Authentication

The Catalyst Center APIs use token-based authentication. Users must first send their credentials using Basic Authentication to the authentication endpoint /dna/system/api/v1/auth/token. The HTTP method for this endpoint is POST.

Basic Authentication

Authentication is done by using the Basic authentication scheme, as defined in RFC 7617.

The credentials take the form USERNAME:PASSWORD and must be base64 encoded. The encoded string is then sent in the Authorization header. Because base64 is an encoding, not encryption, the credentials travel in clear text; therefore, it's highly recommended to do this only over an HTTPS/TLS connection.

AES Key Encryption

Catalyst Center now supports AES key encryption for the token API. This optional feature formats the Authorization header as a base64-encoded string of the credentials encrypted with a 256-bit AES key.

The format of the string is CSCO-AES-256 credentials=Base64Encode(AESEncrypt(username:password, aes256 key)).

AESEncrypt first encrypts the username:password pair with the 256-bit AES key, and Base64Encode then encodes the result as a base64 string.

The AES256 scheme performs authorization as defined in RFC 2617.

Note:

  • You can enable AES key encryption in the Catalyst Center system configuration.
  • If you disable AES key encryption in the Catalyst Center system configuration, Basic authentication is used by default.

Token

After successful authentication, the user receives a token from the API endpoint. The user must include this token in every subsequent request in the X-Auth-Token header.

Validity of a Token

The lifetime of a token is 60 minutes.

When the token expires, the APIs return a 401 UNAUTHORIZED response code. In that case, the user must request a new token by repeating the authentication process.
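The following is an added example (not Cisco's own code) of a small Python client that builds the RFC 7617 Basic header, obtains a token from the endpoint above, sends it in X-Auth-Token, and re-authenticates both before the 60-minute lifetime runs out and when a request comes back 401. The response field name `Token`, the injectable `transport`/`clock` parameters and the use of urllib are assumptions made for this example.

```python
import base64
import json
import time
import urllib.request
import urllib.error

AUTH_PATH = "/dna/system/api/v1/auth/token"   # endpoint named on the page
TOKEN_LIFETIME_SEC = 60 * 60                   # page: a token is valid for 60 minutes


def basic_auth_header(username, password):
    # RFC 7617: "Basic " + base64(USERNAME:PASSWORD). base64 is only an
    # encoding, so this header must travel over HTTPS/TLS.
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def _urllib_transport(method, url, headers, body=None):
    # Default HTTPS transport (assumption); urllib verifies the server
    # certificate chain by default, which is what we want for credentials.
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class CatalystCenterClient:
    def __init__(self, base_url, username, password,
                 transport=_urllib_transport, clock=time.monotonic):
        self._base = base_url.rstrip("/")
        self._auth_header = basic_auth_header(username, password)
        self._transport = transport   # injectable so the client can be tested offline
        self._clock = clock
        self._token = None
        self._token_expires = 0.0

    def authenticate(self):
        # POST credentials once; afterwards only the token is sent.
        status, body = self._transport("POST", self._base + AUTH_PATH,
                                       {"Authorization": self._auth_header})
        if status != 200:
            raise PermissionError(f"authentication failed with HTTP {status}")
        self._token = json.loads(body)["Token"]   # field name is an assumption
        # Refresh one minute early so a request does not straddle expiry.
        self._token_expires = self._clock() + TOKEN_LIFETIME_SEC - 60
        return self._token

    def request(self, method, path, body=None):
        if self._token is None or self._clock() >= self._token_expires:
            self.authenticate()
        headers = {"X-Auth-Token": self._token}
        status, data = self._transport(method, self._base + path, headers, body)
        if status == 401:   # page: expired token -> 401 UNAUTHORIZED; re-auth once and retry
            headers["X-Auth-Token"] = self.authenticate()
            status, data = self._transport(method, self._base + path, headers, body)
        return status, data
```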

For information on creating a script to authenticate and obtain the authorization token, see Authentication and Authorization.

To authenticate using Postman, see Generating an Authorization Token.