Flexera One API Key Concepts
The following sections provide introduction to key concepts to help you get started with the Flexera One API.
API Refresh and Access Tokens
An API refresh token is a long-lived credential that a user may generate to access the Flexera public API. The refresh token is used to generate a short-lived access token that must be included in requests to the Flexera One API as described in Generating an Access Token From Refresh Token. The most common use case is using a command line tool or SDK to interact with the Flexera One API.
The long-lived refresh token credential is tied only to the user who generates it, and can only be used to make calls to an API that the user has access to. In the Flexera One user interface, access is defined by the roles that a user has been granted in an organization. If a user has been granted a role in more than one organization, they may use the same refresh token to access resources in either organization.
Refresh Token Notes
Note the following key points regarding Flexera One API refresh tokens:
- For security, a Flexera One API refresh token expires in one year if it is not used in that one year.
- The refresh token will never expire if used at least once per year
- There is no limit on the number of active Flexera One API refresh tokens that a user may have.
- Revoked refresh tokens cannot be used to generate new access tokens and may be discarded.
Access Token Notes
Note the following key points regarding Flexera One API access tokens:
- For security, access token are only valid for one hour.
- After an access token expires, requests to the Flexera One API using that access token will no longer succeed.
- To get a new access token, repeat the steps in the Generating an Access Token From Refresh Token section.
API Refresh Token Security
Because refresh tokens are long-lived, the following security protocol should be followed:
- Refresh tokens must be stored securely.
- Tokens should never be shared with anyone else.
- If a refresh token is compromised or lost, you should revoke the token immediately. For more information, refer to Revoking an API Refresh Token.
- Any change to a user's roles will take effect immediately, affecting the access the user has, even if the user already has generated an API refresh token or access token.
- Revoking an API refresh token does not invalidate access tokens that were generated with the refresh token.
Account and Tenant Location Zones
When using the Flexera One API, the command line instructions include calls to URLs that differ based on where your account is located:
- North America accounts use flexera.com
- EU accounts use flexera.eu
- APAC accounts use flexera.au
Accordingly, if your user and tenant are in the EU zone or the APAC zone, you must ensure that any instance of flexera.com in the URL is replaced with flexera.eu or flexera.au to ensure the correct request as shown in the following example:
A request for a North American zone such as:
https://api.flexera.com/iam/v1/refresh-tokens
should be changed to the following for the EU zone:
https://api.flexera.eu/iam/v1/refresh-tokens
or the following for the APAC zone:
https://api.flexera.au/iam/v1/refresh-tokens
Organization ID Unique Identifier
Each organization in Flexera One is assigned an organization ID. The organization ID is a unique identifier that defines your organization for use throughout Flexera One and is also used as part of the request path when consuming the API. After you log in to Flexera One, you will notice that your organization ID is displayed in the URL, where \{orgID\} is the unique identifier for your organization.
https://app.flexera.com/orgs/{orgID}/...
In order to use a Flexera One API, after you have generated your refresh token and then used it to obtain your access token, the specific URI for the API you wish to invoke includes the organization ID. For example, the following shows an example endpoint URI for the Devices with Installed Software REST API:
https://api.flexera.com/fnms/v1/orgs/{orgID}/devices/installed-software/
You will use the organization ID in calls to endpoints.
Service Accounts
A service account is an account used by an application to access Flexera One APIs..
Service accounts, like users, must be assigned roles in an org to access resources within that org. Service accounts may only be assigned roles in the org they were created in, and therefore may only access resources in that org.
For more information, see Using a Service Account With the Flexera One APIs.