Authentication with the F5 REST API

You must provide authentication to make a successful F5 REST API call. Authentication is the process of verifying the identity of the API call originator. Currently, there are two authentication methods supported: standard HTTP basic authentication and an F5 proprietary token scheme. If both authentication methods are used simultaneously, the token scheme takes precedence.

Basic authentication

To use basic authentication, include a standard HTTP header as part of the API call. The header looks similar to the following.

Authorization: Basic

Where is the Base-64 encoding of the string that is formed by joining the user name to the password using a colon (:). For example, to submit a user name “admin” and the password “default”, the header would be:

Authorization: Basic YWRtaW46ZGVmYXVsdA
The basic authentication method is supported only for local authentication. If you are using an external authentication provider (for example, Radius or Active Directory), you cannot use basic authentication and must use token-based authentication. For additional detail, see the HTTP1.1 RFCs, especially RFC 2616 and RFC 7235.

Token Based Authentication

To create an authentication token with the User authentication API submit a POST to https://BIG-IP-ADDRESS/mgmt/shared/authn/login ) including a data parameter that triggers the generation of an authentication token. No authentication (basic or token-based) is required to submit the particular API call that creates the authentication token. A typical data parameter for this call looks similar to the following example with actual values for the username, password.


"loginProviderName": "tmos"


The REST response to this API call includes a lot of information, including the authentication token. In the example here, the authentication token is VUT2YR667OICEHAEKWBGWOJ3HF.

The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.