Using HTTP API without putting credentials in the path

Votes:

0

Is there any way of using the HTTP API without putting credentials (in plain text) in URL parameters? I'm a little baffled that this is even allowed. This is a security faux pas as literally anyone in between the request initiator and the PRTG endpoint will have the credentials.

I would expect to pass them in as part of the body or as part of the headers.

Is this possible?

authentication http-api security

Created on Jan 8, 2018 5:29:47 PM



2 Replies

Votes:

0

Hello Justin,

Use parameter passhash instead of password in the API call. You can find the passhash in your user account's settings (Setup | Account Settings | My Account). It can only be used to run API calls, but not for logging in to PRTG's web interface.

Kind regards,

Erhard

Created on Jan 9, 2018 9:03:47 AM by Erhard Mikulik [Paessler Support]



Votes:

0

Hey Erhard,

This doesn't really solve the issue that Justin was flagging AFAICT. The point Justin was making is that the URLs all contain the username and password for each request. URLs are useful debugging tools and often get logged, so having creds, even hashed creds that work for an extended duration, in the URL is not a common practice. Any use of the PRTG API requires end users to be meticulous about avoiding logging URLs.

Does that make sense?

Todd

Created on Sep 7, 2021 9:56:35 PM
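The logging concern raised in the reply above can be reduced on the client side by scrubbing credential parameters from URLs before they reach a log. The following is an added example, not part of the original thread and not Paessler code; it assumes a Python client, and the hostname, account name and hash value are constructed placeholders.

```python
import logging
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# "password" and "passhash" are the parameters named in this thread;
# "username" is added as an assumption so account names stay out of logs too.
SENSITIVE = {"password", "passhash", "username"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def redact_url(url: str) -> str:
    """Return url with the values of sensitive query parameters masked."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def redact_text(text: str) -> str:
    """Mask credentials in every URL found inside free text."""
    return URL_RE.sub(lambda m: redact_url(m.group(0)), text)


class RedactCredentials(logging.Filter):
    """Logging filter that scrubs the formatted message before it is written."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage())
        record.args = None  # message is already formatted above
        return True


if __name__ == "__main__":
    # Constructed sample request line; all values are placeholders.
    sample = ("https://prtg.example.com/api/table.json"
              "?content=sensors&username=apiuser&passhash=1234567890")
    handler = logging.StreamHandler()
    handler.addFilter(RedactCredentials())  # applies to everything this handler emits
    log = logging.getLogger("prtg-client")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    log.info("request failed: %s", sample)
```

This only covers logs the client itself writes; proxies and web servers along the path keep their own access logs and need the same treatment.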



