FMC REST API Reference

API Architecture

Three API Services

| Service | Base Path | Purpose |
|---|---|---|
| fmc_config | /api/fmc_config/v1/domain/{domainUUID}/ | Device configuration, policies, objects, rules, NAT, routing, VPN, deployment. |
| fmc_platform | /api/fmc_platform/v1/ | Authentication, token management, server info, domain listing, task status. |
| fmc_tid | /api/fmc_tid/v1/domain/{domainUUID}/ | Threat Intelligence Director — TAXII feeds, indicators, observables. |

FMC vs FDM

| | FMC REST API | FDM API |
|---|---|---|
| Manages | Multiple FTDs centrally | Single FTD locally (no FMC) |
| Base path | /api/fmc_config/v1/domain/{UUID}/ | /api/fdm/v6/ |
| Auth | Token via header (X-auth-access-token) | OAuth 2.0 |
| Reference | <FMC>/api/api-explorer | developer.cisco.com/docs/ftd-api-reference/latest/ |

The Cisco DevNet FTD API Reference documents the FDM API, not FMC. FDM endpoints do not work against FMC.

API Explorer

Every FMC has a built-in API Explorer at <FMC_HOST>/api/api-explorer that documents every endpoint for your specific version.

Authentication

Token Lifecycle

| Property | Value |
|---|---|
| Token lifetime | 30 minutes |
| Refresh limit | 3 refreshes per token pair |
| Maximum session | ~120 minutes (30 min + 3 × 30 min refreshes) |
| Concurrent tokens | 3 per user |
| GUI conflict | Same user cannot use GUI and API simultaneously — one gets logged out |
| Auth method | HTTP Basic Auth for token generation; X-auth-access-token header for all subsequent requests |

Endpoints

| Endpoint | Method | Purpose |
|---|---|---|
| /api/fmc_platform/v1/auth/generatetoken | POST | Generate access + refresh token (Basic Auth required) |
| /api/fmc_platform/v1/auth/refreshtoken | POST | Refresh token (both tokens in headers, no credentials) |
| /api/fmc_platform/v1/info/domain | GET | List domains and their UUIDs |
| /api/fmc_platform/v1/info/serverversion | GET | FMC software version |
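
The token rules in the two tables above, as an added example (not from the original page and not Cisco's code): a session object that sends Basic Auth only to generatetoken, refreshes at most 3 times, and logs in again once the refresh budget is spent. The class name, the `post` transport hook and the 60-second renewal margin are assumptions; X-auth-refresh-token is the header FMC uses for the refresh token, which the page does not name.

```python
import base64
import ssl
import time
import urllib.request

TOKEN_LIFETIME = 30 * 60  # seconds (Token Lifecycle table)
MAX_REFRESHES = 3         # refreshes per token pair

def https_post(host, cafile):
    """Transport: POST with the FMC certificate verified against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    def post(path, headers):
        req = urllib.request.Request(f"https://{host}{path}", data=b"",
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return dict(resp.headers.items())
    return post

class FmcSession:
    """Holds one token pair and renews it before the 30-minute expiry."""
    def __init__(self, post, user, password, clock=time.monotonic, margin=60):
        self._post, self._clock, self._margin = post, clock, margin
        cred = base64.b64encode(f"{user}:{password}".encode()).decode()
        self._basic = {"Authorization": "Basic " + cred}
        self.access = self.refresh = None
        self.refreshes_used, self._issued = 0, 0.0

    def _store(self, hdrs):
        h = {k.lower(): v for k, v in hdrs.items()}  # header names vary in case
        self.access = h["x-auth-access-token"]
        self.refresh = h["x-auth-refresh-token"]
        self._issued = self._clock()

    def login(self):
        """Basic Auth is sent only here, never on refresh or data requests."""
        self._store(self._post("/api/fmc_platform/v1/auth/generatetoken", self._basic))
        self.refreshes_used = 0

    def auth_headers(self):
        """Headers for the next request; refreshes or re-logs-in when due."""
        if self.access is None:
            self.login()
        elif self._clock() - self._issued >= TOKEN_LIFETIME - self._margin:
            if self.refreshes_used < MAX_REFRESHES:
                self._store(self._post("/api/fmc_platform/v1/auth/refreshtoken",
                    {"X-auth-access-token": self.access, "X-auth-refresh-token": self.refresh}))
                self.refreshes_used += 1
            else:
                self.login()  # refresh budget spent: credentials needed again
        return {"X-auth-access-token": self.access}
```

Build the transport with `https_post(host, cafile)` and call `auth_headers()` before every request. Use a dedicated API user, since the same account cannot hold a GUI session at the same time.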

Query Parameters

| Parameter | Default | Description |
|---|---|---|
| expanded | false | true returns full object details. Always use for audit work. |
| limit | 25 | Items per page. Maximum: 1000. |
| offset | 0 | Starting position for pagination. |
| filter | (none) | Object-specific filtering. Varies by endpoint. |

Rate Limiting

| Constraint | Value |
|---|---|
| GET requests | 120/min per IP (300/min on FMC 7.6+) |
| Non-GET | 1 at a time per device (serialized) |
| Concurrent connections | 10 per IP |
| Max payload | 2,048,000 bytes (~2 MB) |
| Rate limit error | HTTP 429 |

Error Codes

| Code | Meaning |
|---|---|
| 200 | Success |
| 201 | Created |
| 400 | Bad request — malformed JSON or invalid parameters |
| 401 | Unauthorized — token expired or missing |
| 403 | Forbidden — RBAC insufficient |
| 404 | Not found |
| 422 | Payload too large or validation failure |
| 429 | Rate limited — back off |
| 500 | FMC internal error |

Endpoint Reference — fmc_config

All paths relative to /api/fmc_config/v1/domain/{domainUUID}/

Devices

| Endpoint | Methods |
|---|---|
| /devices/devicerecords | GET |
| /devices/devicerecords/{id}/physicalinterfaces | GET |
| /devices/devicerecords/{id}/subinterfaces | GET |
| /devices/devicerecords/{id}/etherchannelinterfaces | GET |
| /devicegroups/devicegrouprecords | GET, POST |
| /deviceclusters/ftddevicecluster | GET |
| /devicehapairs/ftddevicehapairs | GET |

Objects — Network

| Endpoint | Methods |
|---|---|
| /object/hosts | GET, POST, PUT, DELETE |
| /object/networks | GET, POST, PUT, DELETE |
| /object/ranges | GET, POST, PUT, DELETE |
| /object/fqdns | GET, POST, PUT, DELETE |
| /object/networkaddresses | GET (read-only aggregate) |
| /object/networkgroups | GET, POST, PUT, DELETE |
| /object/securityzones | GET, POST, PUT, DELETE |

Objects — Service / Port

| Endpoint | Methods |
|---|---|
| /object/protocolportobjects | GET, POST, PUT, DELETE |
| /object/icmpv4objects | GET, POST, PUT, DELETE |
| /object/portobjectgroups | GET, POST, PUT, DELETE |

Objects — Other

| Endpoint | Methods |
|---|---|
| /object/urls | GET, POST, PUT, DELETE |
| /object/urlgroups | GET, POST, PUT, DELETE |
| /object/vlantags | GET, POST, PUT, DELETE |
| /object/geolocations | GET |
| /object/isesecuritygrouptags | GET |
| /object/dnsservergroups | GET, POST, PUT, DELETE |
| /object/slamonitors | GET, POST, PUT, DELETE |

Policies — Access Control

| Endpoint | Methods |
|---|---|
| /policy/accesspolicies | GET, POST, PUT, DELETE |
| /policy/accesspolicies/{id}/accessrules | GET, POST, PUT, DELETE |
| /policy/accesspolicies/{id}/categories | GET, POST, PUT, DELETE |
| /policy/accesspolicies/{id}/defaultactions/{id} | GET, PUT |

Policies — Prefilter, NAT, Intrusion

| Endpoint | Methods |
|---|---|
| /policy/prefilterpolicies | GET, POST, PUT, DELETE |
| /policy/prefilterpolicies/{id}/prefilterrules | GET, POST, PUT, DELETE |
| /policy/ftdnatpolicies | GET, POST, PUT, DELETE |
| /policy/ftdnatpolicies/{id}/natrules | GET, POST, PUT, DELETE |
| /policy/ftdnatpolicies/{id}/autonatrules | GET, POST, PUT, DELETE |
| /policy/intrusionpolicies | GET, POST, PUT, DELETE |
| /policy/filepolicies | GET, POST, PUT, DELETE |

VPN

| Endpoint | Methods |
|---|---|
| /policy/ftds2svpns | GET, POST, PUT, DELETE |
| /policy/ravpns | GET, POST, PUT, DELETE |

Routing

| Endpoint | Methods |
|---|---|
| /devices/devicerecords/{id}/routing/ipv4staticroutes | GET, POST, PUT, DELETE |
| /devices/devicerecords/{id}/routing/ipv6staticroutes | GET, POST, PUT, DELETE |
| /devices/devicerecords/{id}/routing/virtualrouters | GET, POST, PUT, DELETE |

Assignment / Deployment

| Endpoint | Methods | Note |
|---|---|---|
| /assignment/policyassignments | GET, POST, PUT | Policy-to-device mapping |
| /deployment/deployabledevices | GET | Devices with pending changes |
| /deployment/deployabledevices/{id}/pendingchanges | GET | What changed |
| /deployment/deploymentrequests | POST | Trigger deployment (write) |

Audit

| Endpoint | Methods |
|---|---|
| /audit/auditrecords | GET |

Endpoint Reference — fmc_platform

| Endpoint | Methods |
|---|---|
| /api/fmc_platform/v1/auth/generatetoken | POST |
| /api/fmc_platform/v1/auth/refreshtoken | POST |
| /api/fmc_platform/v1/info/serverversion | GET |
| /api/fmc_platform/v1/info/domain | GET |
| /api/fmc_platform/v1/domain/{domainUUID}/taskstatuses | GET |

There is no token introspection endpoint. GET /auth/token returns an error ("Authentication resource supports only POST action"). To verify your API user’s role, check the FMC GUI: System → Users.

Operational Notes

Terminal Function Definitions

Do not paste multi-line shell functions into the terminal — line wrapping corrupts tokens inside strings (e.g., Content-T + ype). Define functions as single lines:

fmc_get() { /usr/bin/curl -sS -k -H "X-auth-access-token: ${ACCESS_TOKEN}" -H "Content-Type: application/json" "https://${FMC_HOST}/api/fmc_config/v1/domain/${DOMAIN_UUID}${1}"; }

Multi-line format is safe only in sourced scripts.

Pagination

Default limit is 25. Always pass limit=1000 (maximum) for audit queries. Check jq '.paging' to verify the result is not truncated.
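
An added example (not from the original page) of an audit read that cannot be silently truncated: it pages with limit=1000 and offset, backs off on HTTP 429, and fails if fewer items arrive than the response reports. The `get` transport hook, the `RateLimited` exception and the retry schedule are assumptions, as is the response shape (`items` plus `paging.count`).

```python
import time

MAX_LIMIT = 1000  # page-size maximum from the Query Parameters table

class RateLimited(Exception):
    """Raised by the transport when FMC answers HTTP 429."""

def get_all(get, path, expanded=True, sleep=time.sleep, max_retries=5):
    """Collect every item of a paginated fmc_config collection.

    get(path, params) -> parsed JSON body; hypothetical transport hook that
    raises RateLimited on HTTP 429.
    """
    items, offset, total = [], 0, 0
    while True:
        params = {"limit": MAX_LIMIT, "offset": offset,
                  "expanded": "true" if expanded else "false"}
        for attempt in range(max_retries + 1):
            try:
                body = get(path, params)
                break
            except RateLimited:
                if attempt == max_retries:
                    raise
                sleep(min(2 ** attempt, 30))  # 1, 2, 4, ... seconds, capped
        page = body.get("items", [])  # key may be absent on an empty result
        items.extend(page)
        total = body.get("paging", {}).get("count", len(items))
        offset += len(page)
        if not page or offset >= total:
            break
    if len(items) != total:
        # An audit built on a partial rule or object list is worse than none.
        raise RuntimeError(f"{path}: got {len(items)} of {total} items")
    return items
```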

-k and --cacert

When using -k (certificate verification disabled), --cacert has no effect, so omit it. After certificate renewal, remove -k and restore --cacert.

EtherChannel Interfaces

If physical interfaces show no zone assignments, check EtherChannel (port-channel) interfaces — zones may be assigned there instead.