Feature Request: Support JWT Authentication for N‑able N‑central Extension (Surface Command)

Extension: N‑able N‑central
Use case: Surface Command / InsightConnect ingestion
Extension page: Rapid7 Extensions
Category: Extensions / Surface Command

Summary

We are currently unable to use the N‑able N‑central extension with accounts that have MFA enabled, as the extension requires username/password authentication. This blocks integration in environments where MFA is enforced (which is increasingly non‑negotiable).

N‑central already supports JSON Web Token (JWT) authentication for API access, including API‑only users. We are therefore requesting that the Rapid7 N‑central extension be enhanced to support JWT‑based authentication instead of (or in addition to) username/password.

Current Issue

  • The N‑central extension authenticates using username + password

  • This fails when MFA is enabled on the account

  • Disabling MFA for service accounts is not acceptable from a security or audit perspective

  • This prevents use of the extension in security‑mature environments

Supporting Documentation

N‑able explicitly documents JWT authentication for N‑central API access, including:

  • API‑only users

  • Username + JWT or JWT‑only authentication

  • Role‑based permissions tied to the token

Relevant documentation:

This is a first‑class, supported authentication mechanism in N‑central and is specifically designed for automation and integrations.

Requested Enhancement

Update the N‑able N‑central extension to support:

  • Authentication via JSON Web Token (JWT) for API access

  • Ideally via an API‑only user

  • Either as:

    • A replacement for username/password authentication, or

    • An alternative authentication option in the extension configuration

Benefits

  • Enables use of the extension without weakening MFA controls

  • Aligns with N‑able’s documented best practices

  • Improves security posture and audit defensibility

  • Removes the need for insecure workarounds (e.g. MFA exceptions)

Impact

Without this change, organisations enforcing MFA are effectively blocked from using the N‑central → Surface Command integration, despite both platforms supporting secure API‑based access.

Ben, thank you for this post. I’ve booked an internal RFE ticket for the requested change. If you don’t mind, please book an “IDEA” support ticket also, so that we can link that request to the internal RFE ticket.

Done, thanks Jee