Skip to main content



Cisco Defense Orchestrator

API Tokens

Developers use CDO API tokens when making CDO REST API calls. The API token must be inserted in the REST API authorization header for a call to succeed. API tokens are "long-lived" access tokens which do not expire; however, you can renew and revoke them.

You can generate API tokens from within CDO. These tokens are only visible immediately after they're generated and for as long as the General Settings page is open. If you open a different page in CDO and return to the General Settings page, the token is no longer visible, although it is clear that a token has been issued. 

Individual users can create their own tokens for a particular tenant. One user cannot generate a token on behalf of another. Tokens are specific to an account-tenant pair and cannot be used for other user-tenant combinations.

API Token Format and Claims

The API token is a JSON Web Token (JWT). To learn more about the JWT token format, read the Introduction to JSON Web Tokens.

The CDO API token provides the following set of claims:  

  • id - user/device uid
  • parentId - tenant uid
  • ver - the version of the public key (initial version is 0, for example, cdo_jwt_sig_pub_key.0)
  • subscriptions - SSE subscriptions (optional)
  • client_id - "api-client
  • jti - token id

Token Management

See General Settings for information about generating, renewing, and revoking an API token.

  • Was this article helpful?