Skip navigation
Documentation

Duo Admin API v1 (Legacy)

Last Updated: March 24th, 2025

Contents

The Duo Admin API provides programmatic access to the administrative functionality of Duo Security's two-factor authentication platform.

Version 1 Note

The Admin API v1 handlers listed on this page remain supported, but will be deprecated in the future. These endpoints may not receive updates. If you're trying Admin API for the first time you should check out the current version.

Overview

Duo Admin API is automatically available to paying Duo Premier, Duo Advantage, and Duo Essentials plan customers and new customers with an Advantage or Premier trial. Learn how to sign up for a Duo account and receive a free 30-day Duo Advantage trial.

The Admin API lets developers integrate with Duo Security's platform at a low level. The API has methods for creating, retrieving, updating, and deleting the core objects in Duo's system: users, phones, hardware tokens, admins, and integrations.

Developers can write applications that programmatically read their Duo account's authentication logs, administrator logs, and telephony logs; read or update account settings; and retrieve reports and other information.

Review the API Details to see how to construct your first API request.

Are you a software vendor looking to integrate Duo into your application? Join our free Duo Technology Partner Program for developer accounts, joint marketing support, and more!

About Admin API Version 1

We have started implementing v2 and v3 handlers for endpoints. In these cases, the API v1 handlers listed on this page remain supported, but will be deprecated in the future. These endpoints may not receive updates. We encourage use of the most current endpoints where available and recommend migrating existing API implementations to the v2 or v3 handlers.

Admin API endpoints with v2 or v3 handlers implemented have their v1 handlers classified as legacy. Endpoints with only v1 handlers are considered most current and aren't legacy.

About the Admin API

Documented properties will not be removed within a stable version of the API. Once a given API endpoint is documented to return a given property, a property with that name will always appear (although certain properties may only appear under certain conditions, like if the customer is using a specific edition). When Duo deprecates a property, the API continues to accept that property in requests, although it no longer has any effect.

Properties that enumerate choices may gain new values at any time, e.g. the device platform value could return new device platforms that did not previously exist. Duo may cease to return legacy values for properties as well. Duo will update our API documentation with changes to property values in a timely fashion, adding new property values or indicating changes to existing property values.

New, undocumented properties may also appear at any time. For instance, Duo may make available a beta feature involving extra information returned by an API endpoint. Until the property is documented here its format may change or it may even be entirely removed from our API.

Please note that all Unix timestamps are in seconds, except where noted.

First Steps

Role required: Owner

Note that only administrators with the Owner role can create or modify an Admin API application in the Duo Admin Panel.

  1. Sign up for a Duo account if you aren't already a customer. Your free 30-day Duo Advantage trial includes Admin API access.

  2. Log in to the Duo Admin Panel and navigate to ApplicationsProtect an Application.

  3. Locate the entry for Admin API in the applications list. Click Protect to the far-right to configure the application and get your integration key, secret key, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications with Duo and additional application options.

    Treat your secret key like a password

    The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

  4. Determine the permissions you want to grant to this Admin API application. Refer to the API endpoint descriptions throughout this document for information about required permissions for operations.

    Permission Details
    Grant administrators - Read The Admin API application can read information about Duo administrators and administrative units.
    Grant administrators - Write The Admin API application can read, add, modify, and delete information about Duo administrators and administrative units.
    Grant read information The Admin API application can read information about the Duo customer account's utilization.
    Grant applications The Admin API application can add, modify, and delete applications (referred to as "integrations" in the API), including permissions on itself or other Admin API applications.
    Grant settings The Admin API application can read and change global Duo account settings.
    Grant read log The Admin API application can read authentication, offline access, telephony, and administrator action log information.
    Grant resource - Read The Admin API application can read information about resource objects such as end users, policies, and devices.
    Grant resource - Write The Admin API application can create, update, and delete resource objects such as end users, policies, and devices.
    Grant set Admin API permissions The Admin API application can add or remove the permissions listed above via API for other Admin API applications. When this permission is not granted, permissions for an Admin API application must be set from the Duo Admin Panel.
  5. Optionally specify which IP addresses or ranges are allowed to use this Admin API application in Networks for API Access. If you do not specify any IP addresses or ranges, this Admin API application may be accessed from any network.

    The Admin API performs the IP check after verifying the authentication signature in a request. If you restrict the allowed networks for API access and see logged events for blocked Admin API requests from unrecognized IP addresses, this may indicate compromise of your Admin API application's secret key.

Connectivity Requirements

This application communicates with Duo's service on SSL TCP port 443.

Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review Duo Knowledge Base article 1337.

Effective June 30, 2023, Duo no longer supports TLS 1.0 or 1.1 connections or insecure TLS/SSL cipher suites. See Duo Knowledge Base article 7546 for additional guidance.

API Clients

Duo Security has demonstration clients available on GitHub to call the Duo API methods.

API Details

Base URL

All API methods use your API hostname, https://api-XXXXXXXX.duosecurity.com. Obtain this value from the Duo Admin Panel and use it exactly as shown there.

Methods always use HTTPS. Unsecured HTTP is not supported.

Request Format

All requests must have "Authorization" and "Date" headers.

If the request method is GET or DELETE, URL-encode parameters and send them in the URL query string like this: /admin/v1/users?realname=First%20Last&username=root. They still go on a separate line when creating the string to sign for an Authorization header.

Send parameters for POST requests in the body as URL-encoded key-value pairs (the same request format used by browsers to submit form data).

The header "Content-Type: application/x-www-form-urlencoded" must also be present.

When URL-encoding, all bytes except ASCII letters, digits, underscore ("_"), period ("."), tilde ("~"), and hyphen ("-") are replaced by a percent sign ("%") followed by two hexadecimal digits containing the value of the byte. For example, a space is replaced with "%20" and an at-sign ("@") becomes "%40". Use only upper-case A through F for hexadecimal digits.

A request with parameters, as a complete URL, would look like this: https://api-XXXXXXXX.duosecurity.com/admin/v1/users?realname=First%20Last&username=root.

Response Format

Responses are formatted as a JSON object with a top-level stat key.

Successful responses will have a stat value of "OK" and a response key. The response will either be a single object or a sequence of other JSON types, depending on which endpoint is called.

{
  "stat": "OK",
  "response": {
    "key": "value"
  }
}

Values are returned as strings unless otherwise documented.

Unsuccessful responses will have a stat value of "FAIL", an integer code, and a message key that further describes the failure. A message_detail key may be present if additional information is available (like the specific parameter that caused the error).

{
  "stat": "FAIL",
  "code": 40002,
  "message": "Invalid request parameters",
  "message_detail": "username"
}

The HTTP response code will be the first three digits of the more specific code found inside the JSON object. Each endpoint's documentation lists HTTP response codes it can return. Additionally, all API endpoints that require a signed request can return the following HTTP response codes:

Response Meaning
200 The request completed successfully.
401 The "Authorization", "Date", and/or "Content-Type" headers were missing or invalid.
403 This integration is not authorized for this endpoint or the ikey was created for a different integration type (for example, using an Auth API ikey with Admin API endpoints).
405 The request's HTTP verb is not valid for this endpoint (for example, POST when only GET is supported).
429 The account has made too many requests of this type recently. Try again later.

Response Paging

Some API endpoints return a paged list of results on GET, up to the API endpoint's limit, or maximum results per page.

A successful response when the total results exceed the endpoint's default page size will include a metadata section with information about the total number of objects found and the results returned in the paged response. If the request returns no paging metadata, then either the endpoint does not support paged results or the total results do not exceed one page.

Specifying incorrect paging parameters results in a 400 invalid parameters response.

Metadata Information Description
total_objects An integer indicating the total number of objects retrieved by the API request across all pages of results.
next_offset

An integer indicating The offset from 0 at which to start the next paged set of results.

If not present in the metadata response, then there are no more pages of results left.

prev_offset An integer indicating the offset from 0 at which the previous paged set of results started. If you did not specify next_offset in the request, this defaults to 0 (the beginning of the results).

Use the metadata information returned to change the paging parameters for your request.

Paging Parameter Required? Description
limit Optional

The maximum number of records returned in a paged set of results.

Each endpoint that supports paged results has its own limit settings, specified like "Default: 100; Max: 300".

If a request specifies a value greater than the endpoint's maximum limit, max value is used.

offset Optional

The offset from 0 at which to start record retrieval.

When used with "limit", the handler will return "limit" records starting at the n-th record, where n is the offset.

Default: 0

To retrieve the full set of results for a request with paged results, repeat the call, specifying the offset parameter value, until there are no more results (indicated by the absence of next_offset).

Paging Metadata Examples:

The metadata response will look like these examples except where noted for an individual API endpoint.

This metadata information indicates that there are 951 total objects returned by that endpoint, and no offset or limit was specified so the response set defaulted to the first 100 objects:

{
    "metadata": {
        "next_offset": 100,
        "prev_offset": 0,
        "total_objects": 951
}

This metadata information indicates that the request specified offset=500 limit=200, so the response set was objects 500-699:

{
    "metadata": {
        "next_offset": 700,
        "prev_offset": 300,
        "total_objects": 11318
}

This metadata information indicates that there are 2342 total objects, and the request specified offset=2300 and used that endpoint's default limit of 100, so the response set was the end of the list (objects 2300-2342):

{
    "metadata": {
        "prev_offset": 2200,
        "total_objects": 2342
}

Authentication

The API uses HTTP Basic Authentication to authenticate requests. Use your Duo application's integration key as the HTTP Username.

Generate the HTTP Password as an HMAC signature of the request. This will be different for each request and must be re-generated each time.

To construct the signature, first build an ASCII string from your request, using the following components:

Component Description Example
date The current time, formatted as RFC 2822. This must be the same string as the "Date" header. Tue, 21 Aug 2012 17:29:18 -0000
method The HTTP method (uppercase) POST
host Your API hostname (lowercase) api-xxxxxxxx.duosecurity.com
path The specific API method's path /admin/v1/users
params

The URL-encoded list of key=value pairs, lexicographically sorted by key. These come from the request parameters (the URL query string for GET and DELETE requests or the request body for POST requests).

If the request does not have any parameters one must still include a blank line in the string that is signed.

Do not encode unreserved characters. Use upper-case hexadecimal digits A through F in escape sequences.

An example params list:

realname=First%20Last&username=root

Then concatenate these components with (line feed) newlines. For example:

Tue, 21 Aug 2012 17:29:18 -0000
POST
api-xxxxxxxx.duosecurity.com
/admin/v1/users
realname=First%20Last&username=root

GET requests also use this five-line format:

Tue, 21 Aug 2012 17:29:18 -0000
GET
api-xxxxxxxx.duosecurity.com
/admin/v1/users
username=root

Lastly, compute the HMAC-SHA1 of this canonical representation, using your Duo Admin API application's secret key as the HMAC key. Send this signature as hexadecimal ASCII (i.e. not raw binary data). Use HTTP Basic Authentication for the request, using your integration key as the username and the HMAC-SHA1 signature as the password. Signature validation is case-insensitive, so the signature may be upper or lowercase.

For example, here are the headers for the above POST request to api-XXXXXXXX.duosecurity.com/admin/v1/users, using DIWJ8X6AEYOR5OMC6TQ1 as the integration key and Zh5eGmUq9zpfQnyUIu5OL9iWoMMv5ZNmk3zLJ4Ep as the secret key:

Date: Tue, 21 Aug 2012 17:29:18 -0000
Authorization: Basic RElXSjhYNkFFWU9SNU9NQzZUUTE6YzFlZjQzNzY3YzNlYjNiMzI1OGRiZGRjYTZmOGQwOTQxZTA4NWI5Mg==
Host: api-XXXXXXXX.duosecurity.com
Content-Length: 35
Content-Type: application/x-www-form-urlencoded

Separate HTTP request header lines with CRLF newlines.

The following Python function can be used to construct the "Authorization" and "Date" headers:

import base64, email.utils, hmac, hashlib, urllib
  ​ ​
def sign(method, host, path, params, skey, ikey):
    """
    Return HTTP Basic Authentication ("Authorization" and "Date") headers.
    method, host, path: strings from request
    params: dict of request parameters
    skey: secret key
    ikey: integration key
    """
  ​
    # create canonical string
    now = email.utils.formatdate()
    canon = [now, method.upper(), host.lower(), path]
    args = []
    for key in sorted(params.keys()):
        val = params[key].encode("utf-8")
        args.append(
            '%s=%s' % (urllib.parse.
                       quote(key, '~'), urllib.parse.quote(val, '~')))
    canon.append('&'.join(args))
    canon = '\n'.join(canon)
  ​
    # sign canonical string
    sig = hmac.new(bytes(skey, encoding='utf-8'),
                   bytes(canon, encoding='utf-8'),
                   hashlib.sha1)
    auth = '%s:%s' % (ikey, sig.hexdigest())
  ​
    # return headers
    return {'Date': now, 'Authorization': 'Basic %s' % base64.b64encode(bytes(auth, encoding="utf-8")).decode()}
import base64, email, hmac, hashlib, urllib

def sign(method, host, path, params, skey, ikey):
    """
    Return HTTP Basic Authentication ("Authorization" and "Date") headers.
    method, host, path: strings from request
    params: dict of request parameters
    skey: secret key
    ikey: integration key
    """

    # create canonical string
    now = email.Utils.formatdate()
    canon = [now, method.upper(), host.lower(), path]
    args = []
    for key in sorted(params.keys()):
        val = params[key]
        if isinstance(val, unicode):
            val = val.encode("utf-8")
        args.append(
            '%s=%s' % (urllib.quote(key, '~'), urllib.quote(val, '~')))
    canon.append('&'.join(args))
    canon = '\n'.join(canon)

    # sign canonical string
    sig = hmac.new(skey, canon, hashlib.sha1)
    auth = '%s:%s' % (ikey, sig.hexdigest())

    # return headers
    return {'Date': now, 'Authorization': 'Basic %s' % base64.b64encode(auth)}

If you receive 401 error responses to your API requests, check the following:

  • Is the Authorization header correctly formatted? If not, you may receive a 40101 error.
  • Does your framework override the Date header? The HTTP Date: header must be exactly the same string as was signed. This could result in a 40103 error.
  • Are the Date and time zone used RFC 3339 compliant?? If not, you may get a 40104 or 40105 response.
  • Are the parameters lexicographically sorted?
  • Did you include a line for parameters when constructing the signature, even if you're not passing in any parameters?
  • Are any hex digits lower-case?
  • Are the Content-Length and Content-Type parameters correct? If not, your parameters may be ignored or you may receive a 40103 response because your signature considered parameters that the service didn't receive.

Groups

Get Group Info

This legacy v1 endpoint will be deprecated in the future. Consider migrating to the v2 endpoint.

The v1 groups endpoint limits the response to the first 4,000 group members. Requires "Grant resource - Read" API permission.

GET /admin/v1/groups/[group_id]

Parameters

This API endpoint has no parameters.

Response Codes

Response Meaning
200 Success.
404 Group with given ID was not found.

Response Format

Key Value
desc The group's description.
push_enabled

Legacy parameter; no effect if specified and always returns false. Use Duo Authentication Method policies to configure this setting.

sms_enabled

Legacy parameter; no effect if specified and always returns false. Use Duo Authentication Method policies to configure this setting.

voice_enabled

Legacy parameter; no effect if specified and always returns false. Use Duo Authentication Method policies to configure this setting.

mobile_otp_enabled

Legacy parameter; no effect if specified and always returns false. Use Duo Authentication Method policies to configure this setting.

group_id The group's ID.
name The group's name. If managed by directory sync, then the name returned here also indicates the source directory.
status The group's authentication status. See Retrieve Groups for a list of possible values.
users A list of the users in the group.

Example Response

{
  "response": {
    "desc": "Group description",
    "group_id": "DGBDKSSH37KSJ373JKSU",
    "mobile_otp_enabled": false,
    "name": "Group Name",
    "push_enabled": false,
    "sms_enabled": false,
    "status": "active",
    "users": [
      {
      "user_id": "DUJ424R8DP0OL5D4DAFJ",
      "username": "User A"
      },
      {
      "user_id": "DUJSP005D4DJFJ05HASD",
      "username": "User B"
      }
    ],
    "voice_enabled": false
  },
  "stat": "OK"
}

Integrations

Retrieve Integrations

This legacy v1 endpoint will be deprecated in the future. Consider migrating to the v3 endpoint.

Returns a paged list of integrations. To fetch all results, call repeatedly with the offset parameter as long as the result metadata has a next_offset value. This v1 API endpoint cannot retrieve Duo Single Sign-On applications and returns integrations' secret keys in plain text. Requires "Grant resource - Read" API permission.

GET /admin/v1/integrations

Parameters

Use the paging parameters to change the number of results shown in a response or to retrieve additional results. See Response Paging for details.

Paging Parameter Required? Description
limit Optional

The maximum number of records returned.

Default: 100; Max: 500

offset Optional

The offset from 0 at which to start record retrieval.

When used with "limit", the handler will return "limit" records starting at the n-th record, where n is the offset.

Default: 0

This API endpoint has no additional parameters.

Response Codes

Response Meaning
200 Success.

Response Format

Key Value
adminapi_admins

Integer value of 1 if the integration has been granted permission for Administrators methods; otherwise 0. Returned for all integration types but only applicable to Admin API integrations (adminapi type).

adminapi_admins_read

Integer value of 1 if the integration has been granted permission to read Administrators and Administrative Units objects; otherwise 0. Returned for all integration types but only applicable to Admin API integrations (adminapi type).

adminapi_allow_to_set_permissions

Integer value of 1 if the integration has been granted permission to change the permissions for Admin API integrations via the API. If set to 0 then permissions for Admin API applications must be set in the Duo Admin Panel. Returned for all integration types but only applicable to Admin API integrations (adminapi type).

adminapi_info

Integer value of 1 if the integration has been granted permission for Account Info methods; otherwise 0. Returned for all integration types but only applicable to Admin API integrations (adminapi type).

adminapi_integrations

Integer value of 1 if the integration has been granted permission for Integrations methods; otherwise 0. Returned for all integration types but only applicable to Admin API integrations (adminapi type).

adminapi_read_log

Integer value of 1 if the integration has been granted permission for Logs methods; otherwise 0. Returned for all integration types but only applicable to Admin API integrations (adminapi type).

adminapi_read_resource

Integer value of 1 if the integration has been granted permission to retrieve objects like users, phones, and hardware tokens; otherwise 0. Returned for all integration types but only applicable to Admin API integrations (adminapi type).

adminapi_settings

Integer value of 1 if the integration has been granted permission for Settings methods; otherwise 0. Returned for all integration types but only applicable to Admin API integrations (adminapi type).

adminapi_write_resource

Integer value of 1 if the integration has been granted permission to modify objects like users, phones, and hardware tokens; otherwise 0. Returned for all integration types but only applicable to Admin API integrations (adminapi type).

enroll_policy

Legacy parameter; no effect if specified and returns no value. Use Duo New User policies to configure this setting.

frameless_auth_prompt_enabled

Integer value of 1 if the integration has been updated to support Duo Universal Prompt, otherwise 0. Only appears for a given integration after Duo makes the frameless prompt available for that application, and the value is set to 1 automatically when Duo detects a frameless authentication for the integration.

greeting

Voice greeting read before the authentication instructions to users who authenticate with a phone callback.

groups_allowed

A list of groups, as group IDs, that are allowed to authenticate with the integration. If empty, all groups are allowed.

integration_key

Integration ID.

ip_whitelist

Legacy parameter; no effect if specified and always returns an empty list. Use Duo Authorized Network policies to configure this for an application.

ip_whitelist_enroll_policy

Legacy parameter; no effect if specified and always returns no value. Use Duo Authorized Network policies to configure this for an application.

name

The integration's name.

networks_for_api_access

A comma-separated list of IP addresses, IP ranges, or CIDRs specifying the networks allowed to access this API integration. Only returned for Accounts API and Admin API integrations.

notes

Description of the integration.

policy_key

The identifying policy key for the custom policy attached to the integration. Not shown if no policy attached to the integration.

prompt_v4_enabled

Integer value of 1 if Duo Universal Prompt is activated for the application, otherwise 0. Only appears for a given integration when frameless_auth_prompt_enabled is 1 (value set automatically when Duo detects a frameless authentication for the integration).

secret_key

Secret used when configuring systems to use this integration.

self_service_allowed

Integer value of 1 if users may use self-service from this integration's 2FA prompt to update authentication devices, otherwise false (default). Supported integrations display the interactive Duo authentication prompt in a web browser.

Note: The v1 API response does not include information about Duo Single Sign-On applications.

type

Integration type. Refer to Retrieve Integrations for a list of valid values.

Note: The v1 API response does not include information about Duo Single Sign-On applications.

trusted_device_days

Legacy parameter; no effect if specified and always returns no value. Use Duo Remembered Devices policies to configure this for an application.

username_normalization_policy

This controls whether or not usernames should be altered before trying to match them to a user account. One of:

Policy Description
"None" The username will be used as is.
"Simple" Both "DOMAIN\username" and "username@example.com" will be normalized to "username" when logging in.

Example Response

{
  "metadata": {
    "total_objects": 2
  },
  "response": [
    {
      "adminapi_admins": 0,
      "adminapi_admins_read": 0,
      "adminapi_allow_to_set_permissions": 0,
      "adminapi_info": 0,
      "adminapi_integrations": 0,
      "adminapi_read_log": 0,
      "adminapi_read_resource": 0,
      "adminapi_settings": 0,
      "adminapi_write_resource": 0,
      "enroll_policy": "",
      "frameless_auth_prompt_enabled": 1,
      "greeting": "Welcome to Duo.",
      "groups_allowed": [],
      "integration_key": "DIRWIH0ZZPV4G88B37VQ",
      "ip_whitelist": [],
      "ip_whitelist_enroll_policy": "",
      "name": "Web Application",
      "notes": "",
      "policy_key": "POHSLA8SP00LABDAD98Y",
      "prompt_v4_enabled": 1,
      "secret_key": "QO4ZLqQVRIOZYkHfdPDORfcNf8LeXIbCWwHazY7",
      "self_service_allowed": false,
      "trusted_device_days": 0,
      "type": "websdk",
      "username_normalization_policy": "None"
    },
    {
      "adminapi_admins": 0,
      "adminapi_admins_read": 0,
      "adminapi_allow_to_set_permissions": 0,
      "adminapi_info": 0,
      "adminapi_integrations": 0,
      "adminapi_read_log": 1,
      "adminapi_read_resource": 0,
      "adminapi_settings": 0,
      "adminapi_write_resource": 0,
      "enroll_policy": "",
      "greeting": "Welcome to Duo.",
      "groups_allowed": [],
      "integration_key": "DIRWIH0ZZPV4GJ05H7VQ",
      "name": "Admin API",
      "networks_for_api_access": "",
      "notes": "",
      "secret_key": "QO4ZLqQVRIOZYkHfdPDORj05h8LeXIbCWwHazY7",
      "self_service_allowed": false,
      "type": "adminapi",
      "username_normalization_policy": "None"
    }
  ]
  "stat": "OK"
}

Create Integration

This legacy v1 endpoint will be deprecated in the future. Consider migrating to the v3 endpoint.

Create a new integration. The new integration key and secret key are randomly generated and returned in the response. This v1 API endpoint cannot create Duo Single Sign-On applications and returns the integration's secret key in plain text. Requires "Grant applications" API permission.

POST /admin/v1/integrations

Parameters

Parameter Required? Description
name Required The name of the integration to create.
type Required

The type of the integration to create.

Refer to Retrieve Integrations for a list of valid values. Duo Single Sign-On applications can only be created using the v2 and v3 endpoints. Integrations of type "azure-ca" (Microsoft Azure Active Directory) "microsoft-eam" (Microsoft Entra ID: External Authentication Methods) may not be created via API. If an integration has reached the Duo end of support then new instances of that integration may not be created with the API.

adminapi_admins Optional

Set to 1to grant to grant an Admin API integration permission to create, modify, and delete all Administrators and Administrative Units objects.

Default: 0.

adminapi_admins_read Optional

Set to 1 to grant an Admin API integration permission to read Administrators and Administrative Units objects.

Default: 0.

adminapi_allow_to_set_permissions Optional Set to 1 to grant an Admin API integration permission to change the permissions for Admin API integrations via the API. If left at 0 then permissions for Admin API applications must be set in the Duo Admin Panel.

Default: 0.

adminapi_info Optional

Set to 1 to grant an Admin API integration permission for all Account Info methods.

Default: 0.
adminapi_integrations Optional

Set to 1to grant an Admin API integration permission for all Integrations methods.

Default: 0.
adminapi_read_log Optional

Set to 1to grant an Admin API integration permission for all Logs methods.

Default: 0.
adminapi_read_resource Optional Set to 1to grant an Admin API integration permission to retrieve objects like users, phones, and hardware tokens.

Default: 0.

adminapi_settings Optional

Set to 1to grant an Admin API integration permission for all Settings methods.

Default: 0.
adminapi_write_resource Optional Set to 1to grant an Admin API integration permission to create, modify, and delete objects like users, phones, and hardware tokens.

Default: 0.

enroll_policy Optional

Legacy parameter; no effect if specified and returns no value. Use Duo New User policies to configure this setting.

What to do after an unenrolled user passes primary authentication.
greeting Optional Voice greeting read before the authentication instructions to users who authenticate with a phone callback.
groups_allowed Optional A comma-separated list of group IDs that are allowed to authenticate with the integration. If empty, all groups are allowed.

Object limits: 100 groups per integration.

ip_whitelist Optional

Legacy parameter; no effect if specified and always returns an empty list. Use Duo Authorized Network policies to configure this for an application.

ip_whitelist_enroll_policy Optional

Legacy parameter; no effect if specified and always returns no value. Use Duo Authorized Network policies to configure this for an application.

What to do after a new user from a trusted IP completes primary authentication.
networks_for_api_access Optional A comma-separated list of IP addresses, IP ranges, or CIDRs specifying the networks allowed to access this API integration. Only applicable to Accounts API and Admin API integrations. A given API integration may apply a network restriction to itself via API; use a different API integration to apply the network restriction, or edit the API application in the Duo Admin Panel GUI.
notes Optional Description of the integration.
trusted_device_days Optional

Legacy parameter; no effect if specified and always returns 0. Use Duo Remembered Devices policies to configure this for an application.

self_service_allowed Optional Set to 1to grant an integration permission to allow users to manage their own devices. This is only supported by integrations which allow for self service configuration.
username_normalization_policy Optional

Policy for whether or not usernames should be altered before trying to match them to a user account. Refer to Retrieve Integrations for a list of valid values.

Response Codes

Response Meaning
200 Success. Returns the newly created integration.
400 Invalid or missing parameters, one-to-many object limit reached, integration already exists with the given name, or insufficient Admin API permissions.
500 Other internal error.

Response Format

Returns the created single integration object. Refer to Retrieve Integrations for an explanation of the object's keys.

Example Response

Same as Retrieve Integration by Integration Key.

Retrieve Integration by Integration Key

This legacy v1 endpoint will be deprecated in the future. Consider migrating to the v3 endpoint.

Return the single integration with integration_key. This v1 API endpoint cannot retrieve Duo Single Sign-On applications and returns the integration's secret key in plain text. Requires "Grant applications" API permission.

GET /admin/v1/integrations/[integration_key]

Parameters

This API endpoint has no parameters.

Response Codes

Response Meaning
200 Success.
404 No integration was found with the given integration_key.

Response Format

Returns the single integration object. Refer to Retrieve Integrations for an explanation of the object's keys.

Example Response

{
  "response": {
    "adminapi_admins": 0,
    "adminapi_admins_read": 0,
    "adminapi_allow_to_set_permissions": 0,
    "adminapi_info": 0,
    "adminapi_integrations": 0,
    "adminapi_read_log": 0,
    "adminapi_read_resource": 0,
    "adminapi_settings": 0,
    "adminapi_write_resource": 0,
    "enroll_policy": "",
    "frameless_auth_prompt_enabled": 1,
    "greeting": "Welcome to Duo.",
    "groups_allowed": [],
    "integration_key": "DIRWIH0ZZPV4G88B37VQ",
    "ip_whitelist": [],
    "ip_whitelist_enroll_policy": "",
    "name": "Web Application",
    "notes": "",
    "policy_key": "POHSL88SP00LABDAD98Y",
    "prompt_v4_enabled": 1,
    "secret_key": "QO4ZLqQVRIOZYkHfdPDORfcNf8LeXIbCWwHazY7",
    "self_service_allowed": false,
    "trusted_device_days": 0,
    "type": "websdk",
    "username_normalization_policy": "None"
  },
  "stat": "OK"
}

Modify Integration

This legacy v1 endpoint will be deprecated in the future. Consider migrating to the v3 endpoint.

Change the name, greeting, and/or notes of the integration with integration key integration_key, or reset its secret key. When modifying an Admin API integration permissions can also be added or removed. This v1 API endpoint cannot modifyDuo Single Sign-On applications and returns the integration's secret key in plain text. Requires "Grant applications" API permission.

POST /admin/v1/integrations/[integration_key]

Parameters

Parameter Required? Description
name Optional New name for the integration.
networks_for_api_access Optional A comma-separated list of IP addresses, IP ranges, or CIDRs specifying the networks allowed to access this API integration. Only applicable to Accounts API and Admin API integrations. A given API integration may apply a network restriction to itself via API; use a different API integration to apply the network restriction, or edit the API application in the Duo Admin Panel GUI.
adminapi_admins Optional

Set to 1 to grant an Admin API integration permission to create, modify, or delete Administrators and Administrative Units objects or 0 to remove access to them.

adminapi_admins_read Optional

Set to 1 to grant an Admin API integration permission to read Administrators and Administrative Units objects or 0 to remove access to them.

adminapi_allow_to_set_permissions Optional Set to 1 to grant an Admin API integration permission to change the permissions for Admin API integrations via the API or 0 to require that permissions for Admin API applications must be set in the Duo Admin Panel.
adminapi_info Optional

Set to 1to grant an Admin API integration permission for all Account Info methods or 0 to remove access to them.

adminapi_integrations Optional

Set to 1to grant an Admin API integration permission for all Integrations methods or 0 to remove access to them.

adminapi_read_log Optional

Set to 1to grant an Admin API integration permission for all Logs methods or 0 to remove access to them.

adminapi_read_resource Optional

Set to 1to grant an Admin API integration permission to retrieve objects like users, phones, and hardware tokens or 0 to remove access to them.

adminapi_settings Optional

Set to 1to grant an Admin API integration permission for all Settings methods or 0 to remove access to them.

adminapi_write_resource Optional Set to 1to grant an Admin API integration permission to create and modify objects like users, phones, and hardware tokens or 0 to remove access to them.
trusted_device_days Optional

Legacy parameter; no effect if specified and always returns 0. Use Duo Remembered Devices policies to configure this for an application.

Refer to Retrieve Integrations for a list of supported integrations.

enroll_policy Optional

Legacy parameter; no effect if specified and returns no value. Use Duo New User policies to configure this setting.

New policy for what to do after an unenrolled user passes primary authentication. Refer to Retrieve Integrations for a list of valid values.

greeting Optional New voice greeting. Will be read before the authentication instructions to users who authenticate with a phone callback.
groups_allowed Optional A comma-separated list of group IDs that are allowed to authenticate with the integration. If set to an empty string, all groups will be allowed.

Object limits: 100 groups per integration.

ip_whitelist Optional

Legacy parameter; no effect if specified and always returns an empty list. Use Duo Authorized Network policies to configure this for an application.

Refer to Retrieve Integrations for a list of supported integrations.

ip_whitelist_enroll_policy Optional

Legacy parameter; no effect if specified and always returns no value. Use Duo Authorized Network policies to configure this for an application.

New policy for what to do after a new user from a trusted IP completes primary authentication. Refer to Retrieve Integrations for a list of valid values.

notes Optional New description of the integration.
policy_key Optional

Specify the "Policy Key" value for a custom policy to attach it to the specified integration. Obtain a policy's key by viewing it in the Duo Admin Panel's "Policies" page or from the output of Retrieve Integrations. Leave the value blank to detach the currently attached policy from an integration.

prompt_v4_enabled Optional Set to 1 to activate Duo Universal Prompt for the application, or to 0 to revert back to traditional prompt. Only appears for a given integration when frameless_auth_prompt_enabled is 1 (value set automatically when Duo detects a frameless authentication for the integration).
reset_secret_key Optional If set to 1, resets the integration's secret key to a new, randomly generated value. The new secret key is returned in the return value. Attempting to reset the secret key for the same Admin API integration whose integration key and secret key are used to make this call will return an error. Can not be used with SSO applications.
self_service_allowed Optional Set to 1 to grant an integration permission to allow users to manage their own devices. This is only supported by integrations which allow for self service configuration.
username_normalization_policy Optional

New policy for whether or not usernames should be altered before trying to match them to a user account. Refer to Retrieve Integrations for a list of valid values.

Response Codes

Response Meaning
200

The integration was modified successfully. Also returns the integration object (see Retrieve Integration by Integration Key).

400 Invalid or missing parameters, one-to-many object limit reached, an integration already exists with the given name, insufficient Admin API permissions, or attempting to reset the secret key used to sign this API request.
404 No integration was found with the given integration_key.
500 Other internal error.

Response Format

Returns the modified single integration object. Refer to Retrieve Integrations for an explanation of the object's keys.

Example Response

Same as Retrieve Integration by Integration Key.

Delete Integration

This legacy v1 endpoint will be deprecated in the future. Consider migrating to the v3 endpoint.

WARNING: Deleting an integration from Duo can block user logins!

Be sure to remove Duo authentication from your product's configuration before you delete the corresponding integration.

Depending on the application this could mean uninstalling Duo software from your systems, or updating your device or application settings to no longer include Duo in the authentication process.

There is no way to restore an integration deleted in error with Admin API.

Delete the integration with integration_key from the system. Attempting to delete the Admin API integration whose secret key is used to sign this request will return an error. This v1 API endpoint cannot delete Duo Single Sign-On applications. Requires "Grant applications" API permission.

DELETE /admin/v1/integrations/[integration_key]

Parameters

This API endpoint has no parameters.

Response Codes

Response Meaning
200 The integration was deleted or did not exist.
400 Attempting to delete the integration whose secret key was used to sign this API request.

Response Format

Empty string.

Example Response

{
  "stat": "OK",
  "response": ""
}

Logs

Authentication Logs

This legacy v1 endpoint will be deprecated in the future. Consider migrating to the v2 endpoint.

The v2 authentication logs endpoint provides new filtering and querying capabilities unavailable in the legacy v1 handler, like the ability to filter on users, groups, applications, authentication results, factors, and time ranges. Consider migrating to the new handler.

Returns a list of authentication log events ranging from the last 180 days up to as recently as two minutes before the API request. There is an intentional two minute delay in availability of new authentications in the API response. Duo operates a large scale distributed system, and this two minute buffer period ensures that calls will return consistent results. Querying for results more recent than two minutes will return as empty. Requires "Grant read log" API permission.

The 1000 earliest events will be returned; you may need to call this multiple times with mintime to page through the entire log. Note that more or fewer than 1000 events may be returned depending on how many actual events exist for the specified mintime.

We recommend requesting logs no more than once per minute.

GET /admin/v1/logs/authentication

Parameters

Parameter Required? Description
mintime Optional

Only return records that have a Unix timestamp in seconds of mintime or later. Use mintime+1 to avoid receiving duplicate data.

Response Codes

Response Meaning
200 Success.

Response Format

Key Value
access_device

Browser, plugin, and operating system information for the endpoint used to access the Duo-protected resource. Values present only when the application accessed features Duo's inline browser prompt.

This information is available to Duo Premier and Duo Advantage plan customers.

browser The web browser used for access.
browser_version The browser version.
flash_version The Flash plugin version used, if present, otherwise "uninstalled".
java_version The Java plugin version used, if present, otherwise "uninstalled".
os The device operating system name.
os_version The device operating system version.
trusted_endpoint_status

Shows whether the endpoint is a Duo managed endpoint. One of "trusted", "not trusted", "unknown", or "error". Returned for Duo Premier customers only.

alias The username alias used to log in. No value if the user logged in with their username instead of a username alias.
device Device used to authenticate, if present, otherwise none.
email The email address of the user, if known to Duo, otherwise none.
factor

The authentication factor. One of: "Bypass Code", "Digipass GO 7 Token", "Duo Desktop", "Duo Mobile Inline Auth", "Duo Mobile Passcode", "Duo Mobile Passcode (HOTP)", "Duo Mobile Passcode (TOTP)", "Duo Push", "Passcode", "Phone Call", "Hardware Token", "Remembered Device", "Security Key (WebAuthn)", "SMS Passcode", "SMS Refresh", "Touch ID (WebAuthn)", "Trusted Network", "U2F Token", or "Yubikey Passcode".

integration The integration name.
ip The IP address that this request originated from.
isotimestamp

ISO8601 timestamp of the event.

location The GeoIP location from which the user authenticated, if available. The response may not include all location parameters.
city The city name.
state The state, county, province, or prefecture.
country The country code. Refer to ISO 3166 for a list of possible countries.
new_enrollment true if the user enrolled a new device at the authentication prompt; false if authenticated with a previously enrolled device.
ood_software

If authentication was denied due to out-of-date software, shows the name of the software, i.e. "Chrome", "Flash", etc.

No value if authentication was successful or authentication denial was not due to out-of-date software.

reason

Provide the reason for the authentication attempt result.

If result is "SUCCESS" then one of: "Allow unenrolled user", "Allowed by policy", "Bypass user", "Remembered device", "Trusted location", "Trusted network", "User approved", "Valid passcode".

If result is "FAILURE" then one of: "Anonymous IP", "Call timed out", "Couldn't determine if endpoint was trusted", "Denied by policy", "Deny unenrolled user", "Duo Mobile version restricted", "Endpoint is not in Management System", "Factor restricted", "Frequent attempts", "Invalid device", "Invalid passcode", "Location restricted", "Locked out", "No Duo certificate present", "No response", "No disk encryption", "No fingerprint", "No screen lock", "Out of date", "Platform restricted", "Rooted device", "Software Restricted", "User cancelled", "User is disabled", "User mistake", or "User provided an invalid certificate".

If result is "ERROR" then: "Error".

If result is "FRAUD" then: "User marked fraud".

Note that enrollment events have no associated reason.

result The result of the authentication attempt. One of: "success", "denied", "failure", "error", or "fraud".
timestamp An integer indicating the Unix timestamp of the event.
username The authenticating user's username.

Example Response

{
  "response": [{
      "access_device": {
           "browser": "Chrome",
           "browser_version": "56.0.2924.87",
           "flash_version": "25.0.0.0",
           "java_version": "1.8.0.92",
           "os": "Mac OS X",
           "os_version": "10.11"
           "trusted_endpoint_status": "trusted"
      },
      "alias": "john.smith",
      "device": "503-555-1000",
      "email": "jsmith@example.com",
      "factor": "Duo Push",
      "integration": "Acme Intranet",
      "ip": "192.168.0.1",
      "isotimestamp": "2020-02-13T18:56:20.351346+00:00",
      "location": {
           "city": "Ann Arbor",
           "state": "Michigan",
           "country": "US"
      },
      "new_enrollment": false,
      "ood_software": "",
      "reason": "User approved",
      "result": "SUCCESS",
      "timestamp": 1581620180,
      "username": "jsmith"
  }],
  "stat": "OK"
}

Telephony Logs

This legacy v1 endpoint will be deprecated in the future. Consider migrating to the v2 endpoint.

The v2 telephony logs endpoint provides new querying capabilities and contextual information for events unavailable in the legacy v1 handler. Consider migrating to the new handler.

Returns a list of telephony log events. Only the 1000 earliest events will be returned; you may need to call this multiple times with mintime to page through the entire log. Requires "Grant read log" API permission.

We recommend requesting logs no more than once per minute.

GET /admin/v1/logs/telephony

Parameters

Parameter Required? Description
mintime Optional Only return records that have a Unix timestamp in seconds after mintime. This can help to avoid fetching records that have already been retrieved.

Response Codes

Response Meaning
200 Success.

Response Format

Key Value
context How this telephony event was initiated. One of: "administrator login", "authentication", "enrollment", or "verify".
credits How many telephony credits this event cost.
isotimestamp

ISO8601 timestamp of the event.

phone The phone number that initiated this event.
timestamp An integer indicating the Unix timestamp of the event.
type The event type. Either "sms" or "phone".

Example Response

{
  "stat": "OK",
  "response": [{
      "context": "authentication",
      "credits": 1,
      "isotimestamp": "2020-03-20T15:38:12+00:00",
      "phone": "+15035550100",
      "timestamp": 1584718692,
      "type": "sms"
  }]
}