This section of the user guide describes how you can programmatically interact with the MetaDefender for Secure Storage REST API. Below are some common tasks that can be done using the available REST APIs:
- Authenticate to obtain a JSON Web Token(JWT)
- Start or stop a process(scan)
- Add / remove storage units
About this REST API
The exposed endpoint is located by default at http(s)://md-storage-server/api/ (for example, the authentication endpoint is available at http(s)://md-storage-server/api/user/authenticate). All requests are handled by the NGINX web server before being proxied to the backend API Gateway service.
All endpoints perform authentication and authorization checks. For these checks to succeed, a valid token should be presented in the Authorization header in the form of Bearer
Please note that all issued tokens have a timestamp and signature associated in order to prevent long-term usage without re - authentication.The lifespan of the token is currently set to 60 minutes, meaning you will have to request a new token before it expires in order to avoid error responses.
Useful links
As mentioned earlier, all endpoints perform authentication and authorization checks. In order for these checks to succeed, a valid token should be presented in the Authorization header in the form of Bearer .
Suggested application logic
If you plan to integrate MetaDefender for Secure Storage in your custom application or workflow, please consider the following scenarios for successfully making REST API requests:
| Scenario | Possible use cases |
|---|---|
| Short-lived integration | You are building or enhancing an application that requires sporadic or on-demand access to MetaDefender for Secure Storage REST APIs. |
| The application is not expected to make more than a few REST API calls per hour. | |
| The application does not need to preserve a session. | |
| Long-lived integration | You are building or enhancing an application that requires continuous, uninterrupted, or hard to predict access to MetaDefender for Secure Storage REST APIs. |
| Requests are being triggered based on external factors and your application should maintain connectivity with MetaDefender for Secure Storage REST API. | |
| Session preserving is necessary and authentication should happen without user-interaction. | |
| Your application will make a significant number of REST API requests and you need increased performance. |
Short-lived integration
Obtain a signed accessToken by calling /api/user/authenticate API
Use this token to call your desired REST API by providing it in the Authorization header
Expire the token by calling /api/user/logout
Repeat steps 1-3 the next time your application needs to call a REST API
Long-lived integration
Obtain a signed token by calling /api/user/authenticate API
Securely save the received accessToken and the refreshToken
Use the accessToken to call your desired REST API by providing it in the Authorization header
Add an exception handler in case you receive a 401 Unauthorized response because the JWT has expired call /api/user/refreshToken to obtain a new accessToken by providing the saved refreshToken.
a) the accessToken expires after an hour of creation; the expiry time is represented in UTC format by the accessTokenExpiryTime value.
b) the refreshToken expires after an hour of creation; the expiry time is represented in UTC format by the refreshTokenExpiryTime value.
c) if the refreshToken has expired as well, obtain a signed token by calling /api/user/authenticate APIUse the newly issued accessToken to call your desired REST API by providing it in the Authorization header
General considerations
The access token expiration date cannot be extended. By default, the access token is valid for an hour after calling /api/user/authenticate API to obtain it.The refresh token is also valid for an hour but can be extended by calling /api/user/refreshToken and it is also automatically extended with an hour with each non-GET request.
A refresh token is used to request a new access token when the current one expires without requiring re-authentication using a username and password.
The refresh token is used to forcibly expire any previously issued JWT when the refresh token expires or is removed by calling /api/user/logout.
A 3rd party application that needs persistent connectivity with MetaDefender for Secure Storage should implement a timeout mechanism to ensure that the refresh token is renewed before it expires by calling /api/user/refreshToken whenever the JWT (access token) is expired but before the refresh token expires as well.
Audit
List audit information
Fetch audit logs
Success
Configuration
Import or export configuration file
Export configuration file
Success
Import configuration file
Success
enabledModules
Success
Deep Cdr
Manage sanitized files
Revert encrypted file
Success
External Logger
Manage external loggers
Retrieve external loggers
Success
Update external logger state
Success
Update a Syslog server configuration
Success
Add a new Syslog server configuration
Success
Delete external logger
Success
File
Retrieve processed files information
Fetch processing results for a file
File processing is done asynchronously and each analysis request is tracked by a file ID. Because processing a file is a potentially time-consuming operation, scheduling a file for processing and retrieving the results needs to be done using two separate API calls.
This request needs to be made multiple times until the analysis is complete. Analysis completion can be tracked using the processingState and the progress values from the response..
Success
Enumerate processed files
Success
Ocm
Manage OPSWAT Central Management integration
ocm
Success
ocm
Success
ocm
Success
Onboarding
Manage onboarding
Fetch onboarding configuration
Success
Finish onboarding
Success
Report
Generate reports
Get scans report
Success
Scan Configuration
List, add, update and delete Scan Configurations
Get Scan Configurations
Success
Add a new Scan Configuration
Success
Update an existing Scan Configuration
Success
Get Scan Configuration by ID
Success
Delete a Scan Configuration
Success
Set a Scan Configuration as default
Success
Get scan by ID
Success
Get scan by ID with information regarding the previous and next scan
Success
Start a scan
Success
Stop a scan
Success
Get next scheduled scan
Success
Delete scans
Success
Scan Instance
List, add, update and delete Scan Instances
Get Scan Instances
Success
Update an existing Scan Instance
Success
Add a new Scan Instance
Success
Get Scan Instance by ID
Success
Delete a Scan Instance
Success
Scan Pool
List, add, update and delete Scan Pools
Get Scan Pools
Success
Update an existing Scan Pool
Success
Add a new Scan Pool
Success
Get Scan Pool by ID
Success
Delete a Scan Pool
Success
Scan Workflow Snapshot
List scan workflow snapshots
Get all scan workflow snapshots by scan ID
Success
Fetch storage security checklist
Success
Fetch security checklist details
Success
Update security checklist item
Success
Verify the security checklist for storage
Success
Enable/Disable the security checklist
Success
Enable all security checklist items
Success
Settings
List or update your settings
Get email notifications configuration
Success
Update email notifications configuration
Success
Fetch SMTP configuration
Success
Update SMTP configuration
Success
Online license activation
Success
Offline license activation
Success
Get license details
Success
Deactivate license
Success
Fetch retention configuration
Success
Update retention configuration
Success
Sso
Sso Authentication and Sso configuration update
Get Sso Configuration
Success
Update Sso Configuration
Success
Storage
Manage your storages
Fetch all storages
Success
Fetch storage by ID
Success
Delete a storage
Success
Update a storage
Note! The following are templates for what is expected in the Credentials, CredentialsFile and Source fields. Please provide the correct values for your storage integration instead of null/false
Alibaba Cloud storage units:
Credentials: "{"Endpoint":null,"AccessKeyId":null,"AccessKeySecret":null,"UseRamRole":false}"
Source: "{"BucketName":null,"FolderLocation":null}"
Amazon S3 / S3 Compatible storage units:
Credentials: "{"ServiceUrl":null,"AccessKeyId":null,"SecretAccessKey":null,"RegionEndpoint":null,"AssumeRoleArn":null,"UseIamRole":false}"
Source: "{"BucketName":null,"FolderLocation":null}"
Azure Blob storage units:
Credentials: "{"TenantId":null,"ClientId":null,"ClientSecret":null,"StorageAccount":null}"
Source: "{"Container":null}"
Azure Files storage units:
Credentials: "{"AccountName":null,"AccountKey":null,"ShareName":null}"
Source: "{"FolderLocation":null}"
Box storage units:
CredentialsFile: upload the credentials file
Source: "{"FolderLocation":null}"
Dell Isilon / SMB Compatible storage units:
Credentials: "{"User":null,"Password":null,"Server":null}"
Source: "{"SharePath":null}"
Google Cloud storage units:
CredentialsFile: upload the credentials file
Credentials: "{"UseAdc":false}"
Source: "{"BucketName":null,"FolderLocation":null}"
OneDrive storage units:
Credentials: "{"TenantId":null,"ClientId":null,"ClientSecret":null}"
Source: "{"Group":null}"
Success
Fetch storage users
Success
Add a storage
Note! The following are templates for what is expected in the Credentials, CredentialsFile and Source fields. Please provide the correct values for your storage integration instead of null/false
Alibaba Cloud storage units:
Credentials: "{"Endpoint":null,"AccessKeyId":null,"AccessKeySecret":null,"UseRamRole":false}"
Source: "{"BucketName":null,"FolderLocation":null}"
Amazon S3 / S3 Compatible storage units:
Credentials: "{"ServiceUrl":null,"AccessKeyId":null,"SecretAccessKey":null,"RegionEndpoint":null,"AssumeRoleArn":null,"UseIamRole":false}"
Source: "{"BucketName":null,"FolderLocation":null}"
Azure Blob storage units:
Credentials: "{"TenantId":null,"ClientId":null,"ClientSecret":null,"StorageAccount":null}"
Source: "{"Container":null}"
Azure Files storage units:
Credentials: "{"AccountName":null,"AccountKey":null,"ShareName":null}"
Source: "{"FolderLocation":null}"
Box storage units:
CredentialsFile: upload the credentials file
Source: "{"FolderLocation":null}"
Dell Isilon / SMB Compatible storage units:
Credentials: "{"User":null,"Password":null,"Server":null}"
Source: "{"SharePath":null}"
Google Cloud storage units:
CredentialsFile: upload the credentials file
Credentials: "{"UseAdc":false}"
Source: "{"BucketName":null,"FolderLocation":null}"
OneDrive storage units:
Credentials: "{"TenantId":null,"ClientId":null,"ClientSecret":null}"
Source: "{"Group":null}"
Success
Update scan configuration
Success
Add a scan schedule
Success
Update a scan schedule
Success
Fetch scan schedules
Success
Delete scan schedules
Success
Retrieve storage user name
Success
User
Create, list and update user accounts
Fetch active users
Success
Register a user
Success
Create a user
Success
Authenticate with a username and password
Authenticate with a username and password to obtain a JWT token,Most of the APIs require authentication in the form of providing a JWT token. Call this API in order to receive a token but please note that it's only valid for an hour so it should be periodically refreshed.
Success
Refresh user token
Success
Logout
Success
Update user role
Success
Fetch users
Success
Delete a user
Success
Update a user
Success
Request password reset
Success
Reset user password
Success
Deprecated Soon To Be Removed
CorePoolDeprecated
Fetch MetaDefender Core Pools
Success
CorePoolDeprecated
Update an existing MetaDefender Core Pool
Success
CorePoolDeprecated
Add a new MetaDefender Core Pool
Success
{corePoolId}Deprecated
Get MetaDefender Core Pool by ID
Success
{id}Deprecated
Delete MetaDefender Core Pool
Success
MetaDefenderCoreDeprecated
Fetch MetaDefender Core servers
Success
MetaDefenderCoreDeprecated
Update MetaDefender Core server
Success
MetaDefenderCoreDeprecated
Add a new MetaDefender Core Server
Success
{metaDefenderId}Deprecated
Get MetaDefender Core server by ID
Success
{metaDefenderId}Deprecated
Delete MetaDefender Core server
Success
{activeFileId}Deprecated
(Deprecated) Get an active scan by scan ID and file ID
Success
{storageId}Deprecated
(Deprecated) Get Real-Time scan
Success
{storageId}Deprecated
(Deprecated) Fetch last completed scan
Success
amazons3Deprecated
(Deprecated - use /storage) Add an Amazon S3 storage
Success
{storageId}Deprecated
(Deprecated - use /storage/{storageId}) Update an Amazon S3 storage
Success
onedriveDeprecated
(Deprecated - use /storage) Add an One Drive storage
Success
{storageId}Deprecated
(Deprecated - use /storage/{storageId}) Update an One Drive storage
Success
boxDeprecated
(Deprecated - use /storage) Add a Box storage
Success
{storageId}Deprecated
(Deprecated - use /storage/{storageId}) Update a Box storage
Success
smbDeprecated
(Deprecated - use /storage) Add Dell Isilon/SMB Compatibile
Success
{storageId}Deprecated
(Deprecated - use /storage/{storageId}) Update a Dell Isilon/SMB Compatibile
Success
azureblobDeprecated
(Deprecated - use /storage) Add an Azure Blob storage
Success
{storageId}Deprecated
(Deprecated - use /storage/{storageId}) Update an Azure Blob storage
Success
alibabacloudDeprecated
(Deprecated - use /storage) Add an Alibaba Cloud storage
Success
{storageId}Deprecated
(Deprecated - use /storage/{storageId}) Update an Alibaba Cloud storage
Success
googlecloudDeprecated
(Deprecated - use /storage) Add a Google Cloud storage
Success
{storageId}Deprecated
(Deprecated - use /storage/{storageId}) Update a Google Cloud storage
Success
azurefilesDeprecated
(Deprecated - use /storage) Add an Azure Files storage
Success
{storageId}Deprecated
(Deprecated - use /storage/{storageId}) Update an Azure Files storage
Success
Webhook
Object event trigger of real time processing
Success