Refer to Retrieve Phones for an explanation of the object's keys.

Example Response

{
  "stat": "OK",
  "response": {
    "activated": true,
    "capabilities": [
      "auto",
      "push",
      "sms",
      "phone",
      "mobile_otp"
    ],
    "encrypted": "Encrypted",
    "extension": "",
    "fingerprint": "Configured",
    "last_seen": "2019-03-04T15:04:04",
    "model": "Google Pixel 2 Xl",
    "name": "",
    "number": "+15555550100",
    "phone_id": "DPFZRS9FB0D46QFTM899",
    "platform": "Google Android",
    "postdelay": "",
    "predelay": "",
    "screenlock": "Locked",
    "sms_passcodes_sent": false,
    "tampered": "Not tampered",
    "type": "Mobile",
    "users": [
      {
        "alias1": "joe.smith",
        "alias2": "jsmith@example.com"
        "alias3": null,
        "alias4": null,
        "aliases": {
          "alias1": "joe.smith",
          "alias2": "jsmith@example.com"
        },
        "created": 1509717442,
        "email": "jsmith@example.com",
        "firstname": "Joe",
        "is_enrolled": false,
        "last_directory_sync": null,
        "last_login": 1474399627,
        "lastname": "Smith",
        "notes": "",
        "realname": "Joe Smith",
        "status": "active",
        "user_id": "DUJZ2U4L80HT45MQ4EOQ",
        "username": "jsmith",
      }
    ]
  }
}

Modify Phone

Change the details of the phone with ID phone_id. Requires "Grant write resource" API permission.

POST /admin/v1/phones/[phone_id]

Parameters

Response Codes

Response Format

Returns the modified single phone object. Refer to Retrieve Phones for an explanation of the object's keys.

Example Response

Same as Retrieve Phone by ID.

Delete Phone

Delete the phone with ID phone_id from the system. Requires "Grant write resource" API permission.

DELETE /admin/v1/phones/[phone_id]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Empty string.

Example Response

{
  "stat": "OK",
  "response": ""
}

Create Activation Code

Generate a Duo Mobile activation code. This method will fail if the phone's type or platform are Unknown. Requires "Grant write resource" API permission.

POST /admin/v1/phones/[phone_id]/activation_url

Parameters

Response Codes

Response Format

Example Response

{
  "stat": "OK",
  "response": {
    "activation_barcode": "https://api-abcdefgh.duosecurity.com/frame/qr?value=duo%3A%2F%2Factivation-code",
    "activation_url": "https://m-abcdefgh.duosecurity.com/iphone/7dmi4Oowz5g3J47FARLs",
    "valid_secs": 3600
  }
}

Send Activation Code via SMS

Generate a Duo Mobile activation code and send it to the phone via SMS, optionally sending an additional message with a URL to install Duo Mobile. This method will fail if the phone's type or platform are Unknown. Requires "Grant write resource" API permission.

POST /admin/v1/phones/[phone_id]/send_sms_activation

Parameters

Response Codes

Response Format

Example Response

{
  "stat": "OK",
  "response": {
    "activation_barcode": "https://api-abcdef/frame/qr\?*value=duo%3A%2F%2FXoudqt8a9F-Jqt",
    "activation_msg": "To activate the Duo Mobile app, click this link: https://m-eval.duosecurity.com/iphone/7dmi4Oowz5g3J47FARLs",
    "installation_msg": "Welcome to Duo! To install the Duo Mobile app, click this link: http://m-eval.duosecurity.com",
    "valid_secs": 3600
  }
}

Send Installation URL via SMS

Send a message via SMS describing how to install Duo Mobile. This method will fail if the phone's type or platform are Unknown. Requires "Grant write resource" API permission.

POST /admin/v1/phones/[phone_id]/send_sms_installation

Parameters

Response Codes

Response Format

Example Response

{
  "stat": "OK",
  "response": {
    "installation_msg": "Welcome to Duo! To install the Duo Mobile app, click this link: http://m-abcdef.duosecurity.com"
  }
}

Send Passcodes via SMS

Generate a new batch of SMS passcodes send them to the phone in a single SMS message. Requires "Grant write resource" API permission.

POST /admin/v1/phones/[phone_id]/send_sms_passcodes

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Empty string.

Example Response

{
  "stat": "OK",
  "response": ""
}

Tokens

Per-user Token Operations

See Retrieve Hardware Tokens by User ID, Associate Hardware Token with User, and Disassociate Hardware Token from User.

Per-administrator Token Operations

See Retrieve Administrator by ID, Create Administrator, and Modify Administrator. Note that token information retrieved from the Tokens endpoint does not include information about administrators associated with a token, just end-users.

Retrieve Hardware Tokens

Returns a paged list of OTP hardware tokens. To fetch all results, call repeatedly with the offset parameter as long as the result metadata has a next_offset value. If no type and serial parameters are provided, the list will contain all hardware tokens. Otherwise, the list will contain either a single hardware token (if a match was found) or no hardware tokens. Requires "Grant read resource" API permission.

GET /admin/v1/tokens

Parameters

Use the paging parameters to change the number of results shown in a response or to retrieve additional results. See Response Paging for details.

Response Codes

Response Format

Example Response

{
  "stat": "OK",
  "response": [
    {
      "admins": [
        {
        "admin_id": "DESMP00LIAKRJPD4DZSH",
        "created": 1648143942,
        "email": "jsmith@example.com",
        "last_login": 1343921403,
        "name": "Joe Smith"
        }
      ],  
      "serial": "123456",
      "token_id": "DHIZ34ALBA2445ND4AI2",
      "totp_step": null,
      "type": "d1",
      "users": [
        {
        "alias1": "joe.smith",
        "alias2": "jsmith@example.com",
        "alias3": null,
        "alias4": null,
        "aliases": {
          "alias1": "joe.smith",
          "alias2": "jsmith@example.com"
        },
        "created": 1343621411,
        "email": "jsmith@example.com",
        "is_enrolled": true,
        "last_directory_sync": null,
        "last_login": 1343921403,
        "notes": "",
        "realname": "Joe Smith",
        "status": "active",
        "user_id": "DUJZ2U4L80HT45MQ4EOQ",
        "username": "jsmith"
        }
      ]
    }
  ]
}

Create Hardware Token

Create a new hardware token. Requires "Grant write resource" API permission.

POST /admin/v1/tokens

Parameters

Response Codes

Response Format

Returns the created single token object. Refer to Retrieve Hardware Tokens for an explanation of the object's keys.

Example Response

{
  "stat": "OK",
  "response": {
    "admins": [],
    "serial": "123456",
    "token_id": "DH6G5OP9NU4C5UP00LMN",
    "totp_step": null,
    "type": "h6",
    "users": []
  }
}

Retrieve Hardware Token by ID

Return the single hardware token with token_id. Requires "Grant read resource" API permission.

GET /admin/v1/tokens/[token_id]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Returns a single user object. Refer to Retrieve Hardware Tokens for an explanation of the object's keys.

Example Response

{
  "stat": "OK",
  "response": {
    "admins": [
      {
      "admin_id": "DESMP00LIAKRJPD4DZSH",
      "created": 1648143942,
      "email": "jsmith@example.com",
      "last_login": 1343921403,
      "name": "Joe Smith"
      }
    ],  
    "serial": "123456",
    "token_id": "DHIZ34ALBA2445ND4AI2",
    "totp_step": null,
    "type": "d1",
    "users": [
      {
      "alias1": "joe.smith",
      "alias2": "jsmith@example.com",
      "alias3": null,
      "alias4": null,
      "aliases": {
          "alias1": "joe.smith",
          "alias2": "jsmith@example.com"
      },
      "created": 1343621411,
      "email": "jsmith@example.com",
      "is_enrolled": true,
      "last_directory_sync": null,
      "last_login": 1343921403,
      "notes": "",
      "realname": "Joe Smith",
      "status": "active",
      "user_id": "DUJZ2U4L80HT45MQ4EOQ",
      "username": "jsmith"
      }
    ]
  }
}

Resync Hardware Token

Resynchronize the hardware token with ID token_id by providing three successive codes from the token. Only HOTP and Duo-D100 tokens can be resynchronized. YubiKey tokens operating in their native AES mode do not need resynchronization. Requires "Grant write resource" API permission.

POST /admin/v1/tokens/[token_id]/resync

Parameters

Response Codes

Response Format

Empty string.

Example Response

{
  "stat": "OK",
  "response": ""
}

Delete Hardware Token

Delete the hardware token with ID token_id from the system. Requires "Grant write resource" API permission.

DELETE /admin/v1/tokens/[token_id]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Empty string.

Example Response

{
  "stat": "OK",
  "response": ""
}

U2F Tokens

The U2F Tokens API endpoint /admin/v1/u2ftokens is deprecated as of February 2022. This API no longer allows listing all U2F tokens or deletion of U2F tokens. Requests to this endpoint now fail with the following response:

{
  "stat": "FAIL",
  "code": 40301,
  "message": "Access forbidden",
}

Per-user U2F Token Operations

See Retrieve U2F Tokens by User ID.

WebAuthn Credentials

Per-user WebAuthn Credential Operations

See Retrieve WebAuthn Credentials by User ID.

Retrieve WebAuthn Credentials

Returns a paged list of all registered WebAuthn credentials. To fetch all results, call repeatedly with the offset parameter as long as the result metadata has a next_offset value. Requires "Grant read resource" API permission.

GET /admin/v1/webauthncredentials

Parameters

Use the paging parameters to change the number of results shown in a response or to retrieve additional results. See Response Paging for details.

This API endpoint has no additional parameters.

Response Codes

Response Format

Example Response

{
  "stat": "OK",
  "response": [
    {
      "credential_name": "YubiKey",
      "date_added": 1550674764,
      "label": "Security Key",
      "user": {
        "alias1": "joe.smith",
        "alias2": "jsmith@example.com",
        "alias3": null,
        "alias4": null,
        "aliases": {
            "alias1": "joe.smith",
            "alias2": "jsmith@example.com"
        },
        "created": 1384275337,
        "email": "jsmith@example.com",
        "firstname": Joe,
        "is_enrolled": true,
        "last_directory_sync": 1384275337,
        "last_login": 1514922986,
        "lastname": Smith,
        "notes": "",
        "realname": "Joe Smith",
        "status": "active",
        "user_id": "DU3RP9I2WOC59VZX672N",
        "username": "jsmith"
      }
    "webauthnkey": "WA4ED9AUVMSWUF00KES4"
    }
  ]
}

Retrieve WebAuthn Credentials by Key

Return the single WebAuthn credential with webauthnkey. Requires "Grant read resource" API permission.

GET /admin/v1/webauthncredentials/[webauthnkey]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Returns a single WebAuthn credential object. Refer to Retrieve WebAuthn Credentials for an explanation of the object's keys.

Example Response

{
  "stat": "OK",
  "response": {
      "credential_name": "YubiKey",
      "date_added": 1550674764,
      "label": "Security Key",
      "user": {
        "alias1": "joe.smith",
        "alias2": "jsmith@example.com",
        "alias3": null,
        "alias4": null,
        "aliases": {
            "alias1": "joe.smith",
            "alias2": "jsmith@example.com"
        },
        "created": 1384275337,
        "email": "jsmith@example.com",
        "firstname": Joe,
        "is_enrolled": true,
        "last_directory_sync": 1384275337,
        "last_login": 1514922986,
        "lastname": Smith,
        "notes": "",
        "realname": "Joe Smith",
        "status": "active",
        "user_id": "DU3RP9I2WOC59VZX672N",
        "username": "jsmith"
      }
    }
    "webauthnkey": "WA4ED9AUVMSWUF00KES4"
  }
}

Delete WebAuthn Credential

Delete the WebAuthn credential with key webauthnkey from the system. Requires "Grant write resource" API permission.

DELETE /admin/v1/webauthncredentials/[webauthnkey]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Empty string.

Example Response

{
  "stat": "OK",
  "response": ""
}

Bypass Codes

Per-user Bypass Code Operations

See Create Bypass Codes for User and Retrieve Bypass Codes by User ID.

Retrieve Bypass Codes

Returns a paged list of information about all bypass codes. To fetch all results, call repeatedly with the offset parameter as long as the result metadata has a next_offset value. Output does not include the actual bypass codes. Requires "Grant read resource" API permission.

GET /admin/v1/bypass_codes

Parameters

Use the paging parameters to change the number of results shown in a response or to retrieve additional results. See Response Paging for details.

This API endpoint has no additional parameters.

Response Codes

Response Format

Example Response

{
  "stat": "OK",
  "response": [
    {
    "bypass_code_id": "DB2A9F0012RL54001FA3",
    "created": 1522260759,
    "expiration": 1522264359,
    "reuse_count": 1,
    "user": {
      "alias1": "joe.smith",
      "alias2": "jsmith@example.com",
      "alias3": null,
      "alias4": null,
      "aliases": {
        "alias1": "joe.smith",
        "alias2": "jsmith@example.com"
      },
      "created": 1384275337,
      "email": "jsmith@example.com",
      "firstname": Joe,
      "is_enrolled": true,
      "last_directory_sync": 1384275337,
      "last_login": 1514922986,
      "lastname": Smith,
      "notes": "",
      "realname": "Joe Smith",
      "status": "active",
      "user_id": "DU3RP9I2WOC59VZX672N",
      "username": "jsmith"
    }
  ]
}

Retrieve Bypass Code by ID

Return information about a single bypass code with bypass_code_id. Output does not include the actual bypass code. Requires "Grant read resource" API permission.

GET /admin/v1/bypass_codes/[bypass_code_id]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Returns a single bypass code object. Refer to Retrieve Bypass Codes for an explanation of the object's keys.

Example Response

{
  "stat": "OK",
  "response": {
    "bypass_code_id": "DB2A9F0012RL54001FA3",
    "created": 1522260759,
    "expiration": 1522264359,
    "reuse_count": 1,
    "user": {
      "alias1": "joe.smith",
      "alias2": "jsmith@example.com",
      "alias3": null,
      "alias4": null,
      "aliases": {
        "alias1": "joe.smith",
        "alias2": "jsmith@example.com"
      },
      "created": 1384275337,
      "email": "jsmith@example.com",
      "firstname": Joe,
      "is_enrolled": true,
      "last_directory_sync": 1384275337,
      "last_login": 1514922986,
      "lastname": Smith,
      "notes": "",
      "realname": "Joe Smith",
      "status": "active",
      "user_id": "DU3RP9I2WOC59VZX672N",
      "username": "jsmith"
    }
  }
}

Delete Bypass Code

Delete the bypass code with ID bypass_code_id from the system. Requires "Grant write resource" API permission.

DELETE /admin/v1/bypass_codes/[bypass_code_id]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Empty string.

Example Response

{
  "stat": "OK",
  "response": ""
}

Integrations

This API cannot view or manage Duo Single Sign-On applications.

Retrieve Integrations

Returns a paged list of integrations. To fetch all results, call repeatedly with the offset parameter as long as the result metadata has a next_offset value. Requires "Grant read resource" API permission.

GET /admin/v1/integrations

Parameters

Use the paging parameters to change the number of results shown in a response or to retrieve additional results. See Response Paging for details.

This API endpoint has no additional parameters.

Response Codes

Response Format

Example Response

{
  "stat": "OK",
  "response": [
    {
      "adminapi_admins": 0,
      "adminapi_info": 0,
      "adminapi_integrations": 0,
      "adminapi_read_log": 0,
      "adminapi_read_resource": 0,
      "adminapi_settings": 0,
      "adminapi_write_resource": 0,
      "enroll_policy": "",
      "frameless_auth_prompt_enabled": 1,
      "greeting": "Welcome to Duo.",
      "groups_allowed": [],
      "integration_key": "DIRWIH0ZZPV4G88B37VQ",
      "ip_whitelist": [],
      "ip_whitelist_enroll_policy": "",
      "name": "Web Application",
      "notes": "",
      "policy_key": "POHSLA8SP00LABDAD98Y",
      "prompt_v4_enabled": 1,
      "secret_key": "QO4ZLqQVRIOZYkHfdPDORfcNf8LeXIbCWwHazY7",
      "self_service_allowed": false,
      "trusted_device_days": 0,
      "type": "websdk",
      "username_normalization_policy": "None"
    },
    {
      "adminapi_admins": 0,
      "adminapi_info": 0,
      "adminapi_integrations": 0,
      "adminapi_read_log": 1,
      "adminapi_read_resource": 0,
      "adminapi_settings": 0,
      "adminapi_write_resource": 0,
      "enroll_policy": "",
      "greeting": "Welcome to Duo.",
      "groups_allowed": [],
      "integration_key": "DIRWIH0ZZPV4GJ05H7VQ",
      "name": "Admin API",
      "networks_for_api_access": "",
      "notes": "",
      "secret_key": "QO4ZLqQVRIOZYkHfdPDORj05h8LeXIbCWwHazY7",
      "self_service_allowed": false,
      "type": "adminapi",
      "username_normalization_policy": "None"
    }
  ]
}

Create Integration

Create a new integration. The new integration key and secret key are randomly generated and returned in the response. Requires "Grant applications" API permission.

POST /admin/v1/integrations

Parameters

Response Codes

Response Format

Returns the created single integration object. Refer to Retrieve Integrations for an explanation of the object's keys.

Example Response

Same as Retrieve Integration by Integration Key.

Retrieve Integration by Integration Key

Return the single integration with integration_key. Requires "Grant read resource" API permission.

GET /admin/v1/integrations/[integration_key]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Returns the single integration object. Refer to Retrieve Integrations for an explanation of the object's keys.

Example Response

{
  "stat": "OK",
  "response": {
    "adminapi_admins": 0,
    "adminapi_info": 0,
    "adminapi_integrations": 0,
    "adminapi_read_log": 0,
    "adminapi_read_resource": 0,
    "adminapi_settings": 0,
    "adminapi_write_resource": 0,
    "enroll_policy": "",
    "frameless_auth_prompt_enabled": 1,
    "greeting": "Welcome to Duo.",
    "groups_allowed": [],
    "integration_key": "DIRWIH0ZZPV4G88B37VQ",
    "ip_whitelist": [],
    "ip_whitelist_enroll_policy": "",
    "name": "Web Application",
    "notes": "",
    "policy_key": "POHSL88SP00LABDAD98Y",
    "prompt_v4_enabled": 1,
    "secret_key": "QO4ZLqQVRIOZYkHfdPDORfcNf8LeXIbCWwHazY7",
    "self_service_allowed": false,
    "trusted_device_days": 0,
    "type": "websdk",
    "username_normalization_policy": "None"
  }
}

Modify Integration

Change the name, enrollment policy, greeting, and/or notes of the integration with integration key integration_key, or reset its secret key. When modifying an Admin API integration permissions can also be added or removed. Requires "Grant applications" API permission.

POST /admin/v1/integrations/[integration_key]

Parameters

Response Codes

Response Format

Returns the modified single integration object. Refer to Retrieve Integrations for an explanation of the object's keys.

Example Response

Same as Retrieve Integration by Integration Key.

Delete Integration

Delete the integration with integration_key from the system. Attempting to delete the Admin API integration whose secret key is used to sign this request will return an error. Requires "Grant applications" API permission.

DELETE /admin/v1/integrations/[integration_key]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Empty string.

Example Response

{
  "stat": "OK",
  "response": ""
}

Endpoints

Retrieve Endpoints

Returns a paged list of endpoints. To fetch all results, call repeatedly with the offset parameter as long as the result metadata has a next_offset value. When no limit is specified the response is limited to 100 results. Requires "Grant read resource" API permission.

Information for a given endpoint is purged after 30 days of inactivity.

Endpoint information retrievable by Duo Beyond and Duo Access customers. In addition, some response information is available only with Duo Beyond.

GET /admin/v1/endpoints

Parameters

Use the paging parameters to change the number of results shown in a response or to retrieve additional results. See Response Paging for details.

This API endpoint has no additional parameters.

Response Codes

Response Format

Example Response

Example response for a Duo Beyond plan customer

{
  "stat": "OK",
  "response": [{
        "browsers": [{
            "browser_family": "Chrome",
            "browser_version": "91.0.4472.77",
            "flash_version": "uninstalled",
            "java_version": "uninstalled",
            "last_used": 1624451420
        },
        {
            "browser_family": "Safari",
            "browser_version": "14.1",
            "flash_version": "uninstalled",
            "java_version": "uninstalled",
            "last_used": 1624457297
        }],
        "computer_sid": "",
        "cpu_id": "",
        "device_id": "",
        "device_identifier": "3FA47335-1976-3BED-8286-D3F1ABCDEA13",
        "device_identifier_type": "hardware_uuid",
        "device_name": "ejmac",
        "device_udid": "",
        "device_username": "mba22915\u00e2\u0080\u0099s MacBook Air/mba22915",
        "device_username_type": "os_username",
        "disk_encryption_status": "On",
        "domain_sid": "",
        "email": "ejennings@example.com",
        "epkey": "EP18JX1A10AB102M2T2X",
        "firewall_status": "On",
        "hardware_uuid": "3FA47335-1976-3BED-8286-D3F1ABCDEA13",
        "health_app_client_version": "2.13.1.0",
        "health_data_last_collected": 1624451421,
        "last_updated": 1624451420,
        "machine_guid": "",
        "model": "",
        "os_build": "19H1030",
        "os_family": "Mac OS X",
        "os_version": "10.11.7",
        "password_status": "Set",
        "security_agents": [{
            "security_agent": "Cisco AMP for Endpoints",
            "version": "10.1.2.3",
        }],
        "trusted_endpoint": "yes",
        "type": "",
        "username": "ejennings"
    },
    {
        "browsers": [{
        {
            "browser_family": "Mobile Safari",
            "browser_version": "9.0",
            "flash_version": "uninstalled",
            "java_version": "uninstalled"
        }],
        "computer_sid": "",
        "cpu_id": "",
        "device_id": "",
        "device_identifier": "",
        "device_identifier_type": "",
        "device_name": "",
        "device_udid": "",
        "device_username": "",
        "device_username_type": "",
        "disk_encryption_status": "Unknown",
        "domain_sid": "",
        "email": "mhanson@example.com",
        "epkey": "EP65MWZWXA10AB1027TQ",
        "firewall_status": "Unknown",
        "hardware_uuid": "",
        "health_app_client_version": "",
        "health_data_last_collected": "",
        "last_updated": 1622036309,
        "machine_guid": "",
        "model": "iPhone",
        "os_build": "",
        "os_family": "iOS",
        "os_version": "14.5.1",
        "password_status": "Unknown",
        "security_agents": [],
        "trusted_endpoint": "unknown",
        "type": "",
        "username": "mhanson"
    }],
}

Retrieve Endpoint by ID

Return information for an individual endpoint with epkey. Requires "Grant read resource" API permission.

Some response information available for Duo Beyond customers only.

GET /admin/v1/endpoints/[epkey]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Same as Retrieve Endpoints.

Example Response

Example response for a Duo Access plan customer

{
  "stat": "OK",
  "response": {
        "browsers": [{
            "browser_family": "Edge Chromium",
            "browser_version": "91.0.864.54",
            "flash_version": "uninstalled",
            "java_version": "uninstalled",
            "last_used": 1624459875
        }],
        "computer_sid": "S-1-5-21-3284820969-3957662392-1842130629",
        "cpu_id": "561699bcbac7533644465b4f16637adf5870773b571f6d5b90bbfaeb2f0ba568",
        "device_identifier": "561699bcbac7533644465b4f16637adf5870773b571f6d5b90bbfaeb2f0ba568",
        "device_identifier_type": "hardware_serial",
        "device_name": "AMOSSPC",
        "disk_encryption_status": "Off",
        "domain_sid": "",
        "email": "",
        "epkey": "EPQC0C77F6MLXBCXCSWP",
        "firewall_status": "On",
        "hardware_uuid": "",
        "health_app_client_version": "2.14.0",
        "health_data_last_collected": 1624459875,
        "last_updated": 1624459875,
        "machine_guid": "6345e8c1-e717-4c68-a0f9-34cd0789e17f",
        "model": "",
        "os_build": "",
        "os_family": "Windows",
        "os_version": "10.0.19041.1052",
        "password_status": "Set",
        "type": "",
        "username": "amoss"
    },
}

Administrators

Retrieve Administrators

Returns a paged list of administrators. To fetch all results, call repeatedly with the offset parameter as long as the result metadata has a next_offset value. Requires "Grant administrators" API permission.

GET /admin/v1/admins

Parameters

Use the paging parameters to change the number of results shown in a response or to retrieve additional results. See Response Paging for details.

This API endpoint has no additional parameters.

Response Codes

Response Format

Example Response

{
  "stat": "OK",
  "response": [ 
    {
     "admin_id": "DEVKWVBJA7LO95OIBIS3",
     "admin_units": [],
      "created": 1648143942,
      "email": "rscott@example.com",
      "hardtoken": {
        "serial": "1234567890",
        "token_id": "DH1TIP00LBCIH887OPSV",
        "totp_step": null,
        "type": "d1"
      },
      "last_directory_sync": null,
      "last_login": 1343921403,
      "name": "Rachael Scott",
      "password_change_required": false,
      "phone": "+17345551000",
      "restricted_by_admin_units": false,
      "role": "Owner",
      "status": "Active"
    },
    {
     "admin_id": "DEVKWVBJA7P00LD4DIS3",
     "admin_units": [],
      "created": 1648146942,
      "email": "fulan@example.com",
      "hardtoken": {},
      "last_directory_sync": 1658850983,
      "last_login": 1343971403,
      "name": "Fulan Al Fulani",
      "password_change_required": false,
      "phone": "+17345551100",
      "restricted_by_admin_units": false,
      "role": "Administrator",
      "status": "Active"
    }
  ]
}

Create Administrator

Create a new administrator. Requires "Grant administrators" API permission.

POST /admin/v1/admins

Parameters

Response Codes

Response Format

Returns the created single administrator object, with the same information as Retrieve Administrator by ID plus:

Example Response

{
  "stat": "OK",
  "response": {
    "activation_url": "https://admin-abcd1234.duosecurity.com/admins/activation/DAAR5SIVP00LYZA0WDAD/87e9b5fe47010441b5j05h2c5838fbf5",
    "activation_url_expires": 1604347975,  
    "admin_id": "DEVKWVBJA7LO95OIBIS3",
    "admin_units": [],
    "created": 1648143942,
    "email": "rscott@example.com",
    "hardtoken": null,
    "last_directory_sync": null,
    "last_login": null,
    "name": "Rachael Scott",
    "password_change_required": false,
    "phone": null,
    "restricted_by_admin_units": false,
    "role": "Help Desk",
    "status": "Pending Activation"
  }
}

Retrieve Administrator by ID

Return the single administrator with the administrator ID admin_id. Requires "Grant administrators" API permission.

GET /admin/v1/admins/[admin_id]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Returns the single administrator object, with the same information as Retrieve Administrators plus:

Example Response

{
  "stat": "OK",
  "response": {
    "activation_url": "https://admin-abcd1234.duosecurity.com/admins/activation/DAAR5SIVP00LYZA0WDAD/87e9b5fe47010441b5j05h2c5838fbf5",
    "admin_id": "DEVKWVBJA7LO95OIBIS3",
    "admin_units": [],
    "created": 1648143942,
    "email": "rscott@example.com",
    "hardtoken": null,
    "last_login": null,
    "last_directory_sync": null,
    "name": "Rachael Scott",
    "password_change_required": false,
    "phone": null,
    "restricted_by_admin_units": false,
    "role": "Owner",
    "status": "Pending Activation"
  }
}

Modify Administrator

Change the name, phone number, or other properties of the administrator with the administrator ID admin_id. Requires "Grant administrators" API permission.

POST /admin/v1/admins/[admin_id]

Parameters

Response Codes

Response Format

Returns the single modified administrator object. Refer to Retrieve Administrators for an explanation of the object's keys.

Example Response

Same as Retrieve Administrator by ID.

Delete Administrator

Delete the administrator with administrator ID admin_id from the system. Administrators managed by directory sync can not be deleted via API. Requires "Grant administrators" API permission.

DELETE /admin/v1/admins/[admin_id]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Empty string.

Example Response

{
  "stat": "OK",
  "response": ""
}

Reset Administrator Authentication Attempts

Clear the number of failed login attempts for the administrator with admin_id. Re-enables an administrator who has been disabled due to too many failed authentication attempts. Requires "Grant administrators" API permission.

POST /admin/v1/admins/[admin_id]/reset

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Empty string.

Example Response

{
  "stat": "OK",
  "response": ""
}

Clear Administrator Expiration

Clear expiration for the administrator with admin_id after the admin has been expired due to inactivity. The administrator's status changes from "Expired" to the status applied to that admin before inactive expiration, and restores access to the Duo Admin Panel if the effective status is "Active". Requires "Grant administrators" API permission.

POST /admin/v1/admins/[admin_id]/clear_inactivity

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Empty string.

Example Response

{
  "stat": "OK",
  "response": ""
}

Email Activation Link to Administrator Pending Activation

Email the current activation link to the administrator pending activation with the administrator ID admin_id. Requires "Grant administrators" API permission.

POST /admin/v1/admins/[admin_id]/activation_link/email

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Example Response

{
  "stat": "OK",
  "response": {
      "admin_activation_id": "DK9PHLB5Z8NZJRFSJX4Q",
      "code": "g793cfba2b4e8684164c6b8766baad08",
      "email": "rscott@example.com",
      "expires": 1604348536
  }
}

Delete Activation Link from Administrator Pending Activation

Deletes and invalidates the current activation link from the administrator pending activation with the administrator ID admin_id. Requires "Grant administrators" API permission.

DELETE /admin/v1/admins/[admin_id]/activation_link

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Same as Retrieve Administrator by ID.

Example Response

{
  "stat": "OK",
  "response": {
    "admin_id": "DEVKWVBJA7LO95OIBIS3",
    "admin_units": [],
    "created": 1648143942,
    "email": "rscott@example.com",
    "hardtoken": null,
    "last_directory_sync": null,
    "last_login": null,
    "name": "Rachael Scott",
    "password_change_required": false,
    "phone": null,
    "restricted_by_admin_units": false,
    "role": "Owner",
    "status": "Pending Activation"
  }
}

Create Activation Link for Administrator Pending Activation

Creates an activation link for the administrator pending activation with the administrator ID admin_id. There must not already be an existing activation link for the admin. Requires "Grant administrators" API permission.

POST /admin/v1/admins/[admin_id]/activation_link

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Same as Retrieve Administrator by ID.

Example Response

{
  "stat": "OK",
  "response": {
    "activation_url": "https://admin-abcd1234.duosecurity.com/admins/activation/DAAR5SIVP00LYZA0WDAD/87e9b5fe47010441b5j05h2c5838fbf5",
    "admin_id": "DEVKWVBJA7LO95OIBIS3",
    "admin_units": [],
    "created": 1648143942,
    "email": "rscott@example.com",
    "hardtoken": null,
    "last_directory_sync": null,
    "last_login": null,
    "name": "Rachael Scott",
    "password_change_required": false,
    "phone": null,
    "restricted_by_admin_units": false,
    "role": "Owner",
    "status": "Pending Activation"
  }
}

Create Administrator Activation Link

Create a link to the activation form for a new administrator with email address email. The administrator will not actually be created until the activation form is completed with further information (like the administrator's name and phone number). Requires "Grant administrators" API permission.

POST /admin/v1/admins/activations

Parameters

Response Codes

Response Format

Example Response

{
  "stat": "OK",
  "response": {
    "admin_activation_id": "DK9PHLB5Z8NZJRFSJX4Q",
    "admin_name": "Soren Ogilby",
    "admin_role": "Read-only",
    "code": "g793cfba2b4e8684164c6b8766baad08",
    "email": "sogilby@example.com",
    "email_sent": 1,
    "expires": 1550075404,
    "link": "https://admin-abcd1234.duosecurity.com/activation/g793cfba2b4e8684164c6b8766baad08",
    "message": "\nHello sogilby@example.com,\n\nYou have been added as a Duo administrator for the Acme Corp organization with the role of Read-Only. It takes about 3 minutes to set up and you will need your smartphone.\n\nClick the link below to start setting up your account. Your invitation will expire on Mon, Nov 2 at 11:02 PM UTC.\n\nhttps://admin-abcd1234.duosecurity.com/activation/g793cfba2b4e8684164c6b8766baad08\n\nRegards,\nDuo Security\n",
    "subject": "Set up your administrator account on Duo Security",
    "valid_days": 7
  },
}

Retrieve Pending Administrator Activations

Returns a paged list of pending administrator activations. To fetch all results, call repeatedly with the offset parameter as long as the result metadata has a next_offset value. Requires "Grant administrators" API permission.

GET /admin/v1/admins/activations

Parameters

Use the paging parameters to change the number of results shown in a response or to retrieve additional results. See Response Paging for details.

This API endpoint has no additional parameters.

Response Codes

Response Format

Example Response

{
  "stat": "OK",
  "response": {
    "admin_activation_id": "DK9PHLB5Z8NZJRFSJX4Q",
    "code": "g793cfba2b4e8684164c6b8766baad08",
    "email": "sogilby@example.com",
    "expires": 1550075404
  },
}

Delete Pending Administrator Activation

Delete the pending admin activation with ID admin_activation_id from the system. Requires "Grant administrators" API permission.

DELETE /admin/v1/admins/activations/[admin_activation_id]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Empty string.

Example Response

{
  "stat": "OK",
  "response": ""
}

Synchronize Admin from Directory

Initiate a sync to create, update, or mark for deletion the administrator specified by email against the directory specified by the directory_key. The directory_key for a directory can be found by navigating to Administrators → Admin Directory Sync in the Duo Admin Panel, and then clicking on the configured directory. Learn more about syncing individual admins from Active Directory, OpenLDAP, or Azure Active Directory. Requires "Grant administrators" API permission.

POST /admin/v1/admins/directorysync/[directory_key]/syncadmin

Parameters

Response Codes

Response Format

Returns the single synced administrator object with an additional message stating the admin synced successfully. Refer to Retrieve Administrators for an explanation of the object's keys.

Example Response

{
  "stat": "OK",
  "response":{
    "admin": {
        "admin_id": "DE98U1VAFZ6CO4T06HZO",
        "admin_units": [],
        "created": 1658850929,
        "email": "sogilby@example.com",
        "hardtoken": null,
        "last_directory_sync": 1658850983,
        "last_login": null,
        "name": "Soren Ogilby",
        "password_change_required": false,
        "phone": "+17345559777",
        "restricted_by_admin_units": false,
        "role": "Help Desk",
        "status": "Pending Activation"
    },
    "message": "User sogilby@example.com synced successfully."
}

Retrieve Admin External Password Management Status

Returns a paged list of administrators indicating whether they have been configured for external password management. To fetch all results, call repeatedly with the offset parameter as long as the result metadata has a next_offset value. Requires "Grant administrators" API permission.

GET /admin/v1/admins/password_mgmt

Parameters

Use the paging parameters to change the number of results shown in a response or to retrieve additional results. See Response Paging for details.

This API endpoint has no additional parameters.

Response Codes

Response Format

Example Response

{
   "stat": "OK",
    "response": [
        {
            "admin_id": "DEORP00LUIXPGD4DCC37",
            "email": "sogilby@example.com",
            "has_external_password_mgmt": false
        },
    ],
}

Retrieve Admin External Password Management Status by ID

Returns the external password management configuration for the single administrator with the administrator ID admin_id. Requires "Grant administrators" API permission.

GET /admin/v1/admins/[admin_id]/password_mgmt

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Same as Retrieve Admin External Password Management Status.

Example Response

{
    "stat": "OK",
    "response": {
        "admin_id": "DEORP00LUIXPGD4DCC37",
        "email": "sogilby@example.com",
        "has_external_password_mgmt": false
    },
}

Modify Admin External Password Management Status or Password

Enable or disable an administrator, specified by admin_id, for external password management, or set the password for an administrator with has_external_password_mgmt set to true (either passed in with the same POST or previously set).

Administrator passwords must have at least twelve characters, and may also require a mix of character types depending on your Admin Password Policy settings. New passwords will be checked against common passwords, usernames, and other account information to ensure uniqueness.

Setting has_external_password_mgmt also updates the administrator account's password_change_required value. When has_external_password_mgmt is set to true, password_change_required is updated to false, as enabling external password management restricts administrators from performing self-service password resets via the Duo Admin Panel UI. When has_external_password_mgmt is set to false, password_change_required is updated to true to ensure that an administrator no longer subject to external password management updates their password to a new value not known by the external system.

POST /admin/v1/admins/[admin_id]/password_mgmt

Parameters

Response Codes

Response Format

Example Response

{
    "stat": "OK",
    "response": {
            "admin_id": "DEORP00LUIXPGD4DCC37",
            "email": "sogilby@example.com",
            "has_external_password_mgmt": true,
            "password_changed": true
    },
}

Retrieve Administrator Authentication Factors

Retrieve a list of the secondary authentication methods permitted for administrator log on to the Duo Admin Panel. Requires "Grant administrators" API permission.

GET /admin/v1/admins/allowed_auth_methods

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Example Response

{
  "stat": "OK",
  "response": {
    "hardware_token_enabled": true,
    "mobile_otp_enabled": true,
    "push_enabled": true,
    "sms_enabled": false,
    "voice_enabled": false,
    "yubikey_enabled": true
  }
}

Restrict Administrator Authentication Factors

Enable or disable secondary authentication methods permitted for administrator log on to the Duo Admin Panel. When no methods are restricted Duo administrators may use any available two-factor method. Any method not explicitly set to true in the POST is disabled. Requires "Grant administrators" API permission.

POST /admin/v1/admins/allowed_auth_methods

Parameters

Response Codes

Response Format

Same as Retrieve Administrator Authentication Factors

Example Response

Same as Retrieve Administrator Authentication Factors

Administrative Units

Retrieve Administrative Units

Returns a paged list of all administrative units if no parameters specified. To fetch all results, call repeatedly with the offset parameter as long as the result metadata has a next_offset value. Requires "Grant administrators" API permission.

Optionally specify at most one parameter to return a list of administrative units associated with the given administrator, group, or integration.

GET /admin/v1/administrative_units

Parameters

Use the paging parameters to change the number of results shown in a response or to retrieve additional results. See Response Paging for details.

Response Codes

Response Format

Example Response

{
  "stat": "OK",
  "response": [{
    "admin_unit_id": "AUT0HJ753KH67HGF4S7H",
    "description": "Acme Corp Europe, Middle East, and Africa",
    "name": "Acme EMEA",
    "restrict_by_groups": true,
    "restrict_by_integrations": true
    },
    {
    "admin_unit_id": "AUDJ753KH6Z252X1B2B4",
    "description": "Acme Corp United States",
    "name": "Acme USA",
    "restrict_by_groups": true,
    "restrict_by_integrations": true
  }]
}

Retrieve Administrative Unit Details

Returns details for a single administrative unit with admin_unit_id. Requires "Grant administrators" API permission.

GET /admin/v1/administrative_units/[admin_unit_id]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Example Response

{
  "stat": "OK",
  "response": [{
    "admin_unit_id": "AUTU3AA76HG76K9GPFJ2",
    "admins": [
      "DEA76HG76K45TQHBMFI4"
    ],
    "description": "Acme Networking and VPN Admins",
    "groups": [],
    "integrations": [
      "DIBA76HEQMHRWA76KSSH"
    ],
    "name": "Acme Net Admins",
    "restrict_by_groups": false,
    "restrict_by_integrations": true
  }
}

Add Administrative Unit

Add a new administrative unit with specified administrators, groups, or other parameters. Requires "Grant administrators" API permission.

POST /admin/v1/administrative_units

Parameters

Response Codes

Response Format

Same as Retrieve Administrative Unit Details.

Modify Administrative Unit

Change the name, description, assigned administrators, groups, and/or integrations of the administrative unit with admin_unit_id. Requires "Grant administrators" API permission.

POST /admin/v1/administrative_units/[admin_unit_id]

Parameters

Response Codes

Response Format

Same as Retrieve Administrative Unit Details.

Add Administrator to Administrative Unit

Assign the administrator with admin_id to the administrative unit with admin_unit_id. The administrator user must have restricted_by_admin_units set to true before attempting to assign them to an administrative unit via the API. Requires "Grant administrators" API permission.

POST /admin/v1/administrative_units/[admin_unit_id]/admin/[admin_id]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Same as Retrieve Administrative Unit Details.

Remove Administrator from Administrative Unit

Unassign the administrator with admin_id from the administrative unit with admin_unit_id. The administrator user will still have restricted_by_admin_units set to true, and if the admin is not assigned to any other admin unit they will not be able to view any users or integrations. Be sure to change the value of restricted_by_admin_units to false to permit that admin to view all users and integrations. Requires "Grant administrators" API permission.

DELETE /admin/v1/administrative_units/[admin_unit_id]/admin/[admin_id]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Same as Retrieve Administrative Unit Details.

Add Group to Administrative Unit

Assign the group with group_id to the administrative unit with admin_unit_id. Requires "Grant administrators" API permission.

POST /admin/v1/administrative_units/[admin_unit_id]/group/[group_id]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Same as Retrieve Administrative Unit Details.

Remove Group from Administrative Unit

Unassign the group with group_id from the administrative unit with admin_unit_id. Requires "Grant administrators" API permission.

DELETE /admin/v1/administrative_units/[admin_unit_id]/group/[group_id]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Same as Retrieve Administrative Unit Details.

Add Integration to Administrative Unit

Assign the integration with integration_key to the administrative unit with admin_unit_id. Requires "Grant administrators" API permission.

POST /admin/v1/administrative_units/[admin_unit_id]/integration/[integration_key]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Same as Retrieve Administrative Unit Details.

Remove Integration from Administrative Unit

Unassign the integration with admin_id from the administrative unit with admin_unit_id. Requires "Grant administrators" API permission.

DELETE /admin/v1/administrative_units/[admin_unit_id]/integration/[integration_key]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Same as Retrieve Administrative Unit Details.

Delete Administrative Unit

Delete the administrative unit with admin_unit_id from the system. Requires "Grant administrators" API permission.

DELETE /admin/v1/administrative_units/[admin_unit_id]

Parameters

This API endpoint has no parameters.

Response Codes

Response Format

Empty string.

Example Response

{
  "stat": "OK",
  "response": ""
}

Logs

Authentication Logs

Returns a paged list of authentication log events ranging from the last 180 days up to as recently as two minutes before the API request. To fetch all results, call repeatedly with the next_offset paging parameter as long as the result metadata has next_offset values. Requires "Grant read log" API permission.

There is an intentional two minute delay in availability of new authentications in the API response. Duo operates a large scale distributed system, and this two minute buffer period ensures that calls will return consistent results. Querying for results more recent than two minutes will return as empty.

We recommend requesting logs no more than once per minute.

The v2 handler provides new filtering and querying capabilities unavailable in the legacy v1 handler. This includes the ability to filter on users, groups, applications, authentication results, factors, and time ranges.

GET or POST /admin/v2/logs/authentication

Parameters

Use the paging parameters to change the number of results shown in a response or to retrieve additional results. See Response Paging for details.

Response Codes

Response Format

Example Response

200 OK
{
    "stat": "OK",
    "response": {
        "authlogs": [
            {
                "access_device": {
                    "browser": "Chrome",
                    "browser_version": "67.0.3396.99",
                    "flash_version": "uninstalled",
                    "hostname": null,
                    "ip": "169.232.89.219",
                    "is_encryption_enabled": true,
                    "is_firewall_enabled": true,
                    "is_password_set": true,
                    "java_version": "uninstalled",
                    "location": {
                        "city": "Ann Arbor",
                        "country": "United States",
                        "state": "Michigan"
                    },
                    "os": "Mac OS X",
                    "os_version": "10.14.1",
                    "security_agents": []
                },
                "alias": "",
                "application": {
                    "key": "DIY231J8BR23QK4UKBY8",
                    "name": "Microsoft Azure Active Directory"
                },
                "auth_device": {
                    "ip": "192.168.225.254",
                    "key": "DP5BJ05HI4WRBVI4Q7JF",
                    "location": {
                        "city": "Ann Arbor",
                        "country": "United States",
                        "state": "Michigan"
                    },
                    "name": "My iPhone X (734-555-2342)"
                },
                "email": "narroway@example.com",
                "event_type": "authentication",
                "factor": "duo_push",
                "isotimestamp": "2020-02-13T18:56:20.351346+00:00",
                "ood_software": null,
                "reason": "user_approved",
                "result": "success",
                "timestamp": 1581620180,
                "trusted_endpoint_status": "not trusted",
                "txid": "340a23e3-23f3-23c1-87dc-1491a23dfdbb",
                "user": {
                    "groups": [
                        "Duo Users",
                        "CorpHQ Users"
                    ],
                    "key": "DU3KC77WJ06Y5HIV7XKQ",
                    "name": "narroway@example.com"
                }
            },
         ],
        "metadata": {
            "next_offset": [
                "1532951895000",
                "af0ba235-0b33-23c8-bc23-a31aa0231de8"
            ],
            "total_objects": 1
        }
    },
}

Authentication Logs (Legacy v1)

The v2 authentication logs endpoint provides new filtering and querying capabilities unavailable in the legacy v1 handler, like the ability to filter on users, groups, applications, authentication results, factors, and time ranges. Consider migrating to the new handler.

Returns a list of authentication log events ranging from the last 180 days up to as recently as two minutes before the API request. There is an intentional two minute delay in availability of new authentications in the API response. Duo operates a large scale distributed system, and this two minute buffer period ensures that calls will return consistent results. Querying for results more recent than two minutes will return as empty. Requires "Grant read log" API permission.

The 1000 earliest events will be returned; you may need to call this multiple times with mintime to page through the entire log. Note that more or fewer than 1000 events may be returned depending on how many actual events exist for the specified mintime.

We recommend requesting logs no more than once per minute.

GET /admin/v1/logs/authentication

Parameters

Response Codes

Response Format

Example Response

{
  "stat": "OK",
  "response": [{
      "access_device": {
           "browser": "Chrome",
           "browser_version": "56.0.2924.87",
           "flash_version": "25.0.0.0",
           "java_version": "1.8.0.92",
           "os": "Mac OS X",
           "os_version": "10.11"
           "trusted_endpoint_status": "trusted"
      },
      "alias": "john.smith",
      "device": "503-555-1000",
      "email": "jsmith@example.com",
      "factor": "Duo Push",
      "integration": "Acme Intranet",
      "ip": "192.168.0.1",
      "isotimestamp": "2020-02-13T18:56:20.351346+00:00",
      "location": {
           'city': 'Ann Arbor',
           'state': 'Michigan',
           'country': 'US'
      },
      "new_enrollment": false,
      "ood_software": "",
      "reason": "User approved",
      "result": "SUCCESS",
      "timestamp": 1581620180,
      "username": "jsmith",

  }]
}

Administrator Logs

Returns a list of administrator log events. Only the 1000 earliest events will be returned; you may need to call this multiple times with mintime to page through the entire log. Requires "Grant read log" API permission.

We recommend requesting logs no more than once per minute.

GET /admin/v1/logs/administrator

Parameters

Response Codes

Response Format