This is a lightweight Python SDK designed to interact with Palo Alto Networks Cloud Management API.

It consists of an object-oriented library that simplifies OAuth 2.0 session establishment, access token validation, and automatic access token refresh.

Each configuration API endpoint is represented as unique object instances that provide a common set of create, read, update, delete, and list functions.


  • OAuth 2.0 session management (subclassed from requests_oauthlib.Session)
  • Supports credential config file (~/panapi/config)
  • JSON Web Key Set (JWKS) retrieval
  • JWT access token decoding and validation
  • Common create, read, update, delete, and list methods for all config objects
  • Automatic and transparent access token refresh


Upgrade to the latest pip

pip install --upgrade pip

Install using pip

pip install panapi

Upgrade to the latest version

pip install --upgrade panapi


The Cloud Management API utilizes OAuth 2.0 to authenticate and authorize incoming API calls.

This requires requesting an access token from an Authorization Server.

The credentials needed to request an access token can be defined in a configuration located at $HOME/.panapi/config.yml

# my-tenant
client_secret: feea5864-f557-11ec-b939-0242ac120002
scope: tsg_id:1808050139


The following is a brief overview of how to use the pan-api-python SDK. For comprehensive details on its usage, please refer to the documentation here.

Import the modules

The entire SDK can be imported into your project.

import panapi

Specific modules can be imported as well.

from panapi.config import security, network

Individual classes can also be imported.

from import RemoteNetwork, IKEGateway, IPSecTunnel

Establish the OAuth 2.0 session

Instantiate the PanApiSession handler and authenticate to the Authorization Server.

session = panapi.PanApiSession()

If successful, the access token will become an attribute of the PanApiSession instance.


Token validation is done automatically with each API call using the pan-api-python SDK.

However, manual validation of the JWT token claims and cryptographic signature can be done as well.


Working with configuration objects

Instantiate a new configuration object.

addr1 = panapi.config.objects.Address(
    folder = 'Shared',
    name = 'server1',
    ip_netmask = '',
    description = 'App server 1',
    tag = ['production']

Create the new configuration on the cloud management tenant.


The HTTP status code resulting from PanApiSession API transactions attached to the session instance.

result = session.status_code

Retrieve a configuration object by name.

gw1 =
    folder = 'Remote Networks',
    name = 'Seattle-GW'

Display the JSON payload of a configuration object.

json.dumps(gw1.payload, indent=4)

Update elements of a configuration object.

rule =
    folder = 'Shared',
    named = 'Allow monitoring'
rule1.applications = ['snmpv2', 'snmpv3']
rule1.description = 'Allow SNMPv2 and v3 from NOC'

Delete a configuration from the cloud management tenant.

id1 = panapi.config.identity.SAMLProfile(
    folder = 'Shared',
    name = 'AD-SAML'

Developer Sites


Copyright © 2024 Palo Alto Networks, Inc. All rights reserved.