Most SASE APIs use a common authentication mechanism and base URL for API requests. (Prisma Access Insights is the exception.) The authentication mechanism is OAuth2. To authenticate SASE API requests, you must:
1. Identify or create the TSG that you want to use for the scope of the access token. The TSG gives you the TSG_ID that you use for the access token's scope.
2. Identify or create the service account that you want to use for the request. This gives you the Client ID and Client Secret that you use to obtain the access token.
3. Using the Client ID, Client Secret, and your TSG_ID, create an access token.
Once you have an access token, you can make requests against the tenants that are within the scope of your access token. Provide the access token using the Authorization header, with the Bearer keyword, on your HTTPS request. For example:
curl --location "https://api.sase.paloaltonetworks.com/config/v1/jobs" \
  -H "Authorization: Bearer <ACCESS_TOKEN>" \
  -H "Content-Type: application/json"
Note: At this point you can mechanically make a request, but you still need to assign one or more roles to the service account. Without at least one role, the service account will not have permissions to perform any actions on the SASE product or service.
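The steps above, from token creation to the Bearer request, as an added Python example (not Palo Alto Networks' code) that also refreshes the token before it expires and keeps it out of error messages. The token endpoint URL and the `tsg_id:<TSG_ID>` scope format are assumptions not stated on this page, and `build_token_request`, `send_json` and `SaseSession` are hypothetical names.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumptions (not stated on this page): token endpoint URL and "tsg_id:<id>" scope format.
TOKEN_URL = "https://auth.apps.paloaltonetworks.com/oauth2/access_token"
API_BASE = "https://api.sase.paloaltonetworks.com"  # base URL from the curl example


def build_token_request(client_id, client_secret, tsg_id):
    """Client-credentials grant; the scope limits the token to one TSG."""
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": f"tsg_id:{tsg_id}"}).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(TOKEN_URL, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded"})


def send_json(req):
    """Default transport: send over HTTPS and decode the JSON body."""
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


class SaseSession:  # hypothetical helper name
    """Keeps the token in memory only and refreshes it shortly before expiry."""

    def __init__(self, client_id, client_secret, tsg_id,
                 send=send_json, clock=time.time, skew=60):
        self._creds = (client_id, client_secret, tsg_id)
        self._send, self._clock, self._skew = send, clock, skew
        self._token, self._expires_at = None, 0.0

    def token(self):
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            payload = self._send(build_token_request(*self._creds))
            if "access_token" not in payload:
                # Report only the field names, never the response values.
                raise RuntimeError(f"token request failed: {sorted(payload)}")
            self._token = payload["access_token"]
            self._expires_at = self._clock() + int(payload.get("expires_in", 0))
        return self._token

    def api_request(self, path):
        """Build a request carrying the token in the Authorization header."""
        return urllib.request.Request(API_BASE + path, headers={
            "Authorization": f"Bearer {self.token()}",
            "Content-Type": "application/json"})
```

Pass the request returned by `api_request("/config/v1/jobs")` to `send_json` to perform the call; load the Client ID and Client Secret from a secret store or the environment rather than hard-coding them.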