A10 Harmony API

Harmony Controller is the central management platform for A10 products. The controller exposes APIs for all the configuration and management tasks as well getting analytics data. These APIs are called A10 Harmony API.

A10 Harmony API provide RESTful interface and use JSON as data exchange format. All API calls work on secure HTTP (HTTPS) protocol and is authenticated. API micro-service of HarmonyTM Controller serves the APIs. This is different from the micro-service that serves Harmony Portal. Base URL of API server must be prepended to the URI of the specific API before making the API call.

<API Server URL>/<API URI>

In this example,

API Server URL




The Basics

A10 Harmony API follow the principles of REST APIs and have objects and their properties. Each object has a rest endpoint and support common methods GET, POST, PUT and DELETE.

REST Interface

GET call on the collection lists all the objects in the collection.

GET /{object_collection}
GET /applications

POST call on collection adds new object in the collection.

POST /{object_collection}
POST /applications

GET, PUT and DELETE calls on individual object read, update and delete the object respectively.

DELETE /{object_collection}/{object_name}
DELETE /applications/MyApp

For nested objects, URIs extend as per hirarachy.

GET /{parent_object_collection}/{parent_object_name}/{child_object_collection}/{child_object_name}
GET /applications/MyApp/hosts/default-host

Data Input

The APIs accept data in form of JSON objects. In this documentation, request object and well as JSON schema is provided for each API call. In some cases (mostly GET or DELETE calls), sending data may not be required.

  "name": "MyServiceEndpoint",
  "description": "Some Description"


Other than standard HTTP headers, Harmony APIs require some customer headers. One custom header is used for authentication purpose. Other headers are required for Provider and Tenant information. Content-Type header is also required to be set to correct value (application/json) as input data is in JSON format.

'provider": MyProvider'
'Content-Type: application/json'
'Access-Control-Allow-Origin: controller.mydomain.com'

Authentication and Authorization

Each API call is authenticated and checked for authorization before it is accepted by the controller. Encrypted credentials of the user or a session token is required to be sent with each API call for the purpose of Authentication and authorization. This is done via “Authorization” header.

Two schemes of Authorization are supported - Basic and Session.

'Authorization: Basic YWtzaGF5QGFwcGNpdG8ubmV0OndlbGNvbWUxMjM='

Value of Basic Authorization header is constructed with base64 encoded value of user credential string. User credential string is created by concatenating username and password separated with a colon (:).


Value of Session Authorization header is constructed with the session ID obtained from controller in return of a ‘sessions’ API call.

'Authorization: Session b9629bb9-1bae-4a03-a59e-2737246f7697'

Getting Started

Typical flow of working with APIs is:

  1. Create Session

  2. Call Required APIs

  3. Delete Session

Create Session

First step is to create a session with controller and obtain session ID. This session ID can now be used for making other calls. POST call on Sessions collection create a new session.

curl 'https://controller.a10networks.com/api/v2/sessions' \
-H 'Content-Type: application/json' \
-H 'Authorization: Basic c29tZW9uZUBleGFtcGxlLm5ldDpwYXNzd29yZA==' \
-H 'provider: root' \
--data-binary '{"userId":"someone@example.net"}'

The newly created session object is returned in JSON format.

  "id" : "914cc8d1-3df0-4910-beea-6b0016ba626b",
  "providerId" : "067e6162-3b6f-4ae2-a171-2470b63dff00",
  "provider" : {
    "name" : "root",
    "id" : "067e6162-3b6f-4ae2-a171-2470b63dff00",
    "authenticationProvider" : {
      "type" : "default",
      "inheritable" : "optional"
    "services" : [ ]
  "authenticationProvider" : {
    "type" : "default",
    "inheritable" : "optional"
  "userId" : "someone@example.com",
  "createdAt" : "Jul 28, 2017 09:02:09 AM UTC",
  "lastAccessedAt" : "Jul 28, 2017 09:02:09 AM UTC"

‘id’ from the session object will be used for session authentication in all subsequent calls. This session expires after 60 minutes of inactivity and required to be created again.

Call Required APIs

Sequence of APIs can be called to perform the required task. All these API calls can use the session authentication by including session id obtained in previous step as part of Authorization header.

curl 'https://controller.a10networks.com/api/v2/roles' \
-H 'Content-Type: application/json' \
-H 'Authorization: Session 914cc8d1-3df0-4910-beea-6b0016ba626b' \
-H 'provider: root'

Any number of API calls can use the same session.

curl 'https://controller.a10networks.com/api/v2/providers/root/tenants' \
-H 'Content-Type: application/json' \
-H 'Authorization: Session 914cc8d1-3df0-4910-beea-6b0016ba626b' \
-H 'provider: root'

Delete Session

Though the session automatically expires in 60 minutes, it is a good practice to delete the session after use. Calling session object’s URI with DELETE method deletes the session. After delete, session id can’t be used for session authentication.

curl 'https://controller.a10networks.com/api/v2/sessions/914cc8d1-3df0-4910-beea-6b0016ba626b' \
-H 'Content-Type: application/json' \
-H 'Authorization: Session 914cc8d1-3df0-4910-beea-6b0016ba626b' \
-H 'provider: root' \