Getting started with the Secure Private Access API
The topic captures the basic information on using the Secure Private Access API.
Points to note
To use the Secure Private Access API, use the service URL defined in the OpenAPI specification and https protocol for all your requests.
You must also specify the following in each API request:
- Set the
AuthorizationandCitrix-CustomerIdheaders appropriately by using the right Customer ID for the admin account and a valid bearer token. Else, you get the401 Unauthorizederror response. For more details, see Authorization Credentials. - Always set the
Acceptheader asapplication/json. Else, you get the406 Not Acceptableerror response. - For POST or PUT requests where a request body is sent, set the
Content-Typeheader asapplication/json; charset=utf-8. Else, you get the415 Unsupported Media Typeerror response. All data provided in the request bodies must be in the appropriate JSON formats. - Once you receive a
Citrix-TransactionIdheader after your first request, continue to provide the same header with the same value so that a flow of requests and responses can be easily traced in case support is needed. TheCitrix-TransactionIdheader is not strictly required for an operation to be processed. If not set in a request, a new one is provided in the response.
In all cases where results are returned, you can expect them to be in JSON format.
Authorization credentials
Creating an API client
If you don’t have an API client, you can create one. For details, see Getting started section for Citrix Cloud. When you create a client, client_secret and a client_id are generated. The client ID and client secret are required to generate an authentication token.
Getting the Citrix customer ID
Each request requires a Citrix customer ID passed through a header. To get the customer ID:
- Log in to the Citrix Cloud.
- Select the Identity and Access Management option from the hamburger menu.
- Click API Access. The customer ID is displayed in the description above the Create Client button.
Getting an authorization bearer token
Using the {{clientId}}, {{clientSecret}}, and the {{Citrix-CustomerId}}, you can get an authorization bearer token that you can use in your requests to the Secure Private Access API.
POST request:
POST https://api.cloud.com/cctrustoauth2/{{Citrix-CustomerId}}/tokens/clients
with a body of:
{
"clientId": "\{\{clientId\}\}",
"clientSecret": "\{\{clientSecret\}\}"
}
<!--NeedCopy-->
and you can expect a response with a body as follows that you can parse and use the value of the token property as the bearer token in the authorization header.
{
"principal": "...",
"locale": "en-US",
"subject": "...",
"token": "...",
"openIdToken": "...",
"expiresIn": 3600
}
<!--NeedCopy-->
Errors
For the errors, such as 400 BAD REQUEST, 406 NOT ACCEPTABLE, 415 UNSUPPORTED MEDIA TYPE, 500 INTERNAL SERVER ERROR, you can expect a response body in JSON with more details, in the following format:
{
"type": "https://errors-api.cloud.com/common/Error",
"detail": "Input payload validation failed",
"parameters": [
{
"name": "priority",
"value": "167.72 is not of type 'integer'"
},
{
"name": "active",
"value": "1 is not of type 'boolean'"
}
]
}
<!--NeedCopy-->
Rate limits
Call rates are limited to 10 calls per 5 seconds for API requests. If the rate limit is surpassed, the requests result in 429 Too Many Requests responses. In such case, consider introducing some delay between your requests.
Call rates are limited to 10 calls per 5 seconds for API requests.
API specification
You can also get the OpenAPI specification file directly from the service, in YAML or JSON format, with a GET request:
GET https://api.cloud.com/accessSecurity/apiSpecification
Specify the following headers for a JSON formatted file:
...
Accept: application/json
Citrix-CustomerId: \{\{customerId\}\}
Authorization: CWSAuth Bearer=\{\{bearerToken\}\}
Citrix-TransactionId: \{\{Citrix-TransactionId\}\}
...
<!--NeedCopy-->
or with Accept: application/x-yaml for a YAML formatted file.