generated: '2026-07-11' method: derived source: openapi/palo-alto-aiops-ngfw-bpa-api-openapi-original.yml, openapi/palo-alto-autonomous-dem-api-openapi-original.yml, openapi/palo-alto-cloud-ngfw-api-openapi-original.yml, openapi/palo-alto-cortex-xdr-api-openapi-original.yml, openapi/palo-alto-cortex-xpanse-api-openapi-original.yml, openapi/palo-alto-cortex-xsiam-api-openapi-original.yml, openapi/palo-alto-cortex-xsoar-api-openapi-original.yml, openapi/palo-alto-dlp-api-openapi-original.yml, openapi/palo-alto-dns-security-api-openapi-original.yml, openapi/palo-alto-email-dlp-api-openapi-original.yml, openapi/palo-alto-iot-security-api-openapi-original.yml, openapi/palo-alto-pan-os-rest-api-openapi-original.yml ... summary: types: - apiKey - http - oauth2 api_key_in: - header oauth2_flows: - clientCredentials schemes: - name: oauth2Bearer type: http scheme: bearer bearerFormat: JWT description: OAuth 2.0 Bearer token for SASE platform authentication. Obtain using the client_credentials grant with your SASE service account client ID and client secret. sources: - openapi/palo-alto-aiops-ngfw-bpa-api-openapi-original.yml - openapi/palo-alto-dlp-api-openapi-original.yml - openapi/palo-alto-email-dlp-api-openapi-original.yml - openapi/palo-alto-prisma-access-browser-api-openapi-original.yml - openapi/palo-alto-prisma-access-insights-api-openapi-original.yml - openapi/palo-alto-prisma-airs-ai-red-teaming-api-openapi-original.yml - openapi/palo-alto-prisma-cloud-compute-api-openapi-original.yml - openapi/palo-alto-prisma-cloud-cspm-api-openapi-original.yml - openapi/palo-alto-prisma-cloud-dspm-api-openapi-original.yml - openapi/palo-alto-prisma-cloud-mssp-api-openapi-original.json - openapi/palo-alto-saas-security-api-openapi-original.yml - openapi/palo-alto-sase-5g-api-openapi-original.yml - openapi/palo-alto-sase-aggregate-monitoring-api-openapi-original.yml - openapi/palo-alto-sase-config-orchestration-api-openapi-original.yml - openapi/palo-alto-sase-iam-api-openapi-original.yml - openapi/palo-alto-sase-multitenant-notifications-api-openapi-original.yml - openapi/palo-alto-sase-subscription-api-openapi-original.yml - openapi/palo-alto-sase-tenancy-api-openapi-original.yml - openapi/palo-alto-sspm-api-openapi-original.yml - openapi/palo-alto-strata-cloud-manager-api-openapi-original.yml - openapi/palo-alto-strata-logging-service-api-openapi-original.yml - openapi/palo-alto-ztna-connector-api-openapi-original.yml - name: oauth2 type: oauth2 flows: - flow: clientCredentials tokenUrl: https://auth.apps.paloaltonetworks.com/oauth2/access_token scopes: 0 description: OAuth 2.0 client credentials flow for obtaining an access token. Requires a client ID and client secret from the Palo Alto Networks SASE identity provider. sources: - openapi/palo-alto-autonomous-dem-api-openapi-original.yml - openapi/palo-alto-prisma-access-api-openapi-original.yml - openapi/palo-alto-prisma-sd-wan-api-openapi-original.yml - name: awsSigV4 type: apiKey in: header parameter: Authorization description: AWS Signature Version 4 (SigV4) signed request. Use an AWS IAM role or user with CloudNGFW IAM permissions. Sign requests using the service name cloudngfw and the target AWS region. Include x-amz-date and x-amz-security-token headers as required. sources: - openapi/palo-alto-cloud-ngfw-api-openapi-original.yml - openapi/palo-alto-cortex-xsoar-api-openapi-original.yml - name: xdrAuth type: apiKey in: header parameter: x-xdr-hmac-v2 description: 'Cortex XDR uses a custom HMAC-SHA256 authentication scheme. Each request requires four headers: x-xdr-auth-id (API key ID), x-xdr-nonce (64-character random string), x-xdr-timestamp (Unix epoch milliseconds), and x-xdr-hmac-v2 (SHA-256 hash of apikey + nonce + timestamp). Generate API keys from Cortex XDR Settings > Configurations > API Keys.' sources: - openapi/palo-alto-cortex-xdr-api-openapi-original.yml - openapi/palo-alto-cortex-xpanse-api-openapi-original.yml - openapi/palo-alto-cortex-xsiam-api-openapi-original.yml - name: dnsApiKey type: apiKey in: header parameter: X-DNS-API-APIKEY description: DNS Security API key. Requires an active DNS Security subscription associated with a Palo Alto Networks support account. Obtain from the DNS Security portal under API settings. sources: - openapi/palo-alto-dns-security-api-openapi-original.yml - name: keyId type: apiKey in: header parameter: X-Key-Id description: IoT Security API key identifier. Generated from the IoT Security portal under Settings > API Keys. sources: - openapi/palo-alto-iot-security-api-openapi-original.yml - name: accessKey type: apiKey in: header parameter: X-Access-Key description: IoT Security API access key. Generated alongside the key identifier from the IoT Security portal. sources: - openapi/palo-alto-iot-security-api-openapi-original.yml - name: apiKey type: apiKey in: header parameter: X-PAN-KEY description: PAN-OS API key generated via the /api/?type=keygen endpoint or from the web interface under Device > Administrators. The key is tied to an administrator account and inherits its role-based permissions. sources: - openapi/palo-alto-pan-os-rest-api-openapi-original.yml - name: apiKeyAuth type: apiKey in: header parameter: x-pan-token description: API key for authenticating requests to the Prisma AIRS API. Generate keys in the Palo Alto Networks AI Runtime Security console under Settings > API Keys. sources: - openapi/palo-alto-prisma-airs-api-openapi-original.yml - name: redlockAuth type: apiKey in: header parameter: x-redlock-auth description: JWT token obtained from the Prisma Cloud /login endpoint. Pass the token value in the x-redlock-auth header. Tokens are valid for 10 minutes. sources: - openapi/palo-alto-prisma-cloud-code-security-api-openapi-original.yml - name: basicAuth type: http scheme: basic description: HTTP Basic authentication using Prisma Cloud Compute credentials. sources: - openapi/palo-alto-prisma-cloud-compute-api-openapi-original.yml - name: authKey type: http scheme: Bearer sources: - openapi/palo-alto-sase-multitenant-interconnect-api-openapi-original.yml - name: apiKey type: apiKey in: header parameter: X-API-KEY description: Threat Vault API key. Generate your API key from the Palo Alto Networks customer support portal or the Developer Portal at pan.dev. The API key controls access level and daily quota limits. sources: - openapi/palo-alto-threat-vault-api-openapi-original.yml