This section of the user guide describes how you can programmatically interact with the MetaDefender Storage Security REST API. Below are some common tasks that can be done using the available REST APIs:
- Authenticate to obtain a JSON Web Token(JWT)
- Start or stop a process(scan)
- Add / remove storage units
About this REST API
The exposed endpoint is located by default at http(s)://md-storage-server/api/ (for example, the authentication endpoint is available at http(s)://md-storage-server/api/user/authenticate). All requests are handled by the NGINX web server before being proxied to the backend API Gateway service.
All endpoints perform authentication and authorization checks. For these checks to succeed, a valid token should be presented in the Authorization header in the form of Bearer
Please note that all issued tokens have a timestamp and signature associated in order to prevent long-term usage without re - authentication.The lifespan of the token is currently set to 60 minutes, meaning you will have to request a new token before it expires in order to avoid error responses.
Useful links
As mentioned earlier, all endpoints perform authentication and authorization checks. In order for these checks to succeed, a valid token should be presented in the Authorization header in the form of Bearer .
Suggested application logic
If you plan to integrate MetaDefender Storage Security in your custom application or workflow, please consider the following scenarios for successfully making REST API requests:
| Scenario | Possible use cases |
|---|---|
| Short-lived integration | You are building or enhancing an application that requires sporadic or on-demand access to MetaDefender Storage Security REST APIs. |
| The application is not expected to make more than a few REST API calls per hour. | |
| The application does not need to preserve a session. | |
| Long-lived integration | You are building or enhancing an application that requires continuous, uninterrupted, or hard to predict access to MetaDefender for Secure Storage REST APIs. |
| Requests are being triggered based on external factors and your application should maintain connectivity with MetaDefender Storage Security REST API. | |
| Session preserving is necessary and authentication should happen without user-interaction. | |
| Your application will make a significant number of REST API requests and you need increased performance | |
| API Key integration | You are building or enhancing an application that requires continuous, uninterrupted, or hard to predict access to MetaDefender for Secure Storage REST APIs. |
| Requests are being triggered based on external factors and your application should maintain connectivity with MetaDefender Storage Security REST API. | |
| Authentication should happen without user-interaction. | |
| Your application will make a significant number of REST API requests and you need increased performance. |
Short-lived integration
Obtain a signed accessToken by calling /api/user/authenticate API
Use this token to call your desired REST API by providing it in the Authorization header
Expire the token by calling /api/user/logout
Repeat steps 1-3 the next time your application needs to call a REST API
Long-lived integration
Obtain a signed token by calling /api/user/authenticate API
Securely save the received accessToken and the refreshToken
Use the accessToken to call your desired REST API by providing it in the Authorization header
Add an exception handler in case you receive a 401 Unauthorized response because the JWT has expired call /api/user/refreshToken to obtain a new accessToken by providing the saved refreshToken.
a) the accessToken expires after an hour of creation; the expiry time is represented in UTC format by the accessTokenExpiryTime value.
b) the refreshToken expires after an hour of creation; the expiry time is represented in UTC format by the refreshTokenExpiryTime value.
c) if the refreshToken has expired as well, obtain a signed token by calling /api/user/authenticate APIUse the newly issued accessToken to call your desired REST API by providing it in the Authorization header
API Key integration
In the MetaDefender Storage Security interface, Navigate to Settings -> Users
Find your user entry in the user list, click on the three dots on the right side of the entry, and then click on Generate an API Key
Generate the key, copy it, and store it somewhere safe
Use the API Key to call your desired REST API by providing it as a header with the Key: "ApiKey" and Value:
General considerations
The access token expiration date cannot be extended. By default, the access token is valid for an hour after calling /api/user/authenticate API to obtain it.The refresh token is also valid for an hour but can be extended by calling /api/user/refreshToken and it is also automatically extended with an hour with each non-GET request.
A refresh token is used to request a new access token when the current one expires without requiring re-authentication using a username and password.
The refresh token is used to forcibly expire any previously issued JWT when the refresh token expires or is removed by calling /api/user/logout.
A 3rd party application that needs persistent connectivity with MetaDefender for Secure Storage should implement a timeout mechanism to ensure that the refresh token is renewed before it expires by calling /api/user/refreshToken whenever the JWT (access token) is expired but before the refresh token expires as well.
Account
Manage your accounts
Fetch all accounts
Add an account
Update an account
Fetch account by ID
Delete an account
Fetch the number of accounts
Audit
List audit information
Fetch audit logs
Configuration
Import or export configuration file
Export configuration file
Import configuration file
Get enabled modules
Deep Cdr
Manage sanitized files
Revert encrypted file
External Logger
Manage external loggers
Retrieve external loggers
Update external logger state
Update a Syslog server configuration
Add a new Syslog server configuration
Delete external logger
File
Retrieve processed files information
Scan a file on demand
This request is used to update a scanned file with passwords, in case it is an encrypted archive andit could not be scanned because the passwords to decrypt it were not provided. It can also be used withoutproviding any passwords to simply rescan a specific file from a finished scan.
Fetch processing results for a file
File processing is done asynchronously and each analysis request is tracked by a file ID. Because processing a file is a potentially time-consuming operation, scheduling a file for processing and retrieving the results needs to be done using two separate API calls.
This request needs to be made multiple times until the analysis is complete. Analysis completion can be tracked using the processingState and the progress values from the response..
Enumerate processed files
Group
Manage your groups
Fetch all groups
Add a group
Update a group
Fetch group by ID
Delete a group
Fetch the number of groups
Health Status
API that responds with 200 OK if application is running.
Get health status
Opswat Central Management
Manage OPSWAT Central Management integration
Get OCM configuration
Enroll to OCM
UnEnroll to OCM
Get managed status
Check if MDSS is managed by OCM. This is called by OCM v7.
Set managed status
Notify that MDSS is managed. This is called by OCM v7.
Delete managed status
Remove MDSS from being managed. This is called by OCM v7.
Onboarding
Manage onboarding
Fetch onboarding configuration
Finish onboarding
Accept Eula
Report
Generate reports
Get scans report
Scan Configuration
List, add, update and delete Scan Configurations
Get Scan Configurations
Add a new Scan Configuration
Update an existing Scan Configuration
Get Scan Configuration by ID
Delete a Scan Configuration
Set a Scan Configuration as default
Get scan by ID
Get scan by ID with information regarding the previous and next scan
Start a scan
To scan a specific folder using the optional Folder parameter, provide the folder's name if you're using Box, OneDrive, or SharePoint integrations. For other storage integrations, you should provide the absolute path to the folder you want to scan.
Stop a scan
Get next scheduled scan
Delete scans
Scan Instance
List, add, update and delete Scan Instances
Get Scan Instances
Update an existing Scan Instance
Add a new Scan Instance
Get Scan Instance by ID
Delete a Scan Instance
Test
Scan Pool
List, add, update and delete Scan Pools
Get Scan Pools
Update an existing Scan Pool
Add a new Scan Pool
Get Scan Pool by ID
Delete a Scan Pool
Scan Workflow Snapshot
List scan workflow snapshots
Get all scan workflow snapshots by scan ID
Fetch storage security checklist
Fetch security checklist details
Update security checklist item
Verify the security checklist for storage
Enable/Disable the security checklist
Enable all security checklist items
Settings
List or update your settings
Get notifications configuration
Update notifications configuration
Fetch SMTP configuration
Update SMTP configuration
Online license activation
Offline license activation
Get license details
Deactivate license
Fetch retention configuration
Update retention configuration
Sso
Sso Authentication and Sso configuration update
Get Sso Configuration
Update Sso Configuration
Storage
Manage your storages
Fetch all storages
Fetch storage by ID
Delete a storage
Update a storage
Note! The following are templates for what is expected in the Credentials, CredentialsFile and Source fields. Please provide the correct values for your storage integration instead of null/false
Alibaba Cloud storage units:
Credentials: "{"Endpoint":null,"AccessKeyId":null,"AccessKeySecret":null,"UseRamRole":false}"
Source: "{"BucketName":null,"FolderLocation":null}"
Amazon S3 / S3 Compatible storage units:
Credentials: "{"ServiceUrl":null,"AccessKeyId":null,"SecretAccessKey":null,"RegionEndpoint":null,"AssumeRoleArn":null,"UseIamRole":false}"
Source: "{"BucketName":null,"FolderLocation":null}"
Azure Blob storage units:
Credentials: "{"TenantId":null,"ClientId":null,"ClientSecret":null,"StorageAccount":null}"
Source: "{"Container":null}"
Azure Files storage units:
Credentials: "{"AccountName":null,"AccountKey":null,"ShareName":null}"
Source: "{"FolderLocation":null}"
Box storage units:
CredentialsFile: upload the credentials file
Source: "{"FolderLocation":null}"
Dell Isilon / SMB Compatible storage units:
Credentials: "{"User":null,"Password":null,"Server":null}"
Source: "{"SharePath":null}"
Google Cloud storage units:
CredentialsFile: upload the credentials file
Credentials: "{"UseAdc":false}"
Source: "{"BucketName":null,"FolderLocation":null}"
OneDrive storage units:
Credentials: "{"TenantId":null,"ClientId":null,"ClientSecret":null}"
Source: "{"Group":null}"
Fetch storage users
Add a storage
Note! The following are templates for what is expected in the Credentials, CredentialsFile and Source fields. Please provide the correct values for your storage integration instead of null/false
Alibaba Cloud storage units:
Credentials: "{"Endpoint":null,"AccessKeyId":null,"AccessKeySecret":null,"UseRamRole":false}"
Source: "{"BucketName":null,"FolderLocation":null}"
Amazon S3 / S3 Compatible storage units:
Credentials: "{"ServiceUrl":null,"AccessKeyId":null,"SecretAccessKey":null,"RegionEndpoint":null,"AssumeRoleArn":null,"UseIamRole":false}"
Source: "{"BucketName":null,"FolderLocation":null}"
Azure Blob storage units:
Credentials: "{"TenantId":null,"ClientId":null,"ClientSecret":null,"StorageAccount":null}"
Source: "{"Container":null}"
Azure Files storage units:
Credentials: "{"AccountName":null,"AccountKey":null,"ShareName":null}"
Source: "{"FolderLocation":null}"
Box storage units:
CredentialsFile: upload the credentials file
Source: "{"FolderLocation":null}"
Dell Isilon / SMB Compatible storage units:
Credentials: "{"User":null,"Password":null,"Server":null}"
Source: "{"SharePath":null}"
Google Cloud storage units:
CredentialsFile: upload the credentials file
Credentials: "{"UseAdc":false}"
Source: "{"BucketName":null,"FolderLocation":null}"
OneDrive storage units:
Credentials: "{"TenantId":null,"ClientId":null,"ClientSecret":null}"
Source: "{"Group":null}"
Update scan configuration
Add a scan schedule
Update a scan schedule
Fetch scan schedules
Delete scan schedules
Retrieve storage user name
User
Create, list and update user accounts
Fetch active users
Register a user
Create a user
Authenticate with a username and password
Authenticate with a username and password to obtain a JWT token,Most of the APIs require authentication in the form of providing a JWT token. Call this API in order to receive a token but please note that it's only valid for an hour so it should be periodically refreshed.
Refresh user token
Logout
Update user role
Fetch users
Delete a user
Update a user
Request password reset
Reset user password
Object event trigger of real time processing
This endpoint takes the parameters and tries to find the file in the specified storage and applies the scan configuration for the specified file
Object event trigger of real time processing by storage client ID
This endpoint takes the parameter and tries to find the file in the specified storage and applies the scan configuration for the specified file
Deprecated Soon To Be Removed
Deprecated, soon to be removedDeprecated
Fetch MetaDefender Core Pools
Deprecated, soon to be removedDeprecated
Update an existing MetaDefender Core Pool
Deprecated, soon to be removedDeprecated
Add a new MetaDefender Core Pool
Deprecated, soon to be removedDeprecated
Get MetaDefender Core Pool by ID
Deprecated, soon to be removedDeprecated
Delete MetaDefender Core Pool
Deprecated, soon to be removedDeprecated
Fetch MetaDefender Core servers
Deprecated, soon to be removedDeprecated
Update MetaDefender Core server
Deprecated, soon to be removedDeprecated
Add a new MetaDefender Core Server
Deprecated, soon to be removedDeprecated
Get MetaDefender Core server by ID
Deprecated, soon to be removedDeprecated
Delete MetaDefender Core server
Deprecated, soon to be removedDeprecated
(Deprecated) Get an active scan by scan ID and file ID
Deprecated, soon to be removedDeprecated
(Deprecated) Get Real-Time scan
Deprecated, soon to be removedDeprecated
(Deprecated) Fetch last completed scan
Deprecated, soon to be removedDeprecated
(Deprecated - use /storage) Add an Amazon S3 storage
Deprecated, soon to be removedDeprecated
(Deprecated - use /storage/{storageId}) Update an Amazon S3 storage
Deprecated, soon to be removedDeprecated
(Deprecated - use /storage) Add an One Drive storage
Deprecated, soon to be removedDeprecated
(Deprecated - use /storage/{storageId}) Update an One Drive storage
Deprecated, soon to be removedDeprecated
(Deprecated - use /storage) Add a Box storage
Deprecated, soon to be removedDeprecated
(Deprecated - use /storage/{storageId}) Update a Box storage
Deprecated, soon to be removedDeprecated
(Deprecated - use /storage) Add Dell Isilon/SMB Compatibile
Deprecated, soon to be removedDeprecated
(Deprecated - use /storage/{storageId}) Update a Dell Isilon/SMB Compatibile
Deprecated, soon to be removedDeprecated
(Deprecated - use /storage) Add an Azure Blob storage
Deprecated, soon to be removedDeprecated
(Deprecated - use /storage/{storageId}) Update an Azure Blob storage
Deprecated, soon to be removedDeprecated
(Deprecated - use /storage) Add an Alibaba Cloud storage
Deprecated, soon to be removedDeprecated
(Deprecated - use /storage/{storageId}) Update an Alibaba Cloud storage
Deprecated, soon to be removedDeprecated
(Deprecated - use /storage) Add a Google Cloud storage
Deprecated, soon to be removedDeprecated
(Deprecated - use /storage/{storageId}) Update a Google Cloud storage
Deprecated, soon to be removedDeprecated
(Deprecated - use /storage) Add an Azure Files storage
Deprecated, soon to be removedDeprecated
(Deprecated - use /storage/{storageId}) Update an Azure Files storage