Learn about best practices to secure your Zabbix API using token-based authentication and create seamless and protected integrations with any software.
Previously, the only way to access Zabbix API was to pass Zabbix login credentials through user.login method. So, the common practice was to create a special API-only user with disabled access to frontend and use this user’s login and password for API authorization of a 3rd party service. Since regular users cannot do this themselves, they had to ask a Super admin first to create a user for API, then to delete this user when access is no longer needed.
Zabbix API tokens, introduced in 5.4 release, make authentication simpler and, at the same time, much more secure:
- No more need to create “technical users” for API access
- Now any user can create and manage own API tokens, if this is allowed by their user role settings
- Granular permissions – you decide which users can manage tokens
- API calls do not expose passwords or tokens when requesting data
- Set token expiry dates to control access terms
- Automatically generated token is harder to brute force than login and password
Check out the video below to get familiar with this new functionality:
How to visualize data with the Graph widget:
- Super admins with sufficient permissions can create and manage API tokens in the Administration→General frontend section or via the new ‘token’ group of API methods
- In the web interface, go to Administration-> General menu section, switch to the API tokens screen and press “create a new token”
- Enter a name, then select a user this token should be assigned to. Consider adding an expiration date to limit token validity period
- Press Add to save this token. The token value will appear in a new pop-up window. Make sure to copy and save the token in a safe place
- After closing this window, it will not be possible to view the token value again. But you can regenerate the token to create a new value for it
- Now you can use this token to grant secure access to a 3rd party tool that you’d like to integrate Zabbix with
Tips and best practices:
- The permission to manage API tokens is granted/revoked in the user role settings. Use the principle of least privilege when defining access rights
- Create a unique token for each integration and reveal the value only to the service that needs it
- Treat token value just as any other sensitive information: store it in a secure place, preferably not accessible remotely
- Set token expiration date and time to the required minimum. If you need to grant long-term access, consider changing tokens every now and then
- Always send tokens over HTTPS
