MFT API - Authentication & Authorization 3.10.3

This API scope covers all endpoints related to user authentication, Single Sign-On (SSO), Multi-Factor Authentication (MFA), Windows Integrated Authentication, token management, and authorization checks within the MFT system. The base endpoint URL for all operations is http://localhost:8010/vault_rest. Most authenticated endpoints require an API key (bearer token) provided in the Authorization: Bearer <token> header. This token can be obtained from the /vault_rest/authenticate endpoint using basic authentication (username and password) or through SSO/Windows authentication flows. For initial authentication endpoints like /vault_rest/authenticate, basic authentication (Authorization: Basic <base64(username:password)>) is required. API keys have an expiration time and can be extended or recycled using the token management endpoints.

Server

http://localhost:8010

Authentication

http basicAuth

Basic authentication using username and password.

http bearerAuth

Bearer token authentication using an API key.

Authentication

Endpoints for user login, logout, and session management.

GET

/vault_rest/authenticate

DELETE

/vault_rest/authenticate

Request an API key

Requests an API key (authentication token) for subsequent API calls. This endpoint typically requires basic authentication (username and password) in the Authorization header to obtain a bearer token.

Auth

GET /vault_rest/authenticate

xxxxxxxxxx
 
curl --get \ --url 'http://localhost:8010/vault_rest/authenticate' \ --header 'Authorization: Basic {token}'
Copy

Responses

200

API key successfully generated.

object	object	Result of an authentication attempt, including the API key.
Result	string	The outcome of the authentication attempt. Enum: `Success`,`ErrorServiceUnavailable`,`ErrorInvalidCredentials`,`ErrorMfaRequired`
Token	string	The generated authentication token (API key).
Expires	date-time	The expiration date and time of the token.
ExpiresString	string	The expiration date and time of the token as a string.
UiMessageKey	string	A key for UI messages related to the authentication result.
Message	string	A human-readable message related to the authentication result.

Response

xxxxxxxxxx
 
{ "Result": "{string}", "Token": "{string}", "Expires": "{date-time}", "ExpiresString": "{string}", "UiMessageKey": "{string}", "Message": "{string}"}
Copy

Log out and invalidate the current API key

Invalidates the current authentication token (API key), effectively logging out the user. The token can no longer be used for subsequent authenticated requests.

Auth

DELETE /vault_rest/authenticate

xxxxxxxxxx
 
curl --request DELETE \ --url 'http://localhost:8010/vault_rest/authenticate' \ --header 'Authorization: Bearer {token}'
Copy

Responses

200

Authentication token successfully invalidated.

object	object	Result of cancelling an authentication token.
success	boolean	Indicates if the token cancellation was successful.

Response

xxxxxxxxxx
 
{ "success": "{boolean}"}
Copy

Sso

Endpoints for Single Sign-On (SSO) authentication flows.

GET

/vault_rest/pre-authenticate-sso

GET

/vault_rest/authenticate-sso

POST

/vault_rest/authenticate-sso

GET

/vault_rest/authenticate-sso-token

Initiate SSO pre-authentication

Initiates the pre-authentication process for Single Sign-On (SSO) using OIDC. This endpoint typically returns information needed to redirect the user to the identity provider.

Auth

GET /vault_rest/pre-authenticate-sso

xxxxxxxxxx
 
curl --get \ --url 'http://localhost:8010/vault_rest/pre-authenticate-sso' \ --header 'Authorization: Basic {token}'
Copy

Responses

200

SSO pre-authentication initiated successfully.

object	object	Result of the SSO pre-authentication process.
redirectUrl	string	The URL to redirect the user to for SSO authentication.
state	string	A state parameter to maintain state between the request and the callback.

Response

xxxxxxxxxx
 
{ "redirectUrl": "{string}", "state": "{string}"}
Copy

Complete SSO authentication via GET

Completes the Single Sign-On (SSO) authentication process by receiving an authorization code and state via a GET request. This is commonly used as a redirect URI callback from an identity provider after successful authentication.

Auth

Query String

code	string	The authorization code received from the identity provider.
state	string	The state parameter used for CSRF protection, echoed back from the identity provider.

GET /vault_rest/authenticate-sso

xxxxxxxxxx
 
curl --get \ --url 'http://localhost:8010/vault_rest/authenticate-sso' \ --header 'Authorization: Basic {token}' \ --data code={code} \ --data state={state}
Copy

Responses

200

SSO authentication completed successfully.

No response body

Response

xxxxxxxxxx
 
No response
Copy

Complete SSO authentication via POST

Completes the Single Sign-On (SSO) authentication process by receiving authentication data via a POST request. This is typically used for callback mechanisms from an identity provider.

Auth

Request Body

SSO authentication details.

object	object
ssoData	string	Encoded SSO data from the identity provider.

POST /vault_rest/authenticate-sso

xxxxxxxxxx
 
curl --request POST \ --url 'http://localhost:8010/vault_rest/authenticate-sso' \ --header 'Authorization: Basic {token}' \ --data '{  "ssoData": "{string}"}'
Copy

Responses

200

SSO authentication completed successfully.

No response body

Response

xxxxxxxxxx
 
No response
Copy

Authenticate using an SSO token

Authenticates a user using an existing Single Sign-On (SSO) token. This endpoint validates the provided SSO token to establish an authenticated session.

Auth

GET /vault_rest/authenticate-sso-token

xxxxxxxxxx
 
curl --get \ --url 'http://localhost:8010/vault_rest/authenticate-sso-token' \ --header 'Authorization: Bearer {token}'
Copy

Responses

200

SSO token authenticated successfully.

No response body

Response

xxxxxxxxxx
 
No response
Copy

Mfa

Endpoints for Multi-Factor Authentication (MFA) configuration and validation.

POST

/vault_rest/validate-otp

GET

/vault_rest/settings/mfa

POST

/vault_rest/settings/mfa

Validate a One-Time Password (OTP)

Validates a provided One-Time Password (OTP) as part of a multi-factor authentication (MFA) flow. This is typically called after initial authentication to complete the login process.

Auth

Request Body

OTP validation request.

object	object	Request body for validating a One-Time Password.
otp	string	The One-Time Password to validate.

POST /vault_rest/validate-otp

xxxxxxxxxx
 
curl --request POST \ --url 'http://localhost:8010/vault_rest/validate-otp' \ --header 'Authorization: Bearer {token}' \ --data '{  "otp": "123456"}'
Copy

Responses

200

OTP validated successfully.

object	object	Result of OTP validation.
success	boolean	Indicates if the OTP validation was successful.
message	string	A message related to the OTP validation result.

Response

xxxxxxxxxx
 
{ "success": "{boolean}", "message": "{string}"}
Copy

Get Multi-Factor Authentication (MFA) settings

Retrieves the current Multi-Factor Authentication (MFA) settings for the current user or system.

Auth

GET /vault_rest/settings/mfa

xxxxxxxxxx
 
curl --get \ --url 'http://localhost:8010/vault_rest/settings/mfa' \ --header 'Authorization: Bearer {token}'
Copy

Responses

200

MFA settings retrieved successfully.

object

Result of retrieving MFA settings.

enabled

boolean

Whether MFA is currently enabled.

configuredMethods

array[string]

List of configured MFA methods.

Enum: TOTP,SMS,Email

Response

xxxxxxxxxx
 
{ "enabled": "{boolean}", "configuredMethods": [  "{array[string]...}" ]}
Copy

Update Multi-Factor Authentication (MFA) settings

Updates the Multi-Factor Authentication (MFA) settings for the current user or system. This can include enabling/disabling MFA, configuring methods, etc.

Auth

Request Body

MFA settings update request.

object	object	Request body for updating MFA settings.
enabled	boolean	Whether MFA should be enabled or disabled.

POST /vault_rest/settings/mfa

xxxxxxxxxx
 
curl --request POST \ --url 'http://localhost:8010/vault_rest/settings/mfa' \ --header 'Authorization: Bearer {token}' \ --data '{  "enabled": "{boolean}"}'
Copy

Responses

200

MFA settings updated successfully.

object	object	Result of updating MFA settings.
success	boolean	Indicates if the MFA settings update was successful.

Response

xxxxxxxxxx
 
{ "success": "{boolean}"}
Copy

Tokens

Endpoints for managing API keys (authentication tokens), including creation, extension, and revocation.

POST

/vault_rest/pre-exchange-token

POST

/vault_rest/exchange-token

/vault_rest/token/extend_session

GET

/vault_rest/tokens/generate

GET

/vault_rest/tokens/{start}/{count}

POST

/vault_rest/token/recycle

Initiate token exchange for MFA

Initiates the process to exchange an existing authentication token for a new one, typically in scenarios involving Multi-Factor Authentication (MFA) where an OTP is required for the exchange.

Auth

POST /vault_rest/pre-exchange-token

xxxxxxxxxx
 
curl --request POST \ --url 'http://localhost:8010/vault_rest/pre-exchange-token' \ --header 'Authorization: Bearer {token}'
Copy

Responses

200

Token exchange pre-initiated successfully.

object	object	Model for initiating token exchange with MFA.
mfaRequired	boolean	Indicates if MFA is required for the token exchange.
challenge	string	A challenge string for MFA.

Response

xxxxxxxxxx
 
{ "mfaRequired": "{boolean}", "challenge": "{string}"}
Copy

Complete token exchange with OTP

Completes the token exchange process by providing the necessary information, including an OTP, to receive a new authentication token. This is part of an MFA-enabled token refresh or upgrade flow.

Auth

Request Body

Token exchange request with OTP.

object	object	Request body for completing token exchange.
otp	string	The One-Time Password for token exchange.

POST /vault_rest/exchange-token

xxxxxxxxxx
 
curl --request POST \ --url 'http://localhost:8010/vault_rest/exchange-token' \ --header 'Authorization: Bearer {token}' \ --data '{  "otp": "{string}"}'
Copy

Responses

200

Token exchange completed successfully.

object	object	Result of token exchange.
token	string	The new authentication token.
expires	date-time	The expiration date and time of the new token.

Response

xxxxxxxxxx
 
{ "token": "{string}", "expires": "{date-time}"}
Copy

Extend the expiration of an authentication token

Extends the expiration time of an existing authentication token. This allows users to maintain their session without needing to re-authenticate fully.

Auth

Request Body

Request to extend token expiration.

object	object	Request body for extending an authentication token.
tokenId	string	The ID of the token to extend.
extensionDuration	int32	Duration in minutes to extend the token.

PUT /vault_rest/token

xxxxxxxxxx
 
curl --request PUT \ --url 'http://localhost:8010/vault_rest/token' \ --header 'Authorization: Bearer {token}' \ --data '{  "tokenId": "{string}",  "extensionDuration": "{int32}"}'
Copy

Responses

200

Token expiration extended successfully.

object	object	Result of extending an authentication token.
success	boolean	Indicates if the token extension was successful.
newTokenExpires	date-time	The new expiration date and time of the token.

Response

xxxxxxxxxx
 
{ "success": "{boolean}", "newTokenExpires": "{date-time}"}
Copy

Create a new authentication token

Creates a new authentication token. This endpoint can be used by administrators or authorized users to generate tokens for other users or service accounts.

Auth

Request Body

Request to create a new authentication token.

object	object	Request body for creating a new authentication token.
userId	string	The ID of the user for whom to create the token.
durationMinutes	int32	The duration in minutes for which the token should be valid.

POST /vault_rest/token

xxxxxxxxxx
 
curl --request POST \ --url 'http://localhost:8010/vault_rest/token' \ --header 'Authorization: Bearer {token}' \ --data '{  "userId": "{string}",  "durationMinutes": "{int32}"}'
Copy

Responses

200

New authentication token created successfully.

object	object	Result of creating a new authentication token.
token	string	The newly created authentication token.
expires	date-time	The expiration date and time of the new token.

Response

xxxxxxxxxx
 
{ "token": "{string}", "expires": "{date-time}"}
Copy

Delete a specific authentication token

Deletes a specific authentication token, rendering it invalid for future API requests. This can be used to revoke access for a particular token.

Auth

Request Body

Request to delete an authentication token.

object	object	Request body for deleting an authentication token.
tokenId	string	The ID of the token to delete.

DELETE /vault_rest/token

xxxxxxxxxx
 
curl --request DELETE \ --url 'http://localhost:8010/vault_rest/token' \ --header 'Authorization: Bearer {token}' \ --data '{  "tokenId": "{string}"}'
Copy

Responses

200

Authentication token deleted successfully.

object	object	Result of deleting an authentication token.
success	boolean	Indicates if the token deletion was successful.

Response

xxxxxxxxxx
 
{ "success": "{boolean}"}
Copy

Extend the idle session timeout

Extends the idle session timeout for the current authenticated session. This prevents the session from expiring due to inactivity.

Auth

GET /vault_rest/token/extend_session

xxxxxxxxxx
 
curl --get \ --url 'http://localhost:8010/vault_rest/token/extend_session' \ --header 'Authorization: Bearer {token}'
Copy

Responses

200

Idle session timeout extended successfully.

object	object	Result of extending an idle session.
success	boolean	Indicates if the idle session extension was successful.
newIdleTimeout	date-time	The new idle session timeout.

Response

xxxxxxxxxx
 
{ "success": "{boolean}", "newIdleTimeout": "{date-time}"}
Copy

Generate a new API key

Generates a new API key (authentication token) for the current authenticated user. This can be used to replace an existing token or generate an additional one.

Auth

GET /vault_rest/tokens/generate

xxxxxxxxxx
 
curl --get \ --url 'http://localhost:8010/vault_rest/tokens/generate' \ --header 'Authorization: Bearer {token}'
Copy

Responses

200

New API key generated successfully.

string

The newly generated authentication token.

Response

xxxxxxxxxx
 
{ "schema": "{string}"}
Copy

Enumerate authentication tokens

Retrieves a paginated list of authentication tokens. This endpoint is typically used by administrators to manage and monitor active tokens.

Auth

Path Params

start

integer

The starting index for the list of tokens (0-based).

minimum: 0

count

integer

The maximum number of tokens to retrieve.

minimum: 1

GET /vault_rest/tokens/{start}/{count}

xxxxxxxxxx
 
curl --get \ --url 'http://localhost:8010/vault_rest/tokens/%7Bstart%7D/%7Bcount%7D' \ --header 'Authorization: Bearer {token}'
Copy

Responses

200

List of authentication tokens retrieved successfully.

object	object	Result of enumerating authentication tokens.
tokens	array[object]
id	string
userId	string
expires	date-time
created	date-time
totalCount	int32

Response

xxxxxxxxxx
 
{ "tokens": [  {   "id": "{string}",   "userId": "{string}",   "expires": "{date-time}",   "created": "{date-time}"  } ], "totalCount": "{int32}"}
Copy

Recycle the current authentication token

Recycles the current authentication token, effectively invalidating it and generating a new one in its place. This is useful for rotating tokens without a full logout/login cycle.

Auth

POST /vault_rest/token/recycle

xxxxxxxxxx
 
curl --request POST \ --url 'http://localhost:8010/vault_rest/token/recycle' \ --header 'Authorization: Bearer {token}'
Copy

Responses

200

Authentication token recycled successfully.

object	object	Result of recycling an authentication token.
success	boolean	Indicates if the token recycling was successful.
newToken	string	The newly generated authentication token.
newExpires	date-time	The expiration date and time of the new token.

Response

xxxxxxxxxx
 
{ "success": "{boolean}", "newToken": "{string}", "newExpires": "{date-time}"}
Copy

Authorization

Endpoints for checking user permissions against specific resources.

GET

/vault_rest/authorization/{resourceType}

Check authorization for a specific resource type

Checks if the current authenticated user has authorization to access or perform actions on a specified resource type. The resourceType parameter identifies the type of resource being checked.

Auth

Path Params

resourceType

string

The type of resource to check authorization for (e.g., "file", "user", "settings").

GET /vault_rest/authorization/{resourceType}

xxxxxxxxxx
 
curl --get \ --url 'http://localhost:8010/vault_rest/authorization/%7BresourceType%7D' \ --header 'Authorization: Bearer {token}'
Copy

Responses

200

Authorization check result.

object	object	Result of an authorization check.
isAuthorized	boolean	Indicates if the user is authorized for the resource.
message	string	A message providing more details about the authorization result.

Response

xxxxxxxxxx
 
{ "isAuthorized": "{boolean}", "message": "{string}"}
Copy

Windows Authentication

Endpoints for authenticating users via Windows Integrated Authentication.

GET

/vault_rest/authenticate-windows

Authenticate using Windows Integrated Authentication

Authenticates a user based on their Windows Integrated Authentication (WIA) identity. This endpoint leverages the existing Windows authentication context to generate an API key (authentication token) for the user. The X-Forwarded-For header is used to determine the client IP address if present. This endpoint does not require an explicit Authorization header in the API request, as Windows authentication occurs at the HTTP transport layer.

Auth

Headers

X-Forwarded-For

string

The client IP address if the request is proxied.

GET /vault_rest/authenticate-windows

xxxxxxxxxx
 
curl --get \ --url 'http://localhost:8010/vault_rest/authenticate-windows' \ --header 'X-Forwarded-For: {X-Forwarded-For}'
Copy

Responses

200

Windows authentication successful, API key generated.

object	object	Result of an authentication attempt, including the API key.
Result	string	The outcome of the authentication attempt. Enum: `Success`,`ErrorServiceUnavailable`,`ErrorInvalidCredentials`,`ErrorMfaRequired`
Token	string	The generated authentication token (API key).
Expires	date-time	The expiration date and time of the token.
ExpiresString	string	The expiration date and time of the token as a string.
UiMessageKey	string	A key for UI messages related to the authentication result.
Message	string	A human-readable message related to the authentication result.

503

Service unavailable or user could not be uniquely identified.

Response

xxxxxxxxxx
 
{ "Result": "{string}", "Token": "{string}", "Expires": "{date-time}", "ExpiresString": "{string}", "UiMessageKey": "{string}", "Message": "{string}"}
Copy

MFT API - Authentication & Authorization 3.10.3

Authentication

Authentication

Request an API key

Log out and invalidate the current API key

Sso

Initiate SSO pre-authentication

Complete SSO authentication via GET

Complete SSO authentication via POST

Authenticate using an SSO token

Mfa

Validate a One-Time Password (OTP)

Get Multi-Factor Authentication (MFA) settings

Update Multi-Factor Authentication (MFA) settings

Tokens

Initiate token exchange for MFA

Complete token exchange with OTP

Extend the expiration of an authentication token

Create a new authentication token

Delete a specific authentication token

Extend the idle session timeout

Generate a new API key

Enumerate authentication tokens

Recycle the current authentication token

Authorization

Check authorization for a specific resource type

Windows Authentication

Authenticate using Windows Integrated Authentication

This Website Uses Cookies

Functional Cookies

Performance Cookies

Strictly Necessary Cookies

Targeting Cookies