Skip navigation

Duo Admin API v1 (Legacy)

Last updated:

The Duo Admin API provides programmatic access to the administrative functionality of Duo Security's two-factor authentication platform.

Version 1 Note

The Admin API v1 handlers listed on this page remain supported, but will be deprecated in the future. These endpoints may not receive updates. Some v1 endpoints already have deprecation dates announced; see the information in each endpoint's section for details. If you're trying Admin API for the first time, please use the current version of these legacy endpoints.

Overview

Duo Admin API is automatically available to paying Duo Premier, Duo Advantage, and Duo Essentials plan customers and new customers with an Advantage or Premier trial. Learn how to sign up for a Duo account and receive a free 30-day Duo Advantage trial.

The Admin API lets developers integrate with Duo Security's platform at a low level. The API has methods for creating, retrieving, updating, and deleting the core objects in Duo's system: users, phones, hardware tokens, admins, and integrations.

Developers can write applications that programmatically read their Duo account's authentication logs, administrator logs, and telephony logs; read or update account settings; and retrieve reports and other information.

Are you a software vendor looking to integrate Duo into your application? Join our free Duo Technology Partner Program for developer accounts, joint marketing support, and more!

About Admin API Version 1

We have started implementing v2 and v3 handlers for endpoints. In these cases, the API v1 handlers listed on this page remain supported, but will be deprecated in the future. These endpoints may not receive updates. We encourage use of the most current endpoints where available and recommend migrating existing API implementations to the v2 or v3 handlers.

Admin API endpoints with v2 or v3 handlers implemented have their v1 handlers classified as legacy. Endpoints with only v1 handlers are considered most current and aren't legacy.

Please see the primary Admin API documentation for the following information:

  • How to create the Admin API application in the Duo Admin Panel.
  • Open-source Duo API client availability.
  • How to construct a valid API request if you do not use a Duo API client.

Groups

Get Group Info

This legacy v1 endpoint will be deprecated in the future. Consider migrating to the v2 endpoint.

The v1 groups endpoint limits the response to the first 4,000 group members. Requires "Grant resource - Read" API permission.

GET /admin/v1/groups/[group_id]

Parameters

This API endpoint has no parameters.

Response Codes

Response Meaning
200 Success.
404 Group with given ID was not found.

Response Format

Key Value
desc The group's description.
push_enabled

Legacy parameter; no effect if specified and always returns false. Use Duo Authentication Method policies to configure this setting.
sms_enabled

Legacy parameter; no effect if specified and always returns false. Use Duo Authentication Method policies to configure this setting.
voice_enabled

Legacy parameter; no effect if specified and always returns false. Use Duo Authentication Method policies to configure this setting.
mobile_otp_enabled

Legacy parameter; no effect if specified and always returns false. Use Duo Authentication Method policies to configure this setting.
group_id The group's ID.
name The group's name. If managed by directory sync, then the name returned here also indicates the source directory.
status The group's authentication status. See Retrieve Groups for a list of possible values.
users A list of the users in the group.

Example Response

{
  "response": {
    "desc": "Group description",
    "group_id": "DGBDKSSH37KSJ373JKSU",
    "mobile_otp_enabled": false,
    "name": "Group Name",
    "push_enabled": false,
    "sms_enabled": false,
    "status": "active",
    "users": [
      {
      "user_id": "DUJ424R8DP0OL5D4DAFJ",
      "username": "User A"
      },
      {
      "user_id": "DUJSP005D4DJFJ05HASD",
      "username": "User B"
      }
    ],
    "voice_enabled": false
  },
  "stat": "OK"
}

Integrations

Retrieve Integrations

This legacy v1 endpoint will be deprecated in the future. Consider migrating to the v3 endpoint.

Returns a paged list of integrations. To fetch all results, call repeatedly with the offset parameter as long as the result metadata has a next_offset value. This v1 API endpoint cannot retrieve Duo Single Sign-On applications and returns integrations' secret keys in plain text. Requires "Grant resource - Read" API permission.

GET /admin/v1/integrations

Parameters

Use the paging parameters to change the number of results shown in a response or to retrieve additional results. See Response Paging for details.

Paging Parameter Required? Description
limit Optional

The maximum number of records returned.

Default: 100; Max: 500
offset Optional

The offset from 0 at which to start record retrieval.

When used with "limit", the handler will return "limit" records starting at the n-th record, where n is the offset.

Default: 0

This API endpoint has no additional parameters.

Response Codes

Response Meaning
200 Success.

Response Format

Key Value
adminapi_admins

Integer value of 1 if the integration has been granted permission for Administrators methods; otherwise 0. Returned for all integration types but only applicable to Admin API integrations (adminapi type).
adminapi_admins_read

Integer value of 1 if the integration has been granted permission to read Administrators and Administrative Units objects; otherwise 0. Returned for all integration types but only applicable to Admin API integrations (adminapi type).
adminapi_allow_to_set_permissions

Integer value of 1 if the integration has been granted permission to change the permissions for Admin API integrations via the API. If set to 0 then permissions for Admin API applications must be set in the Duo Admin Panel. Returned for all integration types but only applicable to Admin API integrations (adminapi type).
adminapi_info

Integer value of 1 if the integration has been granted permission for Account Info methods; otherwise 0. Returned for all integration types but only applicable to Admin API integrations (adminapi type).
adminapi_integrations

Integer value of 1 if the integration has been granted permission for Integrations methods; otherwise 0. Returned for all integration types but only applicable to Admin API integrations (adminapi type).
adminapi_read_log

Integer value of 1 if the integration has been granted permission for Logs methods; otherwise 0. Returned for all integration types but only applicable to Admin API integrations (adminapi type).
adminapi_read_resource

Integer value of 1 if the integration has been granted permission to retrieve objects like users, phones, and hardware tokens; otherwise 0. Returned for all integration types but only applicable to Admin API integrations (adminapi type).
adminapi_settings

Integer value of 1 if the integration has been granted permission for Settings methods; otherwise 0. Returned for all integration types but only applicable to Admin API integrations (adminapi type).
adminapi_write_resource

Integer value of 1 if the integration has been granted permission to modify objects like users, phones, and hardware tokens; otherwise 0. Returned for all integration types but only applicable to Admin API integrations (adminapi type).
enroll_policy

Legacy parameter; no effect if specified and returns no value. Use Duo New User policies to configure this setting.
frameless_auth_prompt_enabled

Integer value of 1 if the integration has been updated to support Duo Universal Prompt, otherwise 0. Only appears for a given integration after Duo makes the frameless prompt available for that application, and the value is set to 1 automatically when Duo detects a frameless authentication for the integration.
greeting

Voice greeting read before the authentication instructions to users who authenticate with a phone callback.
groups_allowed

A list of groups, as group IDs, that are allowed to authenticate with the integration. If empty, all groups are allowed.
integration_key

Integration ID.
ip_whitelist

Legacy parameter; no effect if specified and always returns an empty list. Use Duo Authorized Network policies to configure this for an application.
ip_whitelist_enroll_policy

Legacy parameter; no effect if specified and always returns no value. Use Duo Authorized Network policies to configure this for an application.
name

The integration's name.
networks_for_api_access

A comma-separated list of IP addresses, IP ranges, or CIDRs specifying the networks allowed to access this API integration. Only returned for Accounts API and Admin API integrations.
notes

Description of the integration.
policy_key

The identifying policy key for the custom policy attached to the integration. Not shown if no policy attached to the integration.
prompt_v4_enabled

Integer value of 1 if Duo Universal Prompt is activated for the application, otherwise 0. Only appears for a given integration when frameless_auth_prompt_enabled is 1 (value set automatically when Duo detects a frameless authentication for the integration).
secret_key

Secret used when configuring systems to use this integration.

The secret keys (SKEYs) for Admin API integrations will only be accessible when the requesting Admin API integration has equal or better permissions than the target integration. Otherwise, the secret key will be hidden, showing only the last four characters.
self_service_allowed

Integer value of 1 if users may use self-service from this integration's 2FA prompt to update authentication devices, otherwise false (default). Supported integrations display the interactive Duo authentication prompt in a web browser.

Note: The v1 API response does not include information about Duo Single Sign-On applications.
type

Integration type. Refer to Retrieve Integrations for a list of valid values.

Note: The v1 API response does not include information about Duo Single Sign-On applications.
trusted_device_days

Legacy parameter; no effect if specified and always returns no value. Use Duo Remembered Devices policies to configure this for an application.
username_normalization_policy

This controls whether or not usernames should be altered before trying to match them to a user account. One of:

Policy Description
"None" The username will be used as is.
"Simple" Both "DOMAIN\username" and "username@example.com" will be normalized to "username" when logging in.

Example Response

{
  "metadata": {
    "total_objects": 2
  },
  "response": [
    {
      "adminapi_admins": 0,
      "adminapi_admins_read": 0,
      "adminapi_allow_to_set_permissions": 0,
      "adminapi_info": 0,
      "adminapi_integrations": 0,
      "adminapi_read_log": 0,
      "adminapi_read_resource": 0,
      "adminapi_settings": 0,
      "adminapi_write_resource": 0,
      "enroll_policy": "",
      "frameless_auth_prompt_enabled": 1,
      "greeting": "Welcome to Duo.",
      "groups_allowed": [],
      "integration_key": "DIRWIH0ZZPV4G88B37VQ",
      "ip_whitelist": [],
      "ip_whitelist_enroll_policy": "",
      "name": "Web Application",
      "notes": "",
      "policy_key": "POHSLA8SP00LABDAD98Y",
      "prompt_v4_enabled": 1,
      "secret_key": "QO4ZLqQVRIOZYkHfdPDORfcNf8LeXIbCWwHazY7",
      "self_service_allowed": false,
      "trusted_device_days": 0,
      "type": "websdk",
      "username_normalization_policy": "None"
    },
    {
      "adminapi_admins": 0,
      "adminapi_admins_read": 0,
      "adminapi_allow_to_set_permissions": 0,
      "adminapi_info": 0,
      "adminapi_integrations": 0,
      "adminapi_read_log": 1,
      "adminapi_read_resource": 0,
      "adminapi_settings": 0,
      "adminapi_write_resource": 0,
      "enroll_policy": "",
      "greeting": "Welcome to Duo.",
      "groups_allowed": [],
      "integration_key": "DIRWIH0ZZPV4GJ05H7VQ",
      "name": "Admin API",
      "networks_for_api_access": "",
      "notes": "",
      "secret_key": "QO4ZLqQVRIOZYkHfdPDORj05h8LeXIbCWwHazY7",
      "self_service_allowed": false,
      "type": "adminapi",
      "username_normalization_policy": "None"
    }
  ]
  "stat": "OK"
}

Create Integration

This legacy v1 endpoint will be deprecated in the future. Consider migrating to the v3 endpoint.

Create a new integration. The new integration key and secret key are randomly generated and returned in the response. This v1 API endpoint cannot create Duo Single Sign-On applications and returns the integration's secret key in plain text. Requires "Grant applications" API permission.

POST /admin/v1/integrations

Parameters

Parameter Required? Description
name Required The name of the integration to create.
type Required

The type of the integration to create.

Refer to Retrieve Integrations for a list of valid values. Duo Single Sign-On applications can only be created using the v2 and v3 endpoints. Integrations of type "azure-ca" (Microsoft Azure Active Directory) "microsoft-eam" (Microsoft Entra ID: External MFA) may not be created via API. If an integration has reached the Duo end of support then new instances of that integration may not be created with the API.
adminapi_admins Optional

Set to 1to grant to grant an Admin API integration permission to create, modify, and delete all Administrators and Administrative Units objects.

Default: 0.
adminapi_admins_read Optional

Set to 1 to grant an Admin API integration permission to read Administrators and Administrative Units objects.

Default: 0.
adminapi_allow_to_set_permissions Optional Set to 1 to grant an Admin API integration permission to change the permissions for Admin API integrations via the API. If left at 0 then permissions for Admin API applications must be set in the Duo Admin Panel.

Default: 0.
adminapi_info Optional

Set to 1 to grant an Admin API integration permission for all Account Info methods.

Default: 0.
adminapi_integrations Optional

Set to 1to grant an Admin API integration permission for all Integrations methods.

Default: 0.
adminapi_read_log Optional

Set to 1to grant an Admin API integration permission for all Logs methods.

Default: 0.
adminapi_read_resource Optional Set to 1to grant an Admin API integration permission to retrieve objects like users, phones, and hardware tokens.

Default: 0.
adminapi_settings Optional

Set to 1to grant an Admin API integration permission for all Settings methods.

Default: 0.
adminapi_write_resource Optional Set to 1to grant an Admin API integration permission to create, modify, and delete objects like users, phones, and hardware tokens.

Default: 0.
enroll_policy Optional

Legacy parameter; no effect if specified and returns no value. Use Duo New User policies to configure this setting.

What to do after an unenrolled user passes primary authentication.
greeting Optional Voice greeting read before the authentication instructions to users who authenticate with a phone callback.
groups_allowed Optional A comma-separated list of group IDs that are allowed to authenticate with the integration. If empty, all groups are allowed.

Object limits: 100 groups per integration.
ip_whitelist Optional

Legacy parameter; no effect if specified and always returns an empty list. Use Duo Authorized Network policies to configure this for an application.
ip_whitelist_enroll_policy Optional

Legacy parameter; no effect if specified and always returns no value. Use Duo Authorized Network policies to configure this for an application.

What to do after a new user from a trusted IP completes primary authentication.
networks_for_api_access Optional A comma-separated list of IP addresses, IP ranges, or CIDRs specifying the networks allowed to access this API integration. Only applicable to Accounts API and Admin API integrations. A given API integration may apply a network restriction to itself via API; use a different API integration to apply the network restriction, or edit the API application in the Duo Admin Panel GUI.
notes Optional Description of the integration.
trusted_device_days Optional

Legacy parameter; no effect if specified and always returns 0. Use Duo Remembered Devices policies to configure this for an application.
self_service_allowed Optional Set to 1to grant an integration permission to allow users to manage their own devices. This is only supported by integrations which allow for self service configuration.
username_normalization_policy Optional

Policy for whether or not usernames should be altered before trying to match them to a user account. Refer to Retrieve Integrations for a list of valid values.

Response Codes

Response Meaning
200 Success. Returns the newly created integration.
400 Invalid or missing parameters, one-to-many object limit reached, integration already exists with the given name, or insufficient Admin API permissions.
500 Other internal error.

Response Format

Returns the created single integration object. Refer to Retrieve Integrations for an explanation of the object's keys.

Example Response

Same as Retrieve Integration by Integration Key.

Retrieve Integration by Integration Key

This legacy v1 endpoint will be deprecated in the future. Consider migrating to the v3 endpoint.

Return the single integration with integration_key. This v1 API endpoint cannot retrieve Duo Single Sign-On applications and returns the integration's secret key in plain text. Requires "Grant applications" API permission.

GET /admin/v1/integrations/[integration_key]

Parameters

This API endpoint has no parameters.

Response Codes

Response Meaning
200 Success.
404 No integration was found with the given integration_key.

Response Format

Returns the single integration object. Refer to Retrieve Integrations for an explanation of the object's keys.

Example Response

{
  "response": {
    "adminapi_admins": 0,
    "adminapi_admins_read": 0,
    "adminapi_allow_to_set_permissions": 0,
    "adminapi_info": 0,
    "adminapi_integrations": 0,
    "adminapi_read_log": 0,
    "adminapi_read_resource": 0,
    "adminapi_settings": 0,
    "adminapi_write_resource": 0,
    "enroll_policy": "",
    "frameless_auth_prompt_enabled": 1,
    "greeting": "Welcome to Duo.",
    "groups_allowed": [],
    "integration_key": "DIRWIH0ZZPV4G88B37VQ",
    "ip_whitelist": [],
    "ip_whitelist_enroll_policy": "",
    "name": "Web Application",
    "notes": "",
    "policy_key": "POHSL88SP00LABDAD98Y",
    "prompt_v4_enabled": 1,
    "secret_key": "QO4ZLqQVRIOZYkHfdPDORfcNf8LeXIbCWwHazY7",
    "self_service_allowed": false,
    "trusted_device_days": 0,
    "type": "websdk",
    "username_normalization_policy": "None"
  },
  "stat": "OK"
}

Modify Integration

This legacy v1 endpoint will be deprecated in the future. Consider migrating to the v3 endpoint.

Change the name, greeting, and/or notes of the integration with integration key integration_key, or reset its secret key. When modifying an Admin API integration permissions can also be added or removed. This v1 API endpoint cannot modifyDuo Single Sign-On applications and returns the integration's secret key in plain text. Requires "Grant applications" API permission.

POST /admin/v1/integrations/[integration_key]

Parameters

Parameter Required? Description
name Optional New name for the integration.
networks_for_api_access Optional A comma-separated list of IP addresses, IP ranges, or CIDRs specifying the networks allowed to access this API integration. Only applicable to Accounts API and Admin API integrations. A given API integration may apply a network restriction to itself via API; use a different API integration to apply the network restriction, or edit the API application in the Duo Admin Panel GUI.
adminapi_admins Optional

Set to 1 to grant an Admin API integration permission to create, modify, or delete Administrators and Administrative Units objects or 0 to remove access to them.
adminapi_admins_read Optional

Set to 1 to grant an Admin API integration permission to read Administrators and Administrative Units objects or 0 to remove access to them.
adminapi_allow_to_set_permissions Optional Set to 1 to grant an Admin API integration permission to change the permissions for Admin API integrations via the API or 0 to require that permissions for Admin API applications must be set in the Duo Admin Panel.
adminapi_info Optional

Set to 1to grant an Admin API integration permission for all Account Info methods or 0 to remove access to them.
adminapi_integrations Optional

Set to 1to grant an Admin API integration permission for all Integrations methods or 0 to remove access to them.
adminapi_read_log Optional

Set to 1to grant an Admin API integration permission for all Logs methods or 0 to remove access to them.
adminapi_read_resource Optional

Set to 1to grant an Admin API integration permission to retrieve objects like users, phones, and hardware tokens or 0 to remove access to them.
adminapi_settings Optional

Set to 1to grant an Admin API integration permission for all Settings methods or 0 to remove access to them.
adminapi_write_resource Optional Set to 1to grant an Admin API integration permission to create and modify objects like users, phones, and hardware tokens or 0 to remove access to them.
trusted_device_days Optional

Legacy parameter; no effect if specified and always returns 0. Use Duo Remembered Devices policies to configure this for an application.

Refer to Retrieve Integrations for a list of supported integrations.
enroll_policy Optional

Legacy parameter; no effect if specified and returns no value. Use Duo New User policies to configure this setting.

New policy for what to do after an unenrolled user passes primary authentication. Refer to Retrieve Integrations for a list of valid values.
greeting Optional New voice greeting. Will be read before the authentication instructions to users who authenticate with a phone callback.
groups_allowed Optional A comma-separated list of group IDs that are allowed to authenticate with the integration. If set to an empty string, all groups will be allowed.

Object limits: 100 groups per integration.
ip_whitelist Optional

Legacy parameter; no effect if specified and always returns an empty list. Use Duo Authorized Network policies to configure this for an application.

Refer to Retrieve Integrations for a list of supported integrations.
ip_whitelist_enroll_policy Optional

Legacy parameter; no effect if specified and always returns no value. Use Duo Authorized Network policies to configure this for an application.

New policy for what to do after a new user from a trusted IP completes primary authentication. Refer to Retrieve Integrations for a list of valid values.
notes Optional New description of the integration.
policy_key Optional

Specify the "Policy Key" value for a custom policy to attach it to the specified integration. Obtain a policy's key by viewing it in the Duo Admin Panel's "Policies" page or from the output of Retrieve Integrations. Leave the value blank to detach the currently attached policy from an integration.
prompt_v4_enabled Optional Set to 1 to activate Duo Universal Prompt for the application, or to 0 to revert back to traditional prompt. Only appears for a given integration when frameless_auth_prompt_enabled is 1 (value set automatically when Duo detects a frameless authentication for the integration).
reset_secret_key Optional If set to 1, resets the integration's secret key to a new, randomly generated value. The new secret key is returned in the return value. Attempting to reset the secret key for the same Admin API integration whose integration key and secret key are used to make this call will return an error. Can not be used with SSO applications.
self_service_allowed Optional Set to 1 to grant an integration permission to allow users to manage their own devices. This is only supported by integrations which allow for self service configuration.
username_normalization_policy Optional

New policy for whether or not usernames should be altered before trying to match them to a user account. Refer to Retrieve Integrations for a list of valid values.

Response Codes

Response Meaning
200

The integration was modified successfully. Also returns the integration object (see Retrieve Integration by Integration Key).
400 Invalid or missing parameters, one-to-many object limit reached, an integration already exists with the given name, insufficient Admin API permissions, or attempting to reset the secret key used to sign this API request.
404 No integration was found with the given integration_key.
500 Other internal error.

Response Format

Returns the modified single integration object. Refer to Retrieve Integrations for an explanation of the object's keys.

Example Response

Same as Retrieve Integration by Integration Key.

Delete Integration

This legacy v1 endpoint will be deprecated in the future. Consider migrating to the v3 endpoint.

WARNING: Deleting an integration from Duo can block user logins!

Be sure to remove Duo authentication from your product's configuration before you delete the corresponding integration.

Depending on the application this could mean uninstalling Duo software from your systems, or updating your device or application settings to no longer include Duo in the authentication process.

There is no way to restore an integration deleted in error with Admin API.

Delete the integration with integration_key from the system. Attempting to delete the Admin API integration whose secret key is used to sign this request will return an error. This v1 API endpoint cannot delete Duo Single Sign-On applications. Requires "Grant applications" API permission.

DELETE /admin/v1/integrations/[integration_key]

Parameters

This API endpoint has no parameters.

Response Codes

Response Meaning
200 The integration was deleted or did not exist.
400 Attempting to delete the integration whose secret key was used to sign this API request.

Response Format

Empty string.

Example Response

{
  "stat": "OK",
  "response": ""
}

Logs

Authentication Logs

This legacy v1 endpoint will be deprecated on September 30, 2026. Migrate your use of this logging endpoint to the Authentication Logs v2 endpoint before then to avoid service disruption.

The v2 authentication logs endpoint provides new filtering and querying capabilities unavailable in the legacy v1 handler, like the ability to filter on users, groups, applications, authentication results, factors, and time ranges. Consider migrating to the new handler.

Returns a list of authentication log events ranging from the last 180 days up to as recently as two minutes before the API request. There is an intentional two minute delay in availability of new authentications in the API response. Duo operates a large scale distributed system, and this two minute buffer period ensures that calls will return consistent results. Querying for results more recent than two minutes will return as empty. Requires "Grant read log" API permission.

The 1000 earliest events will be returned; you may need to call this multiple times with mintime to page through the entire log. Note that more or fewer than 1000 events may be returned depending on how many actual events exist for the specified mintime.

We recommend requesting logs no more than once per minute.

GET /admin/v1/logs/authentication

Parameters

Parameter Required? Description
mintime Optional

Only return records that have a Unix timestamp in seconds of mintime or later. Use mintime+1 to avoid receiving duplicate data.

Response Codes

Response Meaning
200 Success.

Response Format

Key Value
access_device

Browser, plugin, and operating system information for the endpoint used to access the Duo-protected resource. Values present only when the application accessed features Duo's inline browser prompt.

This information is available to Duo Premier and Duo Advantage plan customers.

browser The web browser used for access.
browser_version The browser version.
flash_version The Flash plugin version used, if present, otherwise "uninstalled".
java_version The Java plugin version used, if present, otherwise "uninstalled".
os The device operating system name.
os_version The device operating system version.
trusted_endpoint_status

Shows whether the endpoint is a Duo managed endpoint. One of "trusted", "not trusted", "unknown", or "error". Returned for Duo Premier customers only.
alias The username alias used to log in. No value if the user logged in with their username instead of a username alias.
device Device used to authenticate, if present, otherwise none.
email The email address of the user, if known to Duo, otherwise none.
factor

The authentication factor. One of: "Bypass Code", "Digipass GO 7 Token", "Duo Desktop", "Duo Mobile Inline Auth", "Duo Mobile Passcode", "Duo Mobile Passcode (HOTP)", "Duo Mobile Passcode (TOTP)", "Duo Push", "Passcode", "Phone Call", "Hardware Token", "Remembered Device", "Security Key (WebAuthn)", "SMS Passcode", "SMS Refresh", "Touch ID (WebAuthn)", "Trusted Network", "U2F Token", or "Yubikey Passcode".
integration The integration name.
ip The IP address that this request originated from.
isotimestamp

ISO8601 timestamp of the event.
location The GeoIP location from which the user authenticated, if available. The response may not include all location parameters.
city The city name.
state The state, county, province, or prefecture.
country The country code. Refer to ISO 3166 for a list of possible countries.
new_enrollment true if the user enrolled a new device at the authentication prompt; false if authenticated with a previously enrolled device.
ood_software

If authentication was denied due to out-of-date software, shows the name of the software, i.e. "Chrome", "Flash", etc.

No value if authentication was successful or authentication denial was not due to out-of-date software.

reason

Provide the reason for the authentication attempt result.

If result is "SUCCESS" then one of: "Allow unenrolled user", "Allowed by policy", "Bypass user", "Remembered device", "Trusted location", "Trusted network", "User approved", "Valid passcode".

If result is "FAILURE" then one of: "Anonymous IP", "Call timed out", "Couldn't determine if endpoint was trusted", "Denied by policy", "Deny unenrolled user", "Duo Mobile version restricted", "Endpoint is not in Management System", "Factor restricted", "Frequent attempts", "Invalid device", "Invalid passcode", "Location restricted", "Locked out", "No Duo certificate present", "No response", "No disk encryption", "No fingerprint", "No screen lock", "Out of date", "Platform restricted", "Rooted device", "Software Restricted", "User cancelled", "User is disabled", "User mistake", or "User provided an invalid certificate".

If result is "ERROR" then: "Error".

If result is "FRAUD" then: "User marked fraud".

Note that enrollment events have no associated reason.
result The result of the authentication attempt. One of: "success", "denied", "failure", "error", or "fraud".
timestamp An integer indicating the Unix timestamp of the event.
username The authenticating user's username.

Example Response

{
  "response": [{
      "access_device": {
           "browser": "Chrome",
           "browser_version": "56.0.2924.87",
           "flash_version": "25.0.0.0",
           "java_version": "1.8.0.92",
           "os": "Mac OS X",
           "os_version": "10.11"
           "trusted_endpoint_status": "trusted"
      },
      "alias": "john.smith",
      "device": "503-555-1000",
      "email": "jsmith@example.com",
      "factor": "Duo Push",
      "integration": "Acme Intranet",
      "ip": "192.168.0.1",
      "isotimestamp": "2020-02-13T18:56:20.351346+00:00",
      "location": {
           "city": "Ann Arbor",
           "state": "Michigan",
           "country": "US"
      },
      "new_enrollment": false,
      "ood_software": "",
      "reason": "User approved",
      "result": "SUCCESS",
      "timestamp": 1581620180,
      "username": "jsmith"
  }],
  "stat": "OK"
}

Telephony Logs

This legacy v1 endpoint will be deprecated on September 30, 2026. Migrate your use of this logging endpoint to the Telephony Logs v2 endpoint before then to avoid service disruption.

The v2 telephony logs endpoint provides new querying capabilities and contextual information for events unavailable in the legacy v1 handler. Consider migrating to the new handler.

Returns a list of telephony log events. Only the 1000 earliest events will be returned; you may need to call this multiple times with mintime to page through the entire log. Requires "Grant read log" API permission.

We recommend requesting logs no more than once per minute.

GET /admin/v1/logs/telephony

Parameters

Parameter Required? Description
mintime Optional Only return records that have a Unix timestamp in seconds after mintime. This can help to avoid fetching records that have already been retrieved.

Response Codes

Response Meaning
200 Success.

Response Format

Key Value
context How this telephony event was initiated. One of: "administrator login", "authentication", "enrollment", or "verify".
credits How many telephony credits this event cost.
isotimestamp

ISO8601 timestamp of the event.
phone The phone number that initiated this event.
timestamp An integer indicating the Unix timestamp of the event.
type The event type. Either "sms" or "phone".

Example Response

{
  "stat": "OK",
  "response": [{
      "context": "authentication",
      "credits": 1,
      "isotimestamp": "2020-03-20T15:38:12+00:00",
      "phone": "+15035550100",
      "timestamp": 1584718692,
      "type": "sms"
  }]
}