API Authentication Patterns
API authentication patterns I’ve actually used. Every entry has a date and context.
2026-03-15: ISE ERS Basic Auth with -k Flag
Problem: ISE uses self-signed certificates by default. curl fails with SSL verification error.
Context: ISE ERS API access, home enterprise with internal CA
The Fix:
# WRONG: SSL verification fails on self-signed cert
curl -u "$ISE_API_USER:$ISE_API_PASS" https://ise-01.inside.domusdigitalis.dev:9060/ers/config/endpoint
# RIGHT (lab only): skip verification with -k; in production specify the CA cert instead
curl -k -u "$ISE_API_USER:$ISE_API_PASS" https://ise-01.inside.domusdigitalis.dev:9060/ers/config/endpoint
# BETTER: specify CA cert for production
curl --cacert /path/to/ca-chain.crt -u "$ISE_API_USER:$ISE_API_PASS" \
  https://ise-01.inside.domusdigitalis.dev:9060/ers/config/endpoint
Rule: Use -k for lab only. Production: use --cacert with your CA chain. Never -k in scripts that run unattended.
Worklog: WRKLOG-2026-03-15
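A check for the rule above, as an added example that is not from the original notes: a POSIX shell lint that reports curl invocations using -k or --insecure, including bundled short flags (-sk) and commands continued across lines. The function names and the sample script are constructed for illustration.

```shell
# Added example (not from the original notes): lint scripts for curl -k.
# Print "START_LINE:COMMAND" for each curl command that disables TLS
# verification with -k / --insecure. Reads the files given, or stdin.
find_insecure_curl() {
    awk '
        buf == "" && /^[ \t]*#/ { next }      # comment line outside a command
        {
            line = $0
            if (buf == "") start = NR         # first line of this command
            if (sub(/\\$/, "", line)) { buf = buf line " "; next }  # continued
            cmd = buf line; buf = ""
            n = split(cmd, w, /[ \t]+/)
            in_curl = 0
            for (i = 1; i <= n; i++) {
                if (w[i] ~ /(^|\/)curl$/) { in_curl = 1; continue }
                if (in_curl && (w[i] == "--insecure" || w[i] ~ /^-[A-Za-z]*k[A-Za-z]*$/)) {
                    print start ":" cmd
                    break
                }
            }
        }
    ' "$@"
}

# Return 1 (hits printed to stderr) so this can gate a commit hook or CI job.
lint_script() {
    hits=$(find_insecure_curl "$@")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" >&2
    return 1
}

# Constructed sample of an unattended job; hostnames come from env vars.
sample_script() {
    cat <<'EOF'
#!/bin/sh
# constructed sample: nightly export job
# curl -k mentioned in a comment is ignored
curl --cacert /path/to/ca-chain.crt -u "$ISE_API_USER:$ISE_API_PASS" "https://$ISE_HOST:$ISE_ERS_PORT/ers/config/endpoint"
curl -k -u "$ISE_API_USER:$ISE_API_PASS" "https://$ISE_HOST:$ISE_ERS_PORT/ers/config/endpoint"
curl -s \
  -H "X-Vault-Token: $VAULT_TOKEN" \
  --insecure \
  "$VAULT_ADDR/v1/pki_int/issue/domus-client"
curl -sk "https://$ISE_HOST:$ISE_ERS_PORT/ers/config/endpoint"
EOF
}

sample_script | find_insecure_curl
```

The match is a heuristic: a bundled short flag with an attached argument containing k (for example -okeys.json) is also reported, so review hits by hand.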
2026-04-03: Vault Token Authentication
Problem: Vault API requires X-Vault-Token header, not Basic auth.
Context: P16g deployment, Vault PKI cert issuance
The Fix:
# Source credentials
ds d000 dev/vault
# Vault uses token auth, not Basic
curl -s \
  -H "X-Vault-Token: $VAULT_TOKEN" \
  -X POST \
  https://vault-01.inside.domusdigitalis.dev:8200/v1/pki_int/issue/domus-client \
  -d '{"common_name": "modestus-p16g.inside.domusdigitalis.dev", "ttl": "8760h"}'
Rule: Vault = X-Vault-Token header. ISE ERS = Basic auth. Wazuh = JWT (POST /security/user/authenticate first). Know your vendor’s auth scheme.
Worklog: WRKLOG-2026-04-03
2026-03-10: dsource Credential Sourcing Pattern
Problem: Hardcoding credentials in scripts is a security violation. Environment variables need consistent sourcing.
Context: All API interactions across 18 vendors
The Fix:
# Source credentials for specific environment + service
dsource d000 dev/ise # Sets ISE_HOST, ISE_API_USER, ISE_API_PASS, ISE_ERS_PORT...
dsource d000 dev/vault # Sets VAULT_ADDR, VAULT_TOKEN...
dsource chla prod/ise # Sets CHLA-specific ISE credentials
# Then use env vars in commands
netapi ise mnt sessions
curl -k -u "$ISE_API_USER:$ISE_API_PASS" "https://$ISE_HOST:$ISE_ERS_PORT/ers/config/endpoint"
Rule: Always dsource before API calls. Never hardcode credentials. dsource sets environment-specific vars from gopass.
Worklog: WRKLOG-2026-03-10