I was wondering this too.

When I first started using the API I was not using SSL to encrypt the API calls. So I was wondering how long the "auth token" would be valid in the instance someone intercepted it. That said, if they had the opportunity to intercept the token, they had the opportunity to intercept the username and password used to generate the token, thus making the life of the token a moot point.

Typically my API calls only take a few seconds to execute, and I imagine the overhead in generating the token is minimal, so I generate a new token for each "batch" of API calls.

But I can still see value in reusing a token over a longer period (say if your API calls were constantly changing and updating objects). Or even when you don't want to hard code the API username and password into multiple scripts. Perhaps you could have a secure system use the API username and password to generate the token, then post the token to a reference point for all the distributed scripts that need API access.

I'm rambling now...

So yeah, does anyone know how long API tokens are valid for?

-Timbo

I have a slightly different desire. Essentially I want to design a widget for a portal that refreshes itself looking for alerts, and that can do it indefinitely (as long as browser is open). Once I authenticate, I just want to use the token from there on out.

Ah, there you go. I have only ever used the API for "Configuration" and "Administration", I didn't realise there was a "Monitoring" component.

history.get - That's cool. I'm probably going to kill my Zabbix server requesting bulk data from that.

-Timbo

Yikes. I just started looking at the API. You are right, it does seem to be geared mostly towards configuration. I was really hoping for a way to pull the latest alerts! Maybe I will have to skim the mysql database!

For anyone stumbling upon this thread, I posted an answer over here:


-Timbo

Zabbix API: When does "auth" token expire?

For all intents and purposes, it looks like the Zabbix API token does not expire. There is nothing in the Zabbix documentation that says it expires.

Does zabbix token automatically expire after some time?
Is there a problem if i have an API user who just does user.login but doesn't do user.logout,
What impact will it have on zabbix database session table?

In frontend under Reports --> Audit, I see this user has lots of login actions. Does this information from session table is DB ?

does frontend --> General --> Housekeeping --> user sessions delete inactive sessions from session table?

can any one pleas reply?