Authentication API

If you are running Grafana Enterprise, for some endpoints you would need to have relevant permissions. Refer to Role-based access control permissions for more information.

Tokens

Currently, you can authenticate via an API Token or via a Session cookie (acquired using regular login or OAuth).

X-Grafana-Org-Id Header

X-Grafana-Org-Id is an optional property that specifies the organization to which the action is applied. If it is not set, the created key belongs to the current context org. Use this header in all requests except those regarding admin.

Example Request:

  1. POST /api/auth/keys HTTP/1.1
  2. Accept: application/json
  3. Content-Type: application/json
  4. X-Grafana-Org-Id: 2
  5. Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
  6. {
  7. "name": "mykey",
  8. "role": "Admin",
  9. "secondsToLive": 86400
  10. }

Basic Auth

If basic auth is enabled (it is enabled by default), then you can authenticate your HTTP request via standard basic auth. Basic auth will also authenticate LDAP users.

curl example:

  1. curl http://admin:admin@localhost:3000/api/org
  2. {"id":1,"name":"Main Org."}

Create API Token

Open the sidemenu and click the organization dropdown and select the API Keys option.

You use the token in all requests in the Authorization header, like this:

Example:

  1. GET http://your.grafana.com/api/dashboards/db/mydash HTTP/1.1
  2. Accept: application/json
  3. Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk

The Authorization header value should be Bearer <your api key>.

The API Token can also be passed as a Basic authorization password with the special username api_key:

curl example:

  1. curl http://api_key:eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk@localhost:3000/api/org
  2. {"id":1,"name":"Main Org."}

Auth HTTP resources / actions

Api Keys

GET /api/auth/keys

Required permissions

See note in the introduction for an explanation.

ActionScope
apikeys:readapikeys:*

Example Request:

  1. GET /api/auth/keys HTTP/1.1
  2. Accept: application/json
  3. Content-Type: application/json
  4. Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk

Query Parameters:

  • includeExpired: boolean. enable listing of expired keys. Optional.

Example Response:

  1. HTTP/1.1 200
  2. Content-Type: application/json
  3. [
  4. {
  5. "id": 3,
  6. "name": "API",
  7. "role": "Admin"
  8. },
  9. {
  10. "id": 1,
  11. "name": "TestAdmin",
  12. "role": "Admin",
  13. "expiration": "2019-06-26T10:52:03+03:00"
  14. }
  15. ]

Create API Key

POST /api/auth/keys

Required permissions

See note in the introduction for an explanation.

ActionScope
apikeys:createn/a

Example Request:

  1. POST /api/auth/keys HTTP/1.1
  2. Accept: application/json
  3. Content-Type: application/json
  4. Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
  5. {
  6. "name": "mykey",
  7. "role": "Admin",
  8. "secondsToLive": 86400
  9. }

JSON Body schema:

  • name – The key name
  • role – Sets the access level/Grafana Role for the key. Can be one of the following values: Viewer, Editor or Admin.
  • secondsToLive – Sets the key expiration in seconds. It is optional. If it is a positive number an expiration date for the key is set. If it is null, zero or is omitted completely (unless api_key_max_seconds_to_live configuration option is set) the key will never expire.

Error statuses:

  • 400api_key_max_seconds_to_live is set but no secondsToLive is specified or secondsToLive is greater than this value.
  • 500 – The key was unable to be stored in the database.

Example Response:

  1. HTTP/1.1 200
  2. Content-Type: application/json
  3. {"name":"mykey","key":"eyJrIjoiWHZiSWd3NzdCYUZnNUtibE9obUpESmE3bzJYNDRIc0UiLCJuIjoibXlrZXkiLCJpZCI6MX1=","id":1}

Delete API Key

DELETE /api/auth/keys/:id

Required permissions

See note in the introduction for an explanation.

ActionScope
apikeys:deleteapikeys:*

Example Request:

  1. DELETE /api/auth/keys/3 HTTP/1.1
  2. Accept: application/json
  3. Content-Type: application/json
  4. Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk

Example Response:

  1. HTTP/1.1 200
  2. Content-Type: application/json
  3. {"message":"API key deleted"}