Authenticate. For internal use.

POST /authentication

API scripts are recommended to use the Login call instead of separate Authentication and Authorization calls.

The first step of logging in is sending the credentials and retrieving a partial AuthToken. If the response contains "needTwoFactorAuth": true, then either the API user must be exempt from Admin MFA or the two-step MFA process must be completed before Authorization.
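The request body and the branches of the flow just described, as an added example that is not Appgate's own code: it assembles the Login body with the per-provider required fields from the parameter table, keeps deviceId stable across runs by persisting it (the file location is an assumption), and maps the documented status codes to the next step. The rendered reference loses the nesting of the response object, so the code looks for needTwoFactorAuth both inside "user" and at the top level; the sample responses are constructed. Sending the request is left to whatever HTTP client the script uses.

```python
import uuid
from dataclasses import dataclass
from enum import Enum
from pathlib import Path
from typing import Optional


class LoginState(Enum):
    AUTHENTICATED = "authenticated"  # full AuthToken, usable for subsequent API calls
    MFA_REQUIRED = "mfa_required"    # partial AuthToken; finish MFA (or be exempt) first
    LOGIN_FAILED = "login_failed"    # 401
    BAD_REQUEST = "bad_request"      # 400 / 406 / 422
    SERVER_ERROR = "server_error"    # 500 or anything unexpected


@dataclass
class LoginResult:
    state: LoginState
    token: Optional[str] = None
    expires: Optional[str] = None
    detail: str = ""


def stable_device_id(path) -> str:
    """deviceId must be the same UUID for every login from this server, so it is
    generated once and persisted (file path chosen by the caller; assumption)."""
    p = Path(path)
    if p.exists():
        return str(uuid.UUID(p.read_text().strip()))  # re-validate what was stored
    new_id = str(uuid.uuid4())
    p.write_text(new_id)
    return new_id


def build_login_body(provider_name, device_id, username=None, password=None,
                     saml_response=None, id_token=None, access_token=None):
    """Assemble the Login body, enforcing the per-provider required fields."""
    uuid.UUID(device_id)  # deviceId must be a UUID; raises ValueError otherwise
    body = {"providerName": provider_name, "deviceId": device_id}
    if username is not None or password is not None:
        if not (username and password):
            raise ValueError("credentials provider requires both username and password")
        body.update(username=username, password=password)
    elif saml_response is not None:
        body["samlResponse"] = saml_response
    elif id_token is not None or access_token is not None:
        if not (id_token and access_token):
            raise ValueError("OIDC provider requires both idToken and accessToken")
        body.update(idToken=id_token, accessToken=access_token)
    else:
        raise ValueError("no credential material supplied")
    return body


def interpret_login_response(status: int, payload: dict) -> LoginResult:
    """Map an HTTP status and decoded JSON body to the next step of the flow."""
    if status == 200:
        user = payload.get("user") or {}
        need_mfa = user.get("needTwoFactorAuth", payload.get("needTwoFactorAuth", False))
        if need_mfa:
            # Partial token: only good for completing MFA, not for other API calls.
            return LoginResult(LoginState.MFA_REQUIRED, payload.get("token"),
                               payload.get("expires"), "admin MFA must be completed")
        return LoginResult(LoginState.AUTHENTICATED, payload["token"],
                           payload.get("expires"), payload.get("messageOfTheDay", ""))
    if status == 401:
        return LoginResult(LoginState.LOGIN_FAILED,
                           detail=payload.get("reason") or payload.get("message", ""))
    if status == 422:
        details = "; ".join(f"{e['field']}: {e['message']}" for e in payload.get("errors", []))
        return LoginResult(LoginState.BAD_REQUEST, detail=details or payload.get("message", ""))
    if status in (400, 406):
        return LoginResult(LoginState.BAD_REQUEST, detail=payload.get("message", ""))
    return LoginResult(LoginState.SERVER_ERROR, detail=payload.get("message", f"HTTP {status}"))


# Constructed sample responses shaped like the reference; all values are made up.
SAMPLE_OK = {"user": {"name": "admin", "needTwoFactorAuth": False, "canAccessAuditLogs": True,
                      "privileges": [{"type": "All", "target": "All"}]},
             "token": "TOKEN-PLACEHOLDER", "expires": "2030-01-01T00:00:00Z",
             "messageOfTheDay": "Welcome to Appgate SDP."}
SAMPLE_MFA = {"user": {"name": "admin", "needTwoFactorAuth": True, "privileges": []},
              "token": "PARTIAL-TOKEN-PLACEHOLDER", "expires": "2030-01-01T00:00:00Z"}
SAMPLE_401 = {"id": "unauthorized", "message": "Login Failed.",
              "reason": "Invalid username or password."}
SAMPLE_422 = {"id": "validation", "message": "Request validation error.",
              "errors": [{"field": "providerName", "message": "may not be null"}]}

if __name__ == "__main__":
    dev = stable_device_id("device-id.txt")
    print(build_login_body("ldap", dev, username="user", password="example-password"))
    for code, sample in [(200, SAMPLE_OK), (200, SAMPLE_MFA), (401, SAMPLE_401), (422, SAMPLE_422)]:
        print(code, interpret_login_response(code, sample).state.value)
```

The token is never logged or printed by the result type; scripts should keep it in memory only and honour the expires value rather than reusing a token indefinitely.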

Security
HTTP
Type: bearer
Body parameters

Login Credentials.

object
providerName
string Required

Display name of the Identity Provider.

Example: ldap
username
string

Username. Required if a credentials based Identity Provider is used.

Example: user
password
string

Password. Required if a credentials based Identity Provider is used.

Example: tSW3!QBv(rj{UuLY
deviceId
string (uuid) Required

UUID to distinguish the client device making the request. It is supposed to be the same for every login request from the same server.

Example: 4c07bc67-57ea-42dd-b702-c2d6c45419fc
samlResponse
string

SAMLResponse received from SAML provider. Required if a SAML based Identity Provider is used.

idToken
string

ID Token received from OIDC provider. Required if an OIDC based Identity Provider is used.

accessToken
string

Access Token received from OIDC provider. Required if an OIDC based Identity Provider is used.

Responses
200

Login Response.

object
user
object

Information about the logged-in user, such as username and email address, if they exist.

name
string

Username.

Example: admin
needTwoFactorAuth
boolean

If true, it is not possible to complete login process without providing MFA.

Example: false
canAccessAuditLogs
boolean

Whether there is a LogServer deployed and the user has privileges to access it.

privileges
Array of object (AdministrativePrivilege)

The privileges the user has.

object

Administrative Privilege item. Use the type-target-map API to get details on which types are valid for which targets and their scopes.

type
string

The type of the Privilege defines the possible administrator actions.

Valid values: [ "All", "View", "Create", "Edit", "Tag", "Delete", "Revoke", "Export", "Upgrade", "RenewCertificate", "DownloadLogs", "Test", "GetUserAttributes", "Backup", "CheckStatus", "Reevaluate", "Reboot", "AssignFunction" ]
target
string

The target of the Privilege defines the possible target objects for that type.

Valid values: [ "All", "Appliance", "Condition", "CriteriaScript", "Entitlement", "AdministrativeRole", "IdentityProvider", "MfaProvider", "IpPool", "LocalUser", "ServiceUser", "Policy", "Site", "DeviceClaimScript", "EntitlementScript", "RingfenceRule", "ApplianceCustomization", "TrustedCertificate", "UserClaimScript", "OtpSeed", "Fido2Device", "Blacklist", "License", "UserLicense", "RegisteredDevice", "AllocatedIp", "SessionInfo", "AuditLog", "AdminMessage", "GlobalSetting", "CaCertificate", "File", "AutoUpdate", "RiskModel", "Ztp", "ClientProfile", "Secret", "DiscoveredApp" ]
scope
object

The scope of the Privilege. Only applicable to certain type-target combinations. Some types depend on the IdP/MFA type, such as GetUserAttributes. This field must be omitted if not applicable.

all
boolean

If "true", all objects are accessible. For example, "type: Edit - target: Condition - scope.all: true" means the administrator can edit all Conditions in the system.

ids
Array of string

Specific object IDs this Privilege would have access to.

string (uuid)
Example: 4c07bc67-57ea-42dd-b702-c2d6c45419fc
tags
Array of string

Object tags this privilege would have access to.

string
Example: tag
defaultTags
Array of string

The items in this list would be added automatically to the newly created objects' tags. Only applicable on "Create" type and targets with tagging capability. This field must be omitted if not applicable.

string
Example: api-created
functions
Array of string (ApplianceFunction)

Privilege for changing Appliance Functions. Only applicable on "AssignFunction" type with Appliance or All target. This field must be omitted if not applicable.

string
Valid values: [ "Controller", "Gateway", "LogServer", "LogForwarder", "Connector", "Portal", "Metrics Aggregator", "Connection Broker" ]
token
string

The AuthToken required for subsequent API calls.

expires
string (date-time)

Token expiration time.

messageOfTheDay
string

Message of the day configured by an admin.

Example: Welcome to Appgate SDP.
ztpCollectiveType
string

ZTP type of the collective.

Valid values: [ "hosted", "connected" ]
ztpAccountType
string

ZTP account type.

Valid values: [ "standard", "demo" ]
crlEnabled
boolean

Whether X.509 CRL is enabled for the system. Issued Certificates are disabled if CRL is not enabled.
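The privilege model from the response above (type, target, scope.all, scope.ids, scope.tags, defaultTags and functions), evaluated client-side as an added example that is not Appgate's own code. A script can use this to check its own Login response before attempting a call, or to explain a later 403. Two semantics are assumptions, not stated by this reference: the value "All" matches any type or target, and a privilege with no scope (the reference says scope is omitted where not applicable) applies to every object of its target. The sample privilege list is constructed.

```python
def _matches(value: str, wanted: str) -> bool:
    """Assumption: "All" is a wildcard for both type and target."""
    return value == "All" or value == wanted


def privilege_grants(priv: dict, action: str, target: str,
                     object_id: str = None, object_tags=()) -> bool:
    """Does one AdministrativePrivilege item allow `action` on `target`?
    Object-level checks use scope.all, scope.ids and scope.tags."""
    if not (_matches(priv["type"], action) and _matches(priv["target"], target)):
        return False
    scope = priv.get("scope")
    if scope is None or scope.get("all"):
        return True  # no scope (not applicable) or scope.all: every object of the target
    if object_id is not None and object_id in scope.get("ids", []):
        return True
    return any(tag in scope.get("tags", []) for tag in object_tags)


def allowed(privileges, action: str, target: str,
            object_id: str = None, object_tags=()) -> bool:
    """True if any privilege in the Login response grants the action."""
    return any(privilege_grants(p, action, target, object_id, object_tags) for p in privileges)


def default_tags_for_create(privileges, target: str):
    """Tags the system would add to a newly created object of `target`
    (defaultTags is only present on "Create" privileges)."""
    tags = []
    for p in privileges:
        if _matches(p["type"], "Create") and _matches(p["target"], target):
            tags.extend(t for t in p.get("defaultTags", []) if t not in tags)
    return tags


def assignable_functions(privileges) -> set:
    """Appliance functions the user may assign (from AssignFunction privileges)."""
    functions = set()
    for p in privileges:
        if _matches(p["type"], "AssignFunction") and _matches(p["target"], "Appliance"):
            functions.update(p.get("functions", []))
    return functions


# Constructed sample, shaped like the "privileges" array in the Login response.
SAMPLE_PRIVILEGES = [
    {"type": "View", "target": "All"},                                   # read anything
    {"type": "Edit", "target": "Condition", "scope": {"all": True}},     # edit every Condition
    {"type": "Delete", "target": "Policy",
     "scope": {"all": False, "ids": ["4c07bc67-57ea-42dd-b702-c2d6c45419fc"]}},
    {"type": "Tag", "target": "Site", "scope": {"all": False, "tags": ["prod"]}},
    {"type": "Create", "target": "Policy", "defaultTags": ["api-created"]},
    {"type": "AssignFunction", "target": "Appliance", "scope": {"all": True},
     "functions": ["Gateway"]},
]

if __name__ == "__main__":
    print("edit Condition:", allowed(SAMPLE_PRIVILEGES, "Edit", "Condition"))
    print("delete other Policy:", allowed(SAMPLE_PRIVILEGES, "Delete", "Policy", object_id="other"))
    print("tags on create Policy:", default_tags_for_create(SAMPLE_PRIVILEGES, "Policy"))
    print("assignable functions:", assignable_functions(SAMPLE_PRIVILEGES))
```

The Controller remains the authority; this check is only a local pre-flight, and the type-target-map API named above is the source of truth for which type-target-scope combinations are valid.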

400

JSON error. Check the JSON format.

object

Generic HTTP error.

id
string

Machine readable error code.

message
string

Human readable error details.

401

Login Failed.

object
id
string

Machine readable error code.

message
string

Human readable error details.

reason
string

The authentication failure reason.

Example: Invalid username or password.
406

Invalid 'Accept' header.

object

Generic HTTP error.

id
string

Machine readable error code.

message
string

Human readable error details.

422

Request validation error. Check "errors" array for details.

object

Http 422 error for object validation.

id
string

Machine readable error code.

message
string

Human readable error details.

errors
Array of object

List of fields with validation errors.

object
field
string

Name of the field that failed validation.

Example: name
message
string

Failure reason.

Example: may not be null
500

Unexpected server side error.

object

Generic HTTP error.

id
string

Machine readable error code.

message
string

Human readable error details.