Contents
The Duo Admin API provides programmatic access to the administrative functionality of Duo Security's two-factor authentication platform.
Version 1 Note
The Admin API v1 handlers listed on this page remain supported, but will be deprecated in the future. These endpoints may not receive updates. If you're trying Admin API for the first time you should check out the current version.
Overview
Duo Admin API is automatically available to paying Duo Premier, Duo Advantage, and Duo Essentials plan customers and new customers with an Advantage or Premier trial. Learn how to sign up for a Duo account and receive a free 30-day Duo Advantage trial.
The Admin API lets developers integrate with Duo Security's platform at a low level. The API has methods for creating, retrieving, updating, and deleting the core objects in Duo's system: users, phones, hardware tokens, admins, and integrations.
Developers can write applications that programmatically read their Duo account's authentication logs, administrator logs, and telephony logs; read or update account settings; and retrieve reports and other information.
Review the API Details to see how to construct your first API request.
Are you a software vendor looking to integrate Duo into your application? Join our free Duo Technology Partner Program for developer accounts, joint marketing support, and more!
About Admin API Version 1
We have started implementing v2 and v3 handlers for endpoints. In these cases, the API v1 handlers listed on this page remain supported, but will be deprecated in the future. These endpoints may not receive updates. We encourage use of the most current endpoints where available and recommend migrating existing API implementations to the v2 or v3 handlers.
Admin API endpoints with v2 or v3 handlers implemented have their v1 handlers classified as legacy. Endpoints with only v1 handlers are considered most current and aren't legacy.
About the Admin API
Documented properties will not be removed within a stable version of the API. Once a given API endpoint is documented to return a given property, a property with that name will always appear (although certain properties may only appear under certain conditions, like if the customer is using a specific edition). When Duo deprecates a property, the API continues to accept that property in requests, although it no longer has any effect.
Properties that enumerate choices may gain new values at any time, e.g. the device platform value could return new device platforms that did not previously exist. Duo may cease to return legacy values for properties as well. Duo will update our API documentation with changes to property values in a timely fashion, adding new property values or indicating changes to existing property values.
New, undocumented properties may also appear at any time. For instance, Duo may make available a beta feature involving extra information returned by an API endpoint. Until the property is documented here its format may change or it may even be entirely removed from our API.
Please note that all Unix timestamps are in seconds, except where noted.
First Steps
Role required: Owner
Note that only administrators with the Owner role can create or modify an Admin API application in the Duo Admin Panel.
-
Sign up for a Duo account if you aren't already a customer. Your free 30-day Duo Advantage trial includes Admin API access.
-
Log in to the Duo Admin Panel and navigate to Applications → Protect an Application.
-
Locate the entry for Admin API in the applications list. Click Protect to the far-right to configure the application and get your integration key, secret key, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications with Duo and additional application options.
Treat your secret key like a passwordThe security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!
-
Determine the permissions you want to grant to this Admin API application. Refer to the API endpoint descriptions throughout this document for information about required permissions for operations.
Permission Details Grant administrators - Read The Admin API application can read information about Duo administrators and administrative units. Grant administrators - Write The Admin API application can read, add, modify, and delete information about Duo administrators and administrative units. Grant read information The Admin API application can read information about the Duo customer account's utilization. Grant applications The Admin API application can add, modify, and delete applications (referred to as "integrations" in the API), including permissions on itself or other Admin API applications. Grant settings The Admin API application can read and change global Duo account settings. Grant read log The Admin API application can read authentication, offline access, telephony, and administrator action log information. Grant resource - Read The Admin API application can read information about resource objects such as end users, policies, and devices. Grant resource - Write The Admin API application can create, update, and delete resource objects such as end users, policies, and devices. Grant set Admin API permissions The Admin API application can add or remove the permissions listed above via API for other Admin API applications. When this permission is not granted, permissions for an Admin API application must be set from the Duo Admin Panel. -
Optionally specify which IP addresses or ranges are allowed to use this Admin API application in Networks for API Access. If you do not specify any IP addresses or ranges, this Admin API application may be accessed from any network.
The Admin API performs the IP check after verifying the authentication signature in a request. If you restrict the allowed networks for API access and see logged events for blocked Admin API requests from unrecognized IP addresses, this may indicate compromise of your Admin API application's secret key.
This application communicates with Duo's service on SSL TCP port 443.
Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review Duo Knowledge Base article 1337.
Effective June 30, 2023, Duo no longer supports TLS 1.0 or 1.1 connections or insecure TLS/SSL cipher suites. See Duo Knowledge Base article 7546 for additional guidance.
API Clients
Duo Security has demonstration clients available on GitHub to call the Duo API methods.
- Python (duo_client_python)
- Java (duo_client_java)
- C# (duo_api_csharp)
- Go (duo_api_golang)
- Node (duo_api_nodejs)
- Ruby (duo_api_ruby)
- Perl (duo_api_perl)
- PHP (duo_api_php)
API Details
Base URL
All API methods use your API hostname, https://api-XXXXXXXX.duosecurity.com. Obtain this value from the Duo Admin Panel and use it exactly as shown there.
Methods always use HTTPS. Unsecured HTTP is not supported.
Request Format
All requests must have "Authorization" and "Date" headers.
If the request method is GET or DELETE, URL-encode parameters and send them in the URL query string like this: /admin/v1/users?realname=First%20Last&username=root. They still go on a separate line when creating the string to sign for an Authorization header.
Send parameters for POST requests in the body as URL-encoded key-value pairs (the same request format used by browsers to submit form data).
The header "Content-Type: application/x-www-form-urlencoded" must also be present.
When URL-encoding, all bytes except ASCII letters, digits, underscore ("_"), period ("."), tilde ("~"), and hyphen ("-") are replaced by a percent sign ("%") followed by two hexadecimal digits containing the value of the byte. For example, a space is replaced with "%20" and an at-sign ("@") becomes "%40". Use only upper-case A through F for hexadecimal digits.
A request with parameters, as a complete URL, would look like this: https://api-XXXXXXXX.duosecurity.com/admin/v1/users?realname=First%20Last&username=root.
Response Format
Responses are formatted as a JSON object with a top-level stat key.
Successful responses will have a stat value of "OK" and a
response key. The response will either
be a single object or a sequence of other JSON types, depending
on which endpoint is called.
{
"stat": "OK",
"response": {
"key": "value"
}
}Values are returned as strings unless otherwise documented.
Unsuccessful responses will have a stat value of "FAIL", an integer code, and a message key that further describes the failure. A message_detail key may be present if additional information is available (like the specific parameter that caused the error).
{
"stat": "FAIL",
"code": 40002,
"message": "Invalid request parameters",
"message_detail": "username"
}The HTTP response code will be the first three digits of the more specific code found inside the JSON object. Each endpoint's documentation lists HTTP response codes it can return. Additionally, all API endpoints that require a signed request can return the following HTTP response codes:
| Response | Meaning |
|---|---|
| 200 | The request completed successfully. |
| 401 | The "Authorization", "Date", and/or "Content-Type" headers were missing or invalid. |
| 403 | This integration is not authorized for this endpoint or the ikey was created for a different integration type (for example, using an Auth API ikey with Admin API endpoints). |
| 405 | The request's HTTP verb is not valid for this endpoint (for example, POST when only GET is supported). |
| 429 | The account has made too many requests of this type recently. Try again later. |
Response Paging
Some API endpoints return a paged list of results on GET, up to the API endpoint's limit, or maximum results per page.
A successful response when the total results exceed the endpoint's default page size will include a metadata section with information about the total number of objects found and the results returned in the paged response. If the request returns no paging metadata, then either the endpoint does not support paged results or the total results do not exceed one page.
Specifying incorrect paging parameters results in a 400 invalid parameters response.
| Metadata Information | Description |
|---|---|
total_objects |
An integer indicating the total number of objects retrieved by the API request across all pages of results. |
next_offset |
An integer indicating The offset from If not present in the metadata response, then there are no more pages of results left. |
prev_offset |
An integer indicating the offset from 0 at which the previous paged set of results started. If you did not specify next_offset in the request, this defaults to 0 (the beginning of the results). |
Use the metadata information returned to change the paging parameters for your request.
| Paging Parameter | Required? | Description |
|---|---|---|
limit |
Optional |
The maximum number of records returned in a paged set of results. Each endpoint that supports paged results has its own If a request specifies a value greater than the endpoint's maximum |
offset |
Optional |
The offset from When used with "limit", the handler will return "limit" records starting at the n-th record, where n is the offset. Default: |
To retrieve the full set of results for a request with paged results, repeat the call, specifying the offset parameter value, until there are no more results (indicated by the absence of next_offset).
Paging Metadata Examples:
The metadata response will look like these examples except where noted for an individual API endpoint.
This metadata information indicates that there are 951 total objects returned by that endpoint, and no offset or limit was specified so the response set defaulted to the first 100 objects:
{
"metadata": {
"next_offset": 100,
"prev_offset": 0,
"total_objects": 951
}This metadata information indicates that the request specified offset=500 limit=200, so the response set was objects 500-699:
{
"metadata": {
"next_offset": 700,
"prev_offset": 300,
"total_objects": 11318
}This metadata information indicates that there are 2342 total objects, and the request specified offset=2300 and used that endpoint's default limit of 100, so the response set was the end of the list (objects 2300-2342):
{
"metadata": {
"prev_offset": 2200,
"total_objects": 2342
}Authentication
The API uses HTTP Basic Authentication to authenticate requests. Use your Duo application's integration key as the HTTP Username.
Generate the HTTP Password as an HMAC signature of the request. This will be different for each request and must be re-generated each time.
To construct the signature, first build an ASCII string from your request, using the following components:
| Component | Description | Example |
|---|---|---|
date |
The current time, formatted as RFC 2822. This must be the same string as the "Date" header. | Tue, 21 Aug 2012 17:29:18 -0000 |
method |
The HTTP method (uppercase) | POST |
host |
Your API hostname (lowercase) | api-xxxxxxxx.duosecurity.com |
path |
The specific API method's path | /admin/v1/users |
params |
The URL-encoded list of If the request does not have any parameters one must still include a blank line in the string that is signed. Do not encode unreserved characters. Use upper-case hexadecimal digits A through F in escape sequences. |
An example realname=First%20Last&username=root
|
Then concatenate these components with (line feed) newlines. For example:
Tue, 21 Aug 2012 17:29:18 -0000
POST
api-xxxxxxxx.duosecurity.com
/admin/v1/users
realname=First%20Last&username=rootGET requests also use this five-line format:
Tue, 21 Aug 2012 17:29:18 -0000
GET
api-xxxxxxxx.duosecurity.com
/admin/v1/users
username=rootLastly, compute the HMAC-SHA1 of this canonical representation, using your Duo Admin API application's secret key as the HMAC key. Send this signature as hexadecimal ASCII (i.e. not raw binary data). Use HTTP Basic Authentication for the request, using your integration key as the username and the HMAC-SHA1 signature as the password. Signature validation is case-insensitive, so the signature may be upper or lowercase.
For example, here are the headers for the above POST request to api-XXXXXXXX.duosecurity.com/admin/v1/users, using DIWJ8X6AEYOR5OMC6TQ1 as the integration key and Zh5eGmUq9zpfQnyUIu5OL9iWoMMv5ZNmk3zLJ4Ep as the secret key:
Date: Tue, 21 Aug 2012 17:29:18 -0000
Authorization: Basic RElXSjhYNkFFWU9SNU9NQzZUUTE6YzFlZjQzNzY3YzNlYjNiMzI1OGRiZGRjYTZmOGQwOTQxZTA4NWI5Mg==
Host: api-XXXXXXXX.duosecurity.com
Content-Length: 35
Content-Type: application/x-www-form-urlencodedSeparate HTTP request header lines with CRLF newlines.
The following Python function can be used to construct the "Authorization" and "Date" headers:
import base64, email.utils, hmac, hashlib, urllib
def sign(method, host, path, params, skey, ikey):
"""
Return HTTP Basic Authentication ("Authorization" and "Date") headers.
method, host, path: strings from request
params: dict of request parameters
skey: secret key
ikey: integration key
"""
# create canonical string
now = email.utils.formatdate()
canon = [now, method.upper(), host.lower(), path]
args = []
for key in sorted(params.keys()):
val = params[key].encode("utf-8")
args.append(
'%s=%s' % (urllib.parse.
quote(key, '~'), urllib.parse.quote(val, '~')))
canon.append('&'.join(args))
canon = '\n'.join(canon)
# sign canonical string
sig = hmac.new(bytes(skey, encoding='utf-8'),
bytes(canon, encoding='utf-8'),
hashlib.sha1)
auth = '%s:%s' % (ikey, sig.hexdigest())
# return headers
return {'Date': now, 'Authorization': 'Basic %s' % base64.b64encode(bytes(auth, encoding="utf-8")).decode()}import base64, email, hmac, hashlib, urllib
def sign(method, host, path, params, skey, ikey):
"""
Return HTTP Basic Authentication ("Authorization" and "Date") headers.
method, host, path: strings from request
params: dict of request parameters
skey: secret key
ikey: integration key
"""
# create canonical string
now = email.Utils.formatdate()
canon = [now, method.upper(), host.lower(), path]
args = []
for key in sorted(params.keys()):
val = params[key]
if isinstance(val, unicode):
val = val.encode("utf-8")
args.append(
'%s=%s' % (urllib.quote(key, '~'), urllib.quote(val, '~')))
canon.append('&'.join(args))
canon = '\n'.join(canon)
# sign canonical string
sig = hmac.new(skey, canon, hashlib.sha1)
auth = '%s:%s' % (ikey, sig.hexdigest())
# return headers
return {'Date': now, 'Authorization': 'Basic %s' % base64.b64encode(auth)}If you receive 401 error responses to your API requests, check the following:
- Is the
Authorizationheader correctly formatted? If not, you may receive a 40101 error. - Does your framework override the
Dateheader? The HTTPDate:header must be exactly the same string as was signed. This could result in a 40103 error. - Are the
Dateand time zone used RFC 3339 compliant?? If not, you may get a 40104 or 40105 response. - Are the parameters lexicographically sorted?
- Did you include a line for parameters when constructing the signature, even if you're not passing in any parameters?
- Are any hex digits lower-case?
- Are the
Content-LengthandContent-Typeparameters correct? If not, your parameters may be ignored or you may receive a 40103 response because your signature considered parameters that the service didn't receive.
Groups
Get Group Info
This legacy v1 endpoint will be deprecated in the future. Consider migrating to the v2 endpoint.
The v1 groups endpoint limits the response to the first 4,000 group members. Requires "Grant resource - Read" API permission.
GET /admin/v1/groups/[group_id]Parameters
This API endpoint has no parameters.
Response Codes
| Response | Meaning |
|---|---|
| 200 | Success. |
| 404 | Group with given ID was not found. |
Response Format
| Key | Value |
|---|---|
desc
|
The group's description. |
push_enabled
|
Legacy parameter; no effect if specified and always returns |
sms_enabled
|
Legacy parameter; no effect if specified and always returns |
voice_enabled
|
Legacy parameter; no effect if specified and always returns |
mobile_otp_enabled
|
Legacy parameter; no effect if specified and always returns |
group_id
|
The group's ID. |
name
|
The group's name. If managed by directory sync, then the name returned here also indicates the source directory. |
status
|
The group's authentication status. See Retrieve Groups for a list of possible values. |
users
|
A list of the users in the group. |
Example Response
{
"response": {
"desc": "Group description",
"group_id": "DGBDKSSH37KSJ373JKSU",
"mobile_otp_enabled": false,
"name": "Group Name",
"push_enabled": false,
"sms_enabled": false,
"status": "active",
"users": [
{
"user_id": "DUJ424R8DP0OL5D4DAFJ",
"username": "User A"
},
{
"user_id": "DUJSP005D4DJFJ05HASD",
"username": "User B"
}
],
"voice_enabled": false
},
"stat": "OK"
}Integrations
Retrieve Integrations
This legacy v1 endpoint will be deprecated in the future. Consider migrating to the v3 endpoint.
Returns a paged list of integrations. To fetch all results, call repeatedly with the offset parameter as long as the result metadata has a next_offset value. This v1 API endpoint cannot retrieve Duo Single Sign-On applications and returns integrations' secret keys in plain text. Requires "Grant resource - Read" API permission.
GET /admin/v1/integrationsParameters
Use the paging parameters to change the number of results shown in a response or to retrieve additional results. See Response Paging for details.
| Paging Parameter | Required? | Description |
|---|---|---|
limit |
Optional |
The maximum number of records returned. Default: |
offset |
Optional |
The offset from When used with "limit", the handler will return "limit" records starting at the n-th record, where n is the offset. Default: |
This API endpoint has no additional parameters.
Response Codes
| Response | Meaning |
|---|---|
| 200 | Success. |
Response Format
| Key | Value | ||||||
|---|---|---|---|---|---|---|---|
adminapi_admins |
Integer value of |
||||||
adminapi_admins_read |
Integer value of |
adminapi_allow_to_set_permissions |
Integer value of |
||||
adminapi_info |
Integer value of |
||||||
adminapi_integrations |
Integer value of |
||||||
adminapi_read_log |
Integer value of |
||||||
adminapi_read_resource |
Integer value of |
||||||
adminapi_settings |
Integer value of |
||||||
adminapi_write_resource |
Integer value of |
||||||
enroll_policy |
Legacy parameter; no effect if specified and returns no value. Use Duo New User policies to configure this setting. |
||||||
frameless_auth_prompt_enabled |
Integer value of |
||||||
greeting |
Voice greeting read before the authentication instructions to users who authenticate with a phone callback. |
||||||
groups_allowed |
A list of groups, as group IDs, that are allowed to authenticate with the integration. If empty, all groups are allowed. |
||||||
integration_key |
Integration ID. |
||||||
ip_whitelist |
Legacy parameter; no effect if specified and always returns an empty list. Use Duo Authorized Network policies to configure this for an application. |
||||||
ip_whitelist_enroll_policy |
Legacy parameter; no effect if specified and always returns no value. Use Duo Authorized Network policies to configure this for an application. |
||||||
name |
The integration's name. |
||||||
networks_for_api_access |
A comma-separated list of IP addresses, IP ranges, or CIDRs specifying the networks allowed to access this API integration. Only returned for Accounts API and Admin API integrations. |
||||||
notes |
Description of the integration. |
||||||
policy_key |
The identifying policy key for the custom policy attached to the integration. Not shown if no policy attached to the integration. |
||||||
prompt_v4_enabled |
Integer value of |
||||||
secret_key |
Secret used when configuring systems to use this integration. |
||||||
self_service_allowed |
Integer value of Note: The v1 API response does not include information about Duo Single Sign-On applications. |
||||||
type |
Integration type. Refer to Retrieve Integrations for a list of valid values. Note: The v1 API response does not include information about Duo Single Sign-On applications. |
||||||
trusted_device_days |
Legacy parameter; no effect if specified and always returns no value. Use Duo Remembered Devices policies to configure this for an application. |
||||||
username_normalization_policy |
This controls whether or not usernames should be altered before trying to match them to a user account. One of:
|
Example Response
{
"metadata": {
"total_objects": 2
},
"response": [
{
"adminapi_admins": 0,
"adminapi_admins_read": 0,
"adminapi_allow_to_set_permissions": 0,
"adminapi_info": 0,
"adminapi_integrations": 0,
"adminapi_read_log": 0,
"adminapi_read_resource": 0,
"adminapi_settings": 0,
"adminapi_write_resource": 0,
"enroll_policy": "",
"frameless_auth_prompt_enabled": 1,
"greeting": "Welcome to Duo.",
"groups_allowed": [],
"integration_key": "DIRWIH0ZZPV4G88B37VQ",
"ip_whitelist": [],
"ip_whitelist_enroll_policy": "",
"name": "Web Application",
"notes": "",
"policy_key": "POHSLA8SP00LABDAD98Y",
"prompt_v4_enabled": 1,
"secret_key": "QO4ZLqQVRIOZYkHfdPDORfcNf8LeXIbCWwHazY7",
"self_service_allowed": false,
"trusted_device_days": 0,
"type": "websdk",
"username_normalization_policy": "None"
},
{
"adminapi_admins": 0,
"adminapi_admins_read": 0,
"adminapi_allow_to_set_permissions": 0,
"adminapi_info": 0,
"adminapi_integrations": 0,
"adminapi_read_log": 1,
"adminapi_read_resource": 0,
"adminapi_settings": 0,
"adminapi_write_resource": 0,
"enroll_policy": "",
"greeting": "Welcome to Duo.",
"groups_allowed": [],
"integration_key": "DIRWIH0ZZPV4GJ05H7VQ",
"name": "Admin API",
"networks_for_api_access": "",
"notes": "",
"secret_key": "QO4ZLqQVRIOZYkHfdPDORj05h8LeXIbCWwHazY7",
"self_service_allowed": false,
"type": "adminapi",
"username_normalization_policy": "None"
}
]
"stat": "OK"
}Create Integration
This legacy v1 endpoint will be deprecated in the future. Consider migrating to the v3 endpoint.
Create a new integration. The new integration key and secret key are randomly generated and returned in the response. This v1 API endpoint cannot create Duo Single Sign-On applications and returns the integration's secret key in plain text. Requires "Grant applications" API permission.
POST /admin/v1/integrationsParameters
| Parameter | Required? | Description |
|---|---|---|
name
|
Required | The name of the integration to create. |
type
|
Required |
The type of the integration to create. Refer to Retrieve Integrations for a list of valid values. Duo Single Sign-On applications can only be created using the v2 and v3 endpoints. Integrations of type "azure-ca" (Microsoft Azure Active Directory) "microsoft-eam" (Microsoft Entra ID: External Authentication Methods) may not be created via API. If an integration has reached the Duo end of support then new instances of that integration may not be created with the API. |
adminapi_admins
|
Optional |
Set to Default: |
adminapi_admins_read
|
Optional |
Set to Default: |
adminapi_allow_to_set_permissions
|
Optional |
Set to 1 to grant an Admin API integration permission to change the permissions for Admin API integrations via the API. If left at 0 then permissions for Admin API applications must be set in the Duo Admin Panel.
Default: |
adminapi_info
|
Optional |
Set to 0.
|
adminapi_integrations
|
Optional |
Set to 0.
|
adminapi_read_log
|
Optional |
Set to 0.
|
adminapi_read_resource
|
Optional |
Set to 1to grant an Admin API integration permission to retrieve objects like users, phones, and hardware tokens.
Default: |
adminapi_settings
|
Optional |
Set to 0.
|
adminapi_write_resource
|
Optional |
Set to 1to grant an Admin API integration permission to create, modify, and delete objects like users, phones, and hardware tokens.
Default: |
enroll_policy
|
Optional |
Legacy parameter; no effect if specified and returns no value. Use Duo New User policies to configure this setting. What to do after an unenrolled user passes primary authentication. |
greeting
|
Optional | Voice greeting read before the authentication instructions to users who authenticate with a phone callback. |
groups_allowed
|
Optional |
A comma-separated list of group IDs that are allowed to authenticate with the integration. If empty, all groups are allowed.
Object limits: 100 groups per integration. |
ip_whitelist
|
Optional |
Legacy parameter; no effect if specified and always returns an empty list. Use Duo Authorized Network policies to configure this for an application. |
ip_whitelist_enroll_policy
|
Optional |
Legacy parameter; no effect if specified and always returns no value. Use Duo Authorized Network policies to configure this for an application. What to do after a new user from a trusted IP completes primary authentication. |
networks_for_api_access
|
Optional | A comma-separated list of IP addresses, IP ranges, or CIDRs specifying the networks allowed to access this API integration. Only applicable to Accounts API and Admin API integrations. A given API integration may apply a network restriction to itself via API; use a different API integration to apply the network restriction, or edit the API application in the Duo Admin Panel GUI. |
notes
|
Optional | Description of the integration. |
trusted_device_days
|
Optional |
Legacy parameter; no effect if specified and always returns |
self_service_allowed
|
Optional |
Set to 1to grant an integration permission to allow users to manage their own devices. This is only supported by integrations which allow for self service configuration.
|
username_normalization_policy
|
Optional |
Policy for whether or not usernames should be altered before trying to match them to a user account. Refer to Retrieve Integrations for a list of valid values. |
Response Codes
| Response | Meaning |
|---|---|
| 200 | Success. Returns the newly created integration. |
| 400 |
Invalid or missing parameters, one-to-many object limit reached, integration already exists with the given name, or insufficient Admin API permissions.
|
| 500 | Other internal error. |
Response Format
Returns the created single integration object. Refer to Retrieve Integrations for an explanation of the object's keys.
Example Response
Same as Retrieve Integration by Integration Key.
Retrieve Integration by Integration Key
This legacy v1 endpoint will be deprecated in the future. Consider migrating to the v3 endpoint.
Return the single integration with integration_key. This v1 API endpoint cannot retrieve Duo Single Sign-On applications and returns the integration's secret key in plain text. Requires "Grant applications" API permission.
GET /admin/v1/integrations/[integration_key]Parameters
This API endpoint has no parameters.
Response Codes
| Response | Meaning |
|---|---|
| 200 | Success. |
| 404 |
No integration was found with the given integration_key.
|
Response Format
Returns the single integration object. Refer to Retrieve Integrations for an explanation of the object's keys.
Example Response
{
"response": {
"adminapi_admins": 0,
"adminapi_admins_read": 0,
"adminapi_allow_to_set_permissions": 0,
"adminapi_info": 0,
"adminapi_integrations": 0,
"adminapi_read_log": 0,
"adminapi_read_resource": 0,
"adminapi_settings": 0,
"adminapi_write_resource": 0,
"enroll_policy": "",
"frameless_auth_prompt_enabled": 1,
"greeting": "Welcome to Duo.",
"groups_allowed": [],
"integration_key": "DIRWIH0ZZPV4G88B37VQ",
"ip_whitelist": [],
"ip_whitelist_enroll_policy": "",
"name": "Web Application",
"notes": "",
"policy_key": "POHSL88SP00LABDAD98Y",
"prompt_v4_enabled": 1,
"secret_key": "QO4ZLqQVRIOZYkHfdPDORfcNf8LeXIbCWwHazY7",
"self_service_allowed": false,
"trusted_device_days": 0,
"type": "websdk",
"username_normalization_policy": "None"
},
"stat": "OK"
}Modify Integration
This legacy v1 endpoint will be deprecated in the future. Consider migrating to the v3 endpoint.
Change the name, greeting, and/or notes of the integration with integration key integration_key, or reset its secret key. When modifying an Admin API integration permissions can also be added or removed. This v1 API endpoint cannot modifyDuo Single Sign-On applications and returns the integration's secret key in plain text. Requires "Grant applications" API permission.
POST /admin/v1/integrations/[integration_key]Parameters
| Parameter | Required? | Description |
|---|---|---|
name
|
Optional | New name for the integration. |
networks_for_api_access
|
Optional | A comma-separated list of IP addresses, IP ranges, or CIDRs specifying the networks allowed to access this API integration. Only applicable to Accounts API and Admin API integrations. A given API integration may apply a network restriction to itself via API; use a different API integration to apply the network restriction, or edit the API application in the Duo Admin Panel GUI. |
adminapi_admins
|
Optional |
Set to |
adminapi_admins_read
|
Optional |
Set to |
adminapi_allow_to_set_permissions
|
Optional |
Set to 1 to grant an Admin API integration permission to change the permissions for Admin API integrations via the API or 0 to require that permissions for Admin API applications must be set in the Duo Admin Panel.
|
adminapi_info
|
Optional |
Set to |
adminapi_integrations
|
Optional |
Set to |
adminapi_read_log
|
Optional |
Set to |
adminapi_read_resource
|
Optional |
Set to |
adminapi_settings
|
Optional |
Set to |
adminapi_write_resource
|
Optional |
Set to 1to grant an Admin API integration permission to create and modify objects like users, phones, and hardware tokens or 0 to remove access to them.
|
trusted_device_days
|
Optional |
Legacy parameter; no effect if specified and always returns Refer to Retrieve Integrations for a list of supported integrations. |
enroll_policy
|
Optional |
Legacy parameter; no effect if specified and returns no value. Use Duo New User policies to configure this setting. New policy for what to do after an unenrolled user passes primary authentication. Refer to Retrieve Integrations for a list of valid values. |
greeting
|
Optional | New voice greeting. Will be read before the authentication instructions to users who authenticate with a phone callback. |
groups_allowed
|
Optional |
A comma-separated list of group IDs that are allowed to authenticate with the integration. If set to an empty string, all groups will be allowed.
Object limits: 100 groups per integration. |
ip_whitelist
|
Optional |
Legacy parameter; no effect if specified and always returns an empty list. Use Duo Authorized Network policies to configure this for an application. Refer to Retrieve Integrations for a list of supported integrations. |
ip_whitelist_enroll_policy
|
Optional |
Legacy parameter; no effect if specified and always returns no value. Use Duo Authorized Network policies to configure this for an application. New policy for what to do after a new user from a trusted IP completes primary authentication. Refer to Retrieve Integrations for a list of valid values. |
notes
|
Optional | New description of the integration. |
policy_key
|
Optional |
Specify the "Policy Key" value for a custom policy to attach it to the specified integration. Obtain a policy's key by viewing it in the Duo Admin Panel's "Policies" page or from the output of Retrieve Integrations. Leave the value blank to detach the currently attached policy from an integration. |
prompt_v4_enabled
|
Optional |
Set to 1 to activate Duo Universal Prompt for the application, or to 0 to revert back to traditional prompt. Only appears for a given integration when frameless_auth_prompt_enabled is 1 (value set automatically when Duo detects a frameless authentication for the integration).
|
reset_secret_key
|
Optional |
If set to 1, resets the integration's secret key to a new, randomly generated value. The new secret key is returned in the return value. Attempting to reset the secret key for the same Admin API integration whose integration key and secret key are used to make this call will return an error. Can not be used with SSO applications.
|
self_service_allowed
|
Optional |
Set to 1 to grant an integration permission to allow users to manage their own devices. This is only supported by integrations which allow for self service configuration.
|
username_normalization_policy
|
Optional |
New policy for whether or not usernames should be altered before trying to match them to a user account. Refer to Retrieve Integrations for a list of valid values. |
Response Codes
| Response | Meaning |
|---|---|
| 200 |
The integration was modified successfully. Also returns the integration object (see Retrieve Integration by Integration Key). |
| 400 |
Invalid or missing parameters, one-to-many object limit reached, an integration already exists with the given name, insufficient Admin API permissions, or attempting to reset the secret key used to sign this API request.
|
| 404 |
No integration was found with the given integration_key.
|
| 500 | Other internal error. |
Response Format
Returns the modified single integration object. Refer to Retrieve Integrations for an explanation of the object's keys.
Example Response
Same as Retrieve Integration by Integration Key.
Delete Integration
This legacy v1 endpoint will be deprecated in the future. Consider migrating to the v3 endpoint.
Be sure to remove Duo authentication from your product's configuration before you delete the corresponding integration.
Depending on the application this could mean uninstalling Duo software from your systems, or updating your device or application settings to no longer include Duo in the authentication process.
There is no way to restore an integration deleted in error with Admin API.
Delete the integration with integration_key from the system. Attempting to delete the Admin API integration whose secret key is used to sign this request will return an error. This v1 API endpoint cannot delete Duo Single Sign-On applications. Requires "Grant applications" API permission.
DELETE /admin/v1/integrations/[integration_key]Parameters
This API endpoint has no parameters.
Response Codes
| Response | Meaning |
|---|---|
| 200 | The integration was deleted or did not exist. |
| 400 | Attempting to delete the integration whose secret key was used to sign this API request. |
Response Format
Empty string.
Example Response
{
"stat": "OK",
"response": ""
}Logs
Authentication Logs
This legacy v1 endpoint will be deprecated in the future. Consider migrating to the v2 endpoint.
The v2 authentication logs endpoint provides new filtering and querying capabilities unavailable in the legacy v1 handler, like the ability to filter on users, groups, applications, authentication results, factors, and time ranges. Consider migrating to the new handler.
Returns a list of authentication log events ranging from the last 180 days up to as recently as two minutes before the API request. There is an intentional two minute delay in availability of new authentications in the API response. Duo operates a large scale distributed system, and this two minute buffer period ensures that calls will return consistent results. Querying for results more recent than two minutes will return as empty. Requires "Grant read log" API permission.
The 1000 earliest events will be returned; you may need to call this multiple times with mintime to page through the entire log. Note that more or fewer than 1000 events may be returned depending on how many actual events exist for the specified mintime.
We recommend requesting logs no more than once per minute.
GET /admin/v1/logs/authenticationParameters
| Parameter | Required? | Description |
|---|---|---|
mintime
|
Optional |
Only return records that have a Unix |
Response Codes
| Response | Meaning |
|---|---|
| 200 | Success. |
Response Format
| Key | Value | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
access_device
|
Browser, plugin, and operating system information for the endpoint used to access the Duo-protected resource. Values present only when the application accessed features Duo's inline browser prompt. This information is available to Duo Premier and Duo Advantage plan customers.
|
||||||||||||||
alias
|
The username alias used to log in. No value if the user logged in with their username instead of a username alias.
|
||||||||||||||
device
|
Device used to authenticate, if present, otherwise none. | ||||||||||||||
email
|
The email address of the user, if known to Duo, otherwise none. | ||||||||||||||
factor
|
The authentication factor. One of: "Bypass Code", "Digipass GO 7 Token", "Duo Desktop", "Duo Mobile Inline Auth", "Duo Mobile Passcode", "Duo Mobile Passcode (HOTP)", "Duo Mobile Passcode (TOTP)", "Duo Push", "Passcode", "Phone Call", "Hardware Token", "Remembered Device", "Security Key (WebAuthn)", "SMS Passcode", "SMS Refresh", "Touch ID (WebAuthn)", "Trusted Network", "U2F Token", or "Yubikey Passcode". |
||||||||||||||
integration
|
The integration name. | ||||||||||||||
ip
|
The IP address that this request originated from. | ||||||||||||||
isotimestamp
|
ISO8601 timestamp of the event. |
||||||||||||||
location
|
The GeoIP location from which the user authenticated, if available. The response may not include all location parameters.
|
||||||||||||||
new_enrollment
|
true if the user enrolled a new device at the authentication prompt; false if authenticated with a previously enrolled device.
|
||||||||||||||
ood_software
|
If authentication was denied due to out-of-date software, shows the name of the software, i.e. "Chrome", "Flash", etc. No value if authentication was successful or authentication denial was not due to out-of-date software. |
||||||||||||||
reason
|
Provide the reason for the authentication attempt result. If result is "SUCCESS" then one of: "Allow unenrolled user", "Allowed by policy", "Bypass user", "Remembered device", "Trusted location", "Trusted network", "User approved", "Valid passcode". If result is "FAILURE" then one of: "Anonymous IP", "Call timed out", "Couldn't determine if endpoint was trusted", "Denied by policy", "Deny unenrolled user", "Duo Mobile version restricted", "Endpoint is not in Management System", "Factor restricted", "Frequent attempts", "Invalid device", "Invalid passcode", "Location restricted", "Locked out", "No Duo certificate present", "No response", "No disk encryption", "No fingerprint", "No screen lock", "Out of date", "Platform restricted", "Rooted device", "Software Restricted", "User cancelled", "User is disabled", "User mistake", or "User provided an invalid certificate". If result is "ERROR" then: "Error". If result is "FRAUD" then: "User marked fraud". Note that enrollment events have no associated |
||||||||||||||
result
|
The result of the authentication attempt. One of: "success", "denied", "failure", "error", or "fraud". | ||||||||||||||
timestamp
|
An integer indicating the Unix timestamp of the event. | ||||||||||||||
username
|
The authenticating user's username. |
Example Response
{
"response": [{
"access_device": {
"browser": "Chrome",
"browser_version": "56.0.2924.87",
"flash_version": "25.0.0.0",
"java_version": "1.8.0.92",
"os": "Mac OS X",
"os_version": "10.11"
"trusted_endpoint_status": "trusted"
},
"alias": "john.smith",
"device": "503-555-1000",
"email": "jsmith@example.com",
"factor": "Duo Push",
"integration": "Acme Intranet",
"ip": "192.168.0.1",
"isotimestamp": "2020-02-13T18:56:20.351346+00:00",
"location": {
"city": "Ann Arbor",
"state": "Michigan",
"country": "US"
},
"new_enrollment": false,
"ood_software": "",
"reason": "User approved",
"result": "SUCCESS",
"timestamp": 1581620180,
"username": "jsmith"
}],
"stat": "OK"
}Telephony Logs
This legacy v1 endpoint will be deprecated in the future. Consider migrating to the v2 endpoint.
The v2 telephony logs endpoint provides new querying capabilities and contextual information for events unavailable in the legacy v1 handler. Consider migrating to the new handler.
Returns a list of telephony log events. Only the 1000 earliest events will be returned; you may need to call this multiple times with mintime to page through the entire log. Requires "Grant read log" API permission.
We recommend requesting logs no more than once per minute.
GET /admin/v1/logs/telephonyParameters
| Parameter | Required? | Description |
|---|---|---|
mintime
|
Optional |
Only return records that have a Unix timestamp in seconds after mintime. This can help to avoid fetching records that have already been retrieved.
|
Response Codes
| Response | Meaning |
|---|---|
| 200 | Success. |
Response Format
| Key | Value |
|---|---|
context
|
How this telephony event was initiated. One of: "administrator login", "authentication", "enrollment", or "verify". |
credits
|
How many telephony credits this event cost. |
isotimestamp
|
ISO8601 timestamp of the event. |
phone
|
The phone number that initiated this event. |
timestamp
|
An integer indicating the Unix timestamp of the event. |
type
|
The event type. Either "sms" or "phone". |
Example Response
{
"stat": "OK",
"response": [{
"context": "authentication",
"credits": 1,
"isotimestamp": "2020-03-20T15:38:12+00:00",
"phone": "+15035550100",
"timestamp": 1584718692,
"type": "sms"
}]
}