Can't figure out Authorization to use API

Hi there,
I have been trying to use the API provided by InsightVM to get some data, but I just can’t figure out the Authorization part of the API.

I have imported the swagger file in Postman available here and, as mentioned in the doc, I am passing username:password (the same ones I use to log in to Rapid7) as base64 in the Authorization header, as you can see in the image below.

But it’s always giving me a 401 “Unauthorized”, although interestingly, when I pass an “X-api-key” header with the API key, it gives me a 404, as you can see below.

The error implies that the resource doesn’t exist, but I can clearly see them in my dashboard on Rapid7’s website.
Can anyone please help me out with this part?

If you log in to InsightVM normally and then navigate to https://{{baseUrl}}/api/3/assets in your address bar (obviously replacing baseUrl with whatever FQDN you are using), does the server return the expected data, or a 401 error?

If the server returns valid data when accessed via browser, then there’s probably something incorrect around the Authorization header; try decoding the BASE64 and making sure it matches up with what you expected. Also, if you use 2FA, make sure you’re specifying the Token header. Finally, if your organization uses SSO to log in to Rapid7, that could be part of the problem as well, in which case you could verify by creating a designated API user that is not associated with SSO.

If the server returns a 404 error when accessed via browser, then you will want to make sure that you have the right FQDN defined for baseUrl.

Hope this helps!

I have checked everything and I also think the problem lies in the FQDN part; can you help me understand what’s supposed to go in {{baseUrl}}?
Currently my {{baseUrl}} is “https://us2.api.insight.rapid7.com/vm/”. Maybe that’s where I am making a mistake and it’s supposed to be something else.

Please, somebody correct me if I am wrong.

I think the base URL is the security console URL and not the Insight Platform API URL.
In the reference you have shared, it specifically states the below:
“Versioning is specified in the URL and the base path of this API is: `https://:/api/3/`”

That means to me that it is pointing to the security console, so if you have an IP base then it should be
https://IP:3780/api/3/assets/, or if it’s an FQDN then https://FQDN:3780/api/3/assets/

Tried it in my Postman and it seems like it.

I believe you’re correct, Nowel. We use MVM (Rapid7 hosts our console), and when I log in to InsightVM and click the Home icon in the left toolbar, I get the following URL:

https://myemployersname.managed.rapid7.com/home.jsp

The FQDN in this URL matches the same URL that I connect to with the API. So when I want to get the assets using the API, I connect to the following URL:

https://myemployersname.managed.rapid7.com/api/3/assets/

I believe you have the right URL for on-premise, but I am unable to verify personally.

Sorry if I am asking a very stupid question, but how would I know if I have an IP base or an FQDN?
Unfortunately, I was not the one who configured InsightVM; I have access to the dashboard and Admin privileges to figure out the API part.

I can see some assets in the Asset Panel with their IP address, name, OS, etc., and when I use the IP address from the Asset Panel and put it in the GET query as you mentioned, it shows a request timeout.

So the issue you’re facing is because of the authentication. For Postman, you don’t need to pass the authentication in the Headers.

For Postman, you can go to the collection in the left sidebar for the InsightVM API and go to the authorization tab. From there, select Basic authentication and simply fill in your username and password in cleartext. Postman will then take those credentials and put them into each request for you properly.

Your question of whether to use the IP or the FQDN comes down to whether or not you are using SSL verification. If you have a signed cert, then it’s for the FQDN, e.g. https://google.com:3780, and you would need to specify that FQDN and have the certificate loaded into Postman. However, if you have already disabled SSL verification in Postman, then it doesn’t care whether you use the FQDN or the IP in the baseUrl.

So you could use either https://consolename.domain:3780 or https://1.2.3.4:3780, and either should work just fine.

Also, as mentioned above by @nowel, the Platform API is completely separate, and that’s when you would use https://us2.api.insight.rapid7.com/vm/

The Platform API is considered the v4 API, built for cloud integrations. This API is very limited compared to the console API v3.
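To make the two points in this thread concrete (the Basic header is base64 of `username:password`, and the v3 path hangs off the console host, not the platform host), here is an added example in Python that is not Rapid7's own code and not from any post above. The console FQDN console.example.com, port 3780 and the user names are placeholders; the 2FA `Token` header and the `/api/3/assets` path are the ones the thread and the docs mention.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request

# Placeholder bases (assumed): the v3 API is served by the console; the platform v4 API uses X-Api-Key.
CONSOLE_BASE = "https://console.example.com:3780"
PLATFORM_BASE = "https://us2.api.insight.rapid7.com/vm/"

def basic_auth_header(username: str, password: str) -> str:
    """Value for the Authorization header: 'Basic ' + base64('username:password')."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def decode_basic(header_value: str) -> tuple:
    """Reverse the encoding so a hand-built header can be checked against the real login."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError(f"expected a Basic header, got {scheme!r}")
    username, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return username, password

def console_headers(username: str, password: str, totp: str = None) -> dict:
    """Console API headers; a 2FA code travels in a separate 'Token' header."""
    headers = {"Authorization": basic_auth_header(username, password), "Accept": "application/json"}
    if totp:
        headers["Token"] = totp
    return headers

def asset_url(base: str, page: int = 0, size: int = 10) -> str:
    """Versioned path from the docs: {base}/api/3/assets, for an FQDN or IP base."""
    return f"{base.rstrip('/')}/api/3/assets?page={page}&size={size}"

def explain_status(status: int) -> str:
    """The two codes seen in the thread, mapped to the next check worth doing."""
    return {
        401: "credentials rejected: decode the header, add the Token header for 2FA, or use a non-SSO API user",
        404: "path not found: the base URL is probably the platform host, not the console (https://FQDN:3780)",
    }.get(status, f"unexpected HTTP {status}")

def fetch_assets(base, username, password, totp=None, cafile=None):
    """GET one page of assets; verify TLS against the console's CA (cafile) instead of disabling it."""
    req = urllib.request.Request(asset_url(base), headers=console_headers(username, password, totp))
    try:
        with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=cafile), timeout=30) as resp:
            return json.load(resp)["resources"]
    except urllib.error.HTTPError as err:
        raise RuntimeError(f"HTTP {err.code}: {explain_status(err.code)}") from err
```

Passing the console's own CA certificate as `cafile` keeps verification on for an FQDN with a private cert, which is the safer alternative to switching SSL verification off in Postman.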