KACE API Access - No CSRF Token


I am trying to access my KACE instance API for scripting purposes (such as getting a list of all our device/software/...). I'm using this page https://support.quest.com/technical-documents/kace-systems-management-appliance/12.0%20common%20documents/api-reference-guide to help me however here is my situation :

A "POST" with my username/password to http://myKACE/ams/shared/api/security/login returns HTTP 200 with the following headers : X-Kace-Authorization, X-Kace-Appliance, X-Kace-Esmp-Performance. But no "X-Kace-CSRF-Token" ! However the X-Kace-Authorization seems very promising as it contains an authentication method ("Bearer") and token... I guess I might use this for further requests but I have no information as of how I should do it.

Here are examples of responses I get with further calls :

- /api/accounts ==> 401 Unauthorized / The request has not been authenticated. Allowed secure types for the resource are: ''.

- /api/inventory/machines ==> 500 Internal Server Error / No route found for \"GET /inventory/machines\"

Could you help me with this issue ? My KACE server version is 12.1.169, without MFA.

0 Comments   [ + ] Show comments

Answers (4)

Answer Summary:
Posted by: Unsullied 1 month ago
Senior White Belt

Top Answer

Hi @SeRil,

I think the latest versions of the SMA utilizes JWT authentication method. Thus, you will see 'x-kace-authorization' in the header containing the bearer token. For authentication, try this:

  1. POST request to http://mykace/ams/shared/api/security/login with username and password (ensure 'Mobile Device Access' is enabled for designated/service user, Settings > Users )
    Retrieve responded header ['x-kace-authorization'] and cookies. Cookies should contain your logged session and kbox info. These are required and to be included for subsequent API calls.

  2. Try GET request to http://mykace/api/users/users/ 

    Good luck as I think this is sufficient for you to start! 
Posted by: KevinG 1 month ago
Red Belt

What programing language are you using to make the API calls?

Or are you using Postman?

Posted by: SeRil 1 month ago
White Belt

Hi ! I am using Powershell, but also a "manual" REST client called Boomerang (Chrome Extension), similar to Postman.

Posted by: SeRil 1 month ago
White Belt

Thank you so much for your answer, it was a huge help!

I managed to re-use the cookies, and actually got data with :

http://mykace/api/users (but not with http://mykace/api/users/users)

http://mykace/api/machines (but not with http://mykace/api/inventory/machines)

The most problematic part is that "api/machines" is indeed returning a list of machines, but I have no documentation on how to handle those. I tried following the same rules as for the theoretical "/api/inventory/machines" (from https://support.quest.com/de-de/technical-documents/kace-systems-management-appliance/12.0%20common%20documents/api-reference-guide#TOPIC-1681523), but it doesn't work the same : with "/api/machines", I can't use filters, nor append a "/{id}", it just keeps returning the same array.

The API version returned is "16". Is there any reference guide to help me somewhere ? 

  • OK eventually a colleague of mine rolled v13 of KACE, and here I realized that I need to add a "x-kace-api-version" header to get results. The number in this header can be anything (even tried with ridiculously high numbers, it worked), but you can't enter "latest" (needs to be a number I guess).

    So everything is now working fine for me, thanks @Unsullied for your precious help. - SeRil 1 month ago
    • Kudos, glad to hear that - Unsullied 1 month ago

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

View more:


This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ