Frequently Asked Question

Proxmox API - Authentication
Last Updated 1 day ago

To configure an API token in Proxmox VE 9.x, you must create a token within the Proxmox Web UI and associate it with a specific user. This token is then used for authentication in API requests.

Please follow these steps:

1. Create the API Token

  1. Log in to the Proxmox VE Web UI.
  2. In the left-hand navigation tree, select the Datacenter node (the top-level node).
  3. Navigate to Permissions > Tokens.
  4. Click Create in the top right corner.
  5. Fill in the following details:
     • Token ID: Enter a descriptive name for the token (e.g., monitoring-token or backup-service).
     • Privilege Separation: Check this box if you want the token to have limited permissions rather than full admin rights.
     • Expire: Set an expiration date if required (optional).
  6. Click Create.

2. Assign Permissions to the Token

If you enabled Privilege Separation in the previous step, you must now assign specific roles and permissions to the token.

  1. In the Permissions > Tokens view, locate the token you just created.
  2. Click on the token name to open its configuration.
  3. In the Privileges section, you will see a list of available roles (e.g., Administrator, PVEAdmin, PVEUser, PVEAuditor).
  4. Select the appropriate role(s) based on the required access level:
     • Administrator: Full access to all resources.
     • PVEAdmin: Access to manage VMs, containers, storage, and network, but not cluster configuration.
     • PVEAuditor: Read-only access.
  5. You can also specify Path restrictions to limit the token’s access to specific nodes, VMs, or storage pools.
  6. Click Save.

3. Retrieve the Token Secret

  1. After creating the token, Proxmox will display the Token Secret (a long alphanumeric string) only once.
  2. Copy and securely store this secret immediately. It cannot be retrieved again from the UI.
  3. The full token identifier is usually in the format: username@realm!tokenname (e.g., admin@pam!monitoring-token).

4. Using the API Token

When making API requests, you must include the token in the request headers. Proxmox VE 9.x supports two methods for API authentication:

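Method A: Using the Authorization Header with PVEAPIToken (Recommended for simple scripts)

Include the following header in your HTTP requests. The value combines the full token identifier from step 3 with the token secret:

    Authorization: PVEAPIToken=<username>@<realm>!<token_name>=<token_secret>

Example using curl (-k skips TLS certificate verification, so omit it once the client trusts the node's certificate):

    curl -k -H "Authorization: PVEAPIToken=<username>@<realm>!<token_name>=<token_secret>" https://<proxmox_ip>:8006/api2/json/cluster/status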

Method B: Using Ticket-Based Authentication (More Secure)

  1. Obtain a Ticket:

Send a POST request to /api2/json/access/ticket with the username and token secret.

    curl -k -d "username=<username>@<realm>!<token_name>&password=<token_secret>" https://<proxmox_ip>:8006/api2/json/access/ticket

This returns a CSRFPreventionToken and a Ticket.

  2. Use the Ticket for Subsequent Requests:

Include the following headers in all subsequent API calls:

    Cookie: PVEAuthCookie=<Ticket>
    CSRFPreventionToken: <CSRFPreventionToken>

Important Notes

  • Security: Never expose the token secret in client-side code or public repositories. Use server-side proxies if client-side access is required.
  • Realm: Ensure the username realm (e.g., pam, pve, pve-ldap) is correct when constructing the token ID.
  • Permissions: Always follow the principle of least privilege. Assign only the permissions necessary for the token’s intended function.
  • Proxmox 9.x: The process remains consistent with previous versions, but ensure you are using the latest API documentation for any endpoint-specific changes.
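
The token identifier format from step 3 and the Security and Realm notes above, turned into a pre-flight check a script can run before it sends any request. This is an added example, not Proxmox code or part of the original FAQ; the function names, the allowed-realm set and the character classes in the pattern are assumptions.

```python
import os
import re
import stat

# Constructed pattern for "username@realm!tokenname"; the exact character
# classes are an assumption, tighten them to match your own naming policy.
TOKEN_ID_RE = re.compile(
    r"(?P<user>[^\s@!:/]+)@(?P<realm>[A-Za-z][\w.-]*)!(?P<token>[A-Za-z][\w.-]*)",
    re.ASCII,
)


def parse_token_id(full_id, allowed_realms):
    """Split a full token identifier and reject unexpected realms."""
    match = TOKEN_ID_RE.fullmatch(full_id)
    if match is None:
        raise ValueError("expected username@realm!tokenname")
    if match["realm"] not in allowed_realms:
        raise ValueError(f"realm {match['realm']!r} is not in the allowed set")
    return match["user"], match["realm"], match["token"]


def load_token_secret(path):
    """Read the secret from a regular file that only its owner can access."""
    info = os.lstat(path)  # lstat: a symlink is rejected, not followed
    if not stat.S_ISREG(info.st_mode):
        raise PermissionError(f"{path} is not a regular file")
    if stat.S_IMODE(info.st_mode) & 0o077:
        raise PermissionError(f"{path} is accessible by group or others")
    with open(path, encoding="utf-8") as handle:
        secret = handle.read().strip()
    if not secret:
        raise ValueError(f"{path} is empty")
    return secret


def redact(secret):
    """Shortened form of the secret that is safe to write to logs."""
    return secret[:4] + "..." if len(secret) > 8 else "***"


if __name__ == "__main__":
    import tempfile
    with tempfile.NamedTemporaryFile("w", delete=False) as tmp:  # mode 0600
        tmp.write("constructed-secret-value\n")  # constructed sample, not a real secret
    print(parse_token_id("admin@pam!monitoring-token", {"pam", "pve"}))
    print(redact(load_token_secret(tmp.name)))
    os.unlink(tmp.name)
```

Keeping the secret in a file with mode 0600 outside the repository keeps it out of both source control and the script itself.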
This FAQ was generated and/or edited by GAIN, GENs Artificial Intelligence Network and should not be considered 100% accurate. Always check facts and do your research, things change all the time. If you are unsure about any information provided, please raise a support ticket for clarification.