API Gateway overview
Tanium™ API Gateway provides a single and stable API integration point for various Tanium solutions. It is designed for Tanium partners and customers interested in building integrated solutions with the Tanium™ Core Platform.
API Gateway topology
The API Gateway service runs
With the API Gateway, information passes between users and the
- The API Gateway requires the System User Service to be running to perform background functions.
- Users send requests to the API Gateway to be performed on endpoints, such as action deployment and queries for question results.
- By default, the API Gateway relays user queries to the Tanium Data Service, which continuously collects results for all registered sensors through the
- Users can optionally specify queries that go directly from the API Gateway to the
- Users can specify requests that go from the API Gateway to Tanium solutions to be performed on endpoints. For example, a user might request Tanium™ Direct Connect to establish a direct connection to a specific endpoint.
- The
- Tanium Clients return the question results or action statuses to the
Query explorer
API Gateway includes an interactive query explorer that you can use to write and run queries and mutations in the Tanium Console. Use the query explorer to try new queries and discover what data is available.
You can find the query explorer on the API Gateway Overview page:
If the query explorer does not appear on the API Gateway Overview page, click Customize Page and make sure the Query Explorer option is selected.
Query variables
If a query or mutation uses variables, expand the QUERY VARIABLES pane and include the variables in the pane that expands. 
For the best results, use query variables when passing arguments, such as when you use pagination or filtering in your request. For more information, see Pagination and Filters.
Schema reference
API Gateway contains a schema reference that documents all queries, mutations, and objects that are available in API Gateway. The schema reference is generated directly from the schema; refer to the schema reference in API Gateway for the most up-to-date documentation.
To view the schema reference in the query explorer, click Docs to expand the Documentation Explorer pane of the query explorer.
The query explorer uses the GraphiQL interactive browser to send GraphQL queries and mutations to
Authentication
Requests that are sent from the query explorer in the Tanium Console are authenticated and authorized with the session ID of the user who is signed in.
Requests that are sent from outside the Tanium Console are authenticated and authorized with
Use API tokens to send requests through API Gateway instead of session IDs. While session IDs time out after five minutes of inactivity, you can set a longer timeout for API tokens. You can create API tokens in the Tanium Console, through the Tanium Core Platform REST API, or using the API Gateway. For more information on creating API tokens in the Tanium Console, see Tanium Console User Guide: Managing API tokens. For more information on creating tokens using API Gateway, see API token examples.
Use API tokens to send requests through API Gateway. You can create API tokens in the Tanium Console, through the Tanium Core Platform REST API, or using the API Gateway. For more information on creating API tokens in the Tanium Console, see Tanium Console User Guide: Managing API tokens. For more information on creating tokens using API Gateway, see API token examples.
When requests are sent outside the Tanium Console, make sure to use the correct URL to send requests. See Root endpoint and Example cURL syntax for examples.
Rate limits
API Gateway has no specific rate limits.
Tanium Cloud imposes rate limits on incoming requests. If you exceed the rate limits, any mutations and queries return an HTTP 429 error. For information on rate limits in Tanium Cloud, see Getting started with Tanium Cloud.
Root endpoint
To send queries and mutations outside the Tanium Console, use the following address:
https://<server>/plugin/products/gateway/graphql
https://<customerName>-api.cloud.tanium.com/plugin/products/gateway/graphql
Example cURL syntax
curl --request POST \
--url https://localhost/plugin/products/gateway/graphql \
--header 'Content-Type: application/json' \
--header 'session: token-356d5f5bbb3671f28e24f65be3bdd54d9d81001ca823efaabc5fbff251' \
--data '{"query":"{\n now\n}\n"}'curl --request POST \
--url https://acme-api.cloud.tanium.com/plugin/products/gateway/graphql \
--header 'Content-Type: application/json' \
--header 'session: token-356d5f5bbb3671f28e24f65be3bdd54d9d81001ca823efaabc5fbff251' \
--data '{"query":"{\n now\n}\n"}'
Pagination
Queries that return many results are paginated to reduce resource utilization. API Gateway uses the standard Relay GraphQL pagination specification to provide users the option to explicitly control pagination.
Paginated queries return a connection type that is prefixed with the name of the data type, such as EndpointConnection. Queries accept standard arguments to control the pagination. For more information on pagination syntax, see Reference: Paginated query syntax.
Example of a paginated query:
query paginationExample {
endpoints {
edges {
node {
id
serialNumber
}
}
pageInfo {
hasNextPage
endCursor
}
}
}Cursors
Use cursors to control relay pagination. Cursors are opaque strings that point to records within queried collections, and can be used to request the records after the cursor. All collections support forward traversal, and some also support backward traversal.
Cursors are valid only for the query for which they were returned. Cursors are generally valid for five minutes after their most recent use. Any queries that deviate from this policy are documented in the query field. It is a best practice to use query variables with cursors to quickly update the pagination in your request.
Connection results are stable and consistent when traversed with cursors unless documented in the query field.
Example of an endpoint query with cursors:
query useCursorsForEndpoints ($cursor: Cursor, $results: Int) {
endpoints(after: $cursor, first: $results) {
edges {
node {
name
ipAddress
}
}
pageInfo {
startCursor
endCursor
hasPreviousPage
hasNextPage
}
}
}Include the pagination cursor and results variables in the QUERY VARIABLES panel:
{
"cursor": "NTc2NTM4MDow",
"results": 5
}Connection and edges
The connection includes an edge field that returns a list of typed edges, such as EndpointEdge. Each edge contains at least two fields:
- A node field with the actual data type, such as Endpoint
- A cursor field with a cursor for the record
The connection type also includes a pageInfo field that contains at least two fields:
- hasNextPage indicates if there are more records
- endCursor is the cursor of the last record in the returned page, if any
Some connection types feature other metadata, such as totalRecords.
Arguments
Paginated queries support at least two arguments: first indicates the number of records to return, and after is the value of the record cursor that precedes the records in the requested page. When fully paginated, this value is the same as the endCursor value from the previous page. Both arguments have sensible defaults.
Paginated queries that support backward traversal allow two corresponding arguments: last and before. You must pass both arguments together to traverse backwards in a query.
A single query supports either forward or backward traversal, but not both.
When a paginated request extends beyond the collection, the query returns only the available results.
For the best results, use query variables with the pagination arguments to quickly update the response results.
Example of a request for a page of data within a collection:
query getTenEndpointsAfterCursor ($cursor: Cursor, $results: Int) {
endpoints(after: $cursor, first: $results) {
edges {
node {
id
serialNumber
}
}
pageInfo {
hasNextPage
endCursor
}
}
}Include the pagination cursor and results variables in the QUERY VARIABLES panel:
{
"cursor": "NTc2NTM4MDow",
"results": 10
}Refreshing Collections
The records returned and paginated over in a query are intended to be stable, ensuring callers are able to traverse the entire collection without gaps or duplicates. With certain collections, particularly the results of querying endpoints with the Tanium Server data source, new records may become available after the first stable paginated collection has been returned by the API Gateway. There are two primary use cases for needing these late-arriving data:
-
when fetching live data for a specific endpoint or small set of endpoints, and
-
when fetching live data about as many endpoints as practical.
When you want to obtain the latest data available for a paginated query, you can request a repopulation of the collection with the refresh argument, which takes a cursor as its value. If the gateway can obtain potentially new data for the collection, it obtains the data and returns a new pagination starting at the beginning of the collection. The old cursor values are no longer valid.
Since a common use case for this capability is when no records were initially available, queries that support the refresh argument provide a collectionInfo field on their connection type. This field includes a startCursor field, which is always defined as pointing to the beginning of the entire collection. The collectionInfo might include other fields which help the user decide if they would like to refresh the cursor or read the results.
You can always perform a new query with no cursor instead of using the refresh argument, but this does not take advantage of the ongoing effort to collect records from the previous query. Using the refresh argument is the most efficient and effective way to obtain as complete a collection as possible or required.
Example of an endpoint query against an endpoint that is slow to respond, with collectionInfo.startCursor included in the response:
query getSlowEndpoint($first: Int, $path: String, $value: String, $expectedCount: Int) {
endpoints(
first: $first
filter: {path: $path, value: $value}
source: {ts: {expectedCount: $expectedCount}}
) {
edges {
node {
id
}
}
collectionInfo {
startCursor
success
active
}
}
}Add the pagination and filter variables in the QUERY VARIABLES panel:
{
"first": 1,
"path": "name",
"value": "slow-endpoint",
"expectedCount": 1
}Example response for an ongoing collection with a startCursor value:
{
"data": {
"endpoints": {
"edges": [],
"collectionInfo": {
"startCursor": "4t2cB0ZGNPqy4J4P7O7opwz/24/5zgPi6OinDAA=:0",
"success": false,
"active": true
}
}
}
}Example request refreshing the collection using the returned startCursor value:
query getEndpointRefresh($refresh: Cursor, $first: Int, $path: String, $value: String, $expectedCount: Int) {
endpoints(
refresh: $refresh
first: $first
filter: {path: $path, value: $value}
source: {ts: {expectedCount: $expectedCount}}
) {
edges {
node {
id
}
}
collectionInfo {
startCursor
success
active
}
}
}Add the pagination and filter variables in the QUERY VARIABLES panel:
{
"refresh": "4t2cB0ZGNPqy4J4P7O7opwz/24/5zgPi6OinDAA=:0",
"first": 1,
"path": "name",
"value": "slow-endpoint",
"expectedCount": 1
}Example response with a completed collection:
{
"data": {
"endpoints": {
"edges": [
{
"node": {
"id": 1
}
],
"collectionInfo": {
"startCursor": "4t2cB0ZGNPqy4J4P7O7opwz/24/5zgPi6OinDAA=:0",
"success": true,
"active": true
}
}
}
}Filters
Most queries that return multiple results provide support to filter the results. Such queries provide a filter argument.
It is a best practice to use query variables with filter arguments to quickly update the filter.
For more information on specific filter syntax, see Reference: Filter syntax.
Simple filters
Simple filters are single filters that constrain the values of fields that participate in the query. You can specify simple filters in the path property with a period to separate levels in the graph starting at the record type. For example:
query getEndpointsByEmail ($path:String, $value:String){
endpoints(filter: {path: $path, value: $value}) {
edges {
node {
id
primaryUser {
email
}
}
}
}
}Include the path and value variables in the QUERY VARIABLES panel:
{
"path": "primaryUser.email",
"value": "[email protected]"
}The query does not need to return the filtered path. Not all field paths are filterable. Refer to the schema to see which paths cannot be filtered.
Simple filters must also contain a string value property.
You can specify an operator in the op property, which is an enumerated type and defaults to the equality operator. For example:
query getGTE4ProcessorEndpoints($path: String, $value: String, $fieldfilterop: FieldFilterOp!) {
endpoints(filter: {path: $path, value: $value, op: $fieldfilterop}) {
edges {
node {
id
}
}
}
}Include the path, value, and operator variables in the QUERY VARIABLES panel:
{
"path": "processor.logicalProcessors",
"value": "4",
"fieldfilterop": "GTE"
}Not all operators are valid for all fields.
Compound filters
Compound filters contain multiple simple or compound filters that appear in the filters property. By default, all child filters must pass for a record to be included. If the or argument is given with a true value, then a record is included if any child filter matches.
Example of a simple compound filter:
query getEndpointsTwoFilters($path1: String, $path2: String, $value1: String, $value2: String) {
endpoints(
filter: {filters: [{path: $path1, value: $value1}, {path: $path2, value: $value2}]}
) {
edges {
node {
id
}
}
}
}
Include the path and value variables in the QUERY VARIABLES panel:
{
"path1": "serialNumber",
"value1": "x",
"path2": "name",
"value2": "y"
}Negated filters
You can negate both simple and compound filters with a negated property of true. For example, the following query returns endpoints whose serial number does not contain the letter x:
query getEndpointsNegate($path: String, $value: String, $negated: Boolean!) {
endpoints(
filter: {filters: {path: $path, value: $value, negated: $negated}}
) {
edges {
node {
id
}
}
}
}
Include the path, value, and negated variables in the QUERY VARIABLES panel:
{
"path": "serialNumber",
"value": "x",
"negated" : true
}Field filters
Filters apply to the entire record. Some records contain fields that are collections; you can also filter these fields. When you filter a field, the filter applies to both the child collection and to the records. For example, if you search for endpoints with an installed application named Tanium Client with a filter on the field, API Gateway returns only those endpoints with such an application, as well as only the matching application:
query getEndpointsWithTC ($path: String, $value: String){
endpoints {
edges {
node {
installedApplications(filter: {path: $path, value: $value}) {
name
version
}
}
}
}
}Include the path, value, and negated variables in the QUERY VARIABLES panel:
{
"path": "name",
"value": "Tanium Client"
}Field filters can be simple or compound. Compound filters are limited to one level of children that must use the equality operator, and require all child filters. For example:
query getEndpointsMultipleFilters ($path1: String, $value1: String, $path2: String, $value2: String){
endpoints {
edges {
node {
installedApplications(
filter: {
filters: [
{path: $path1, value: $value1},
{path: $path2, value: $value2}
]
}
) {
name
version
}
}
}
}
}Include the path and value variables in the QUERY VARIABLES panel:
{
"path1": "name",
"value1": "Tanium Client",
"path2": "version",
"value2": "7.5.0.0"
}Interoperability with other Tanium products
API Gateway works with the following solutions:
- Tanium Core Platform
- Actions
- Action groups
- Computer groups
- Tanium™ Data Service
- Tanium™ Direct Connect
- Packages
- Tanium™ Reporting
- Tanium™ Asset
- Tanium™ Blob
- Tanium™ Comply
- Tanium™ Deploy
- Tanium™ Impact
- Tanium™ Performance
- Tanium™ Reveal
- Tanium™ Risk/Benchmark
- Tanium™ Threat Response
Last updated: 9/12/2023 4:58 PM | Feedback