Authentication Methods
All API calls into Tanium should use API tokens for authentication. This includes the GraphQL API for Tanium Gateway as well as the Platform and Module REST APIs. Username/password authentication continues to work for the REST API only for customers with on-prem Tanium environments, and this may change in the future. All integrators are advised to migrate to token-based authentication so that their integrations function regardless of whether the Tanium environment is Cloud or on-prem.
Generating an API Token
Log into the Tanium console as your integration user and navigate to Administration > Permissions > API Tokens. Give the token a name that indicates which integration it is for. Specify the IP address or CIDR block from which you will be making your API calls; the token is only accepted from those addresses. For security, specify a short duration for your token, generally not to exceed 2 weeks, and have your integration rotate it regularly. If your architecture prohibits automating API token rotation, document the recommended process and frequency for the Tanium admin to rotate the token manually. Save the token value when it is displayed, as you will not be able to retrieve it again later.
Authenticated API Calls
All calls into the Tanium API include the API token value in a 'session' header. Make sure to include the 'token-' prefix; the bare token string is not accepted. Example:
curl --location --request POST 'https://my_tanium_hostname/api/v2/questions' \
--header 'Content-Type: application/json' \
--header 'session: token-XXXXXXXX' \
--data-raw '{
"query_text": "Get Computer Name from all machines"
}'
These API tokens are used for the core platform REST API, the various module REST APIs, and the GraphQL Tanium Gateway.
Rotating API Tokens
Tanium API tokens must be rotated regularly, before they expire. Typically an integration has a background process that runs daily and calls the API to rotate the token. Once exchanged, the old token no longer works, so store the new token value securely and persist it immediately: if the process fails between the exchange and the write, the integration is left holding a revoked token and a Tanium admin must issue a new one.
REST Example
curl --location --request POST 'https://my_tanium_hostname/api/v2/api_tokens' \
--header 'Content-Type: application/json' \
--header 'session: token-XXXXXXXX' \
--data-raw '{"token_string": "token-XXXXXXXX"}'
GraphQL Example
curl --location --request POST 'https://mytanium-api.cloud.tanium.com/plugin/products/gateway/graphql' \
--header 'session: token-XXXXXXXX' \
--header 'Content-Type: application/json' \
--data-raw '{"query":"mutation ($token: String!) {\napiTokenRotate(input: {tokenString: $token}) {\n token {\n created\n expiration\n id\n lastUsed\n notes\n persona {\n name\n }\n tokenString\n trustedIPAddresses\n }\n error {\n message\n retryable\n timedOut\n }\n }\n} ","variables":{"token":"token-XXXXXXXX"}}'