Command API

Overview

The Command APIs are designed to send commands to your BeyondTrust Privileged Remote Access site from an outside application. Commands can start or transfer a session, get a list of logged-in Users, or obtain a list of teams and issues. You can also check the health of your appliance, change an appliance's failover role, or get information about the permissions of the current API Account.

Authentication

The BeyondTrust Privileged Remote Access Command APIs require OAuth 2 credentials for authentication. To authenticate to the API, you must create an API account on the /login > Management > API Configuration page. The account must have permission to access the Command APIs. Copy the OAuth Client ID and OAuth Client Secret values before saving the API Account. API requests require a token to be generated using this client id and secret and then submitted with each API request.

ℹ️
The OAuth Client Secret cannot be viewed again after the API Account has been saved, but it can be regenerated when you edit the API Account. Regenerating a client secret and then saving the account immediately invalidates any OAuth tokens associated with the account. Any API calls using those tokens will be unable to access the API. A new token must be generated using the new client secret.

The command API URL is https://support.example.com/api/command/v2.

Create a token

Create a token by sending an HTTP POST request to the URL of your BeyondTrust Privileged Remote Access site followed by /oauth2/token:

https\:\/\/support.example.com/oauth2/token

The OAuth client ID and client secret associated with the API account should be Base64 encoded and included in an HTTP basic authorization header:

Authorization: Basic \<base64-encoded "client_id:secret">

Include the following POST body in the request:

grant_type=client_credentials

If the request is processed without error, you receive an access token JSON response:

{
    "access_token": "<token>",
    "token_type": "Bearer",
    "expires_in": 3600
}

ℹ️
This token expires after one hour. Any calls to the API past that point must have a new token. Each API account can have a maximum of 30 valid tokens. If an API account attempts to generate more than 30 tokens, then the oldest token is invalidated before a new one is generated.

Request an API resource

Now that you have an access token, you can make HTTPS requests to the Command APIs. The token obtained above must be included in an Authorization HTTP header with each request:

Authorization: Bearer <token>

If the token is valid, you gain access to the requested URL.

Authentication errors

Requests made to the web API with expired or invalid tokens result in a JSON error response:

{
    "error": "access_denied",
    "message": "The resource owner or authorization server denied the request."
}

🚧
When making consecutive API calls, you must close the connection after each API call.

Request rate limits

Requests are limited to 20 per second and 15,000 per hour. This limit applies to all API endpoints and is per API account. Responses include headers with the rate limit information: Example:

X-RateLimit-Limit: 15000
X-RateLimit-Remaining: 14996

Required Request Headers

In addition to the Authorization header mentioned above for OAuth 2 authentication,

for GET and DELETE requests, you must include an Accept header with the value application/json.
for all other requests where you are sending a JSON request body, you must include a Content-Type header with a value of application/json.

HTTP Request Methods

The documentation below lists the allowed HTTP request methods for each API. Not all methods are allowed for all APIs.

All APIs that document GET requests also accept HEAD requests. Responses to HEAD requests never include a body. This might be useful if you only wish to use the HTTP status code to determine the existence of a resource or resources identified by the URI, and you do not need the response body.

In addition to the human-readable documentation for each API below, the OPTIONS method may be used with any URI to obtain the list of allowed HTTP methods for a given URI.

For example, the request

OPTIONS https\:\/\/support.example.com/api/command/v2/user

responds with an Allow header containing a comma-separated list of the HTTP methods that can be used with that URI:

Allow: GET,HEAD

If you attempt to use an HTTP method with an API that does not support that method, you receive an HTTP 405 "Method Not Allowed" response.

Common HTTP Status Codes

Individual APIs may provide specific documentation for certain status codes, but not all possible status codes are documented on every API. The following is a list of the HTTP status codes commonly returned by these APIs and what they usually mean.

Status Code	Description
200	For a GET query, this indicates the query was successful, though the response may or may not include an empty resource array depending on whether your query parameters matched any resources. For a PATCH request, this indicates the resource was updated successfully, and the response should contain the updated resource object.
204	Indicates an operation—such as a DELETE—completed successfully. The response body should be empty.
400	For a GET operation, this indicates you supplied unrecognized query string parameters; for a POST or PATCH operation, this indicates you supplied unrecognized fields in the request body. Check the documentation to ensure all parameters are spelled correctly.
403	The API Account whose authentication credentials were used for the request does not have permission to use this API. Edit this account on the API Account page and ensure it has permission to use the Command APIs.
404	A request for a specific resource - usually by id - did not match any known resources.
405	Your request contained an HTTP method that is not supported for the URI of the request. The documentation below indicates which methods are allowed for each API endpoint. Methods that are not specifically documented are not allowed, except for HEAD and OPTIONS as mentioned in the HTTP Request Methods section above.
422	This can happen when attempting to create or update a resource with malformed data. The response body should contain a validation error dictionary indicating which fields are invalid and how they are invalid.
500	An internal server error occurred. Please contact BeyondTrust support.

Date-Time Formatting and Time Zones

All date-time values should be in RFC3339 Internet Date-Time Format in UTC unless otherwise noted. When submitting date-time values to these APIs, milliseconds are optional and are ignored. A UTC timezone must be included to avoid ambiguity, represented with either the "Z" suffix or a "+00:00" offset suffix.

Valid Examples

2025-10-16T14:46:25.930+00:00
2026-10-16T14:46:23+00:00
2025-10-16T14:46:25.930Z
2026-10-16T14:46:23Z

Invalid Examples

INVALID 2025-10-16T14:46:25.930: Missing timezone; not a valid RFC3339 string.
INVALID 2026-10-16T14:46:23: Missing timezone; not a valid RFC3339 string.
INVALID 2025-10-16T14:46:25.930-08:00: Non-UTC timezone; valid RFC3339 string but not allowed by these APIs.
INVALID 2026-10-16T14:46:23+04:00: Non-UTC timezone; valid RFC3339 string but not allowed by these APIs.

Date-time strings in responses always include a "+00:00" timezone offset suffix - never a "Z" suffix.

Integers

Request body parameters that are marked as type "integer" must be supplied as actual JSON numbers, not strings containing a number. For example, if the documentation indicates a request body field named team_id is an integer, then the object {team_id: 42} is valid, but the object {team_id: "42"} is invalid.

Changes

From time to time, new fields may be added to existing API responses to support new features, without changing any existing fields. Ensure that your client code is written in such a way it can handle or ignore these minor additions to existing API responses.

Base Path

The base path on all API call URLs must be /api/command/v2. In the documentation below, the base path is omitted for brevity. When constructing the URL for a particular API, combine your hostname, the base path, and then the documented path of the API you wish to call. For example, the full URL for the API to get a user with a specific id is:

"https://" + "support.example.com" (hostname) + "/api/command/v2" (base path) + "/user/{id}" (API path)

If you wanted to get the user with id 5, your final URL would be

<https://support.example.com/api/command/v2/user/5>

Miscellaneous

`GET` /openapi.yaml

Returns a YAML document containing an OpenAPI specification for all available BeyondTrust Privileged Remote Access Command APIs. Many tools exist that can read this document and generate useful resources, such as:

Client code for interacting with the API
Various forms of API documentation

ℹ️
If you're reading this on a web page, the page was likely generated from a response to this API.

Responses

Status	Content-Type	Description
200 OK	application/yaml	Returns an OpenAPI specification object.

API Info

`GET` /info

Returns general information about the Command APIs, such as version, as well as the permissions of the API Account whose credentials were used to authenticate the request.

Responses

Status	Content-Type
200 OK	application/yaml

Schema

permissions object - The current API Account's permissions.

Field	Type	Description
`perm_backup`	boolean	Permission to use the Backup API
`perm_command`	string	Command API access level: `full_access`, `read_only`, or `deny`
`perm_configuration`	boolean	Permission to use the Configuration API
`perm_configuration_vault_account`	boolean	Permission to manage Vault accounts via the Configuration API
`perm_ecm`	boolean	Permission for use by an Endpoint Credential Manager client
`perm_real_time_state`	boolean	Permission to use the Real-Time State API
`perm_reporting_archive`	boolean	Permission to use the Archive Reporting API
`perm_reporting_asset`	boolean	Permission to use the Asset Reporting API
`perm_reporting_license`	boolean	Permission to use the License Usage Reporting API
`perm_reporting_session`	boolean	Permission to view session reports and recordings
`perm_reporting_syslog`	boolean	Permission to download Syslog reports
`perm_reporting_vault`	boolean	Permission to run Vault Activity reports
`perm_vault_backup`	boolean	Permission to back up the Vault encryption key
`perm_scim`	boolean	Permission to use the SCIM API

Top-level fields

Field	Type	Description
`current_time`	string (date-time)	Server's current date and time in UTC
`command_api_version`	string	Version of the Command API used for this request
`config_api_version`	string	Latest supported version of the Configuration API
`reporting_api_version`	string	Latest supported version of the Reporting API
`backup_api_version`	string	Latest supported version of the Backup API
`realtime_state_api_version`	string	Latest supported version of the Real-Time State API
`product`	string	Appliance product type: `rs` (Remote Support) or `pra` (Privileged Remote Access)

Health

`GET` /health

Returns appliance health and status information needed for failover purposes.

ℹ️
If this request is sent more than once per minute, a cached response may be returned.

Responses

Status	Content-Type	Description
200 OK	application/json	A healthy response. Returns a HealthBase object.
500 Internal Server Error	application/json	An unhealthy response. Returns a HealthBase object combined with a MessageResponse containing an error message. Some fields may be `null`.

Appliances

`GET` /appliance

Returns information about all configured appliances, including their failover role and cluster role.

Responses

Status	Content-Type	Description
200 OK	application/json	Returns an array of appliance objects.

`GET` /appliance/client-count

Get a list of appliances along with counts for each type of client connected to that appliance.

Query Parameters

Parameter	Type	Required	Description
`type`	string	No	Filters results by client type. If omitted, all client types are returned. Allowed values: `access_console`, `asset_client`, `gateway`

Responses

Status	Content-Type	Description
200 OK	application/json	Returns an array of appliance objects, each including client counts per type.

Clients

`GET` /client

Get details of all connected BeyondTrust Privileged Remote Access clients, optionally filtered by client type.

Query Parameters

Parameter	Type	Required	Description
`type`	string	No	Filters results by client type. If omitted, all client types are returned. Allowed values: `access_console`, `asset_client`, `gateway`

Responses

Status	Content-Type	Description
200 OK	application/json	Returns an array of connected client objects. Each object is one of the following types depending on the client: AccessConsole AssetClient Gateway

`GET` /client/{id}

Get details of a connected client identified by {id}.

ℹ️
The id is only valid while the client is connected. Requests for a client that has since disconnected return 404.

Path Parameters

Parameter	Type	Required	Description
`id`	integer	Yes	Unique identifier for the connected client. See ObjectId.

Responses

Status	Content-Type	Description
200 OK	application/json	Returns an array of connected client objects. Each object is one of the following types depending on the client: AccessConsole AssetClient Gateway
404 Not Found	application/json	No connected client was found with the given `id`. See 404NotFound.

`GET` /client/{id}/connections

Get a list of connections and an event log about those connections for the client with the given {id}.

ℹ️
The id is only valid while the client is connected. Requests for a client that has since disconnected return 404.

Path Parameters

Parameter	Type	Required	Description
`id`	integer	Yes	Unique identifier for the connected client. See ObjectId.

Responses

Status	Content-Type	Description
200 OK	application/json	Returns an object with the following fields: id connections events
404 Not Found	application/json	No connected client was found with the given `id`. See 404NotFound.

Sessions

`GET` /session/{lsid}

Returns attributes for an active support session identified by {lsid}.

Path Parameters

Parameter	Type	Required	Description
`lsid`	string	Yes	Unique identifier for the session. See LSID.

Responses

Status	Content-Type	Description
200 OK	application/json	Returns an array of objects describing the session's attributes.

`PATCH` /session/{lsid}

Set the external key or other custom attributes for an active support session identified by {lsid}. Each field is identified by its code name as configured in /login > Configuration > Custom Fields.

Path Parameters

Parameter	Type	Required	Description
`lsid`	string	Yes	Unique identifier for the session. See LSID.

Request Body - application/json

A key/value object of custom field code names and their values.

ℹ️
Custom Fields

Fields must be configured in /login > Configuration > Custom Fields before use

Maximum of 30 fields per request

Maximum of 1024 characters per value

Responses

Status	Content-Type	Description
200 OK	application/json	Session attributes updated successfully. See MessageResponse.
400 Bad Request	application/json	Too many attributes were sent in the request. See MessageResponse.
404 Not Found		No active session was found with the given `lsid`. See 404NotFound.
422 Unprocessable Entity		One or more request parameters are invalid. See 422UnprocessableEntity.

`DELETE` /session/{lsid}

Terminates an active support session identified by {lsid}.

🚧
This action immediately terminates the session for all participants. It cannot be undone.

Path Parameters

Parameter	Type	Required	Description
`lsid`	string	Yes	Unique identifier for the session to terminate. See LSID.

Responses

Status	Description
204 No Content	Session terminated successfully. No response body is returned.
404 Not Found	No active session was found with the given `lsid`. See 404NotFound.

Users

`GET` /user

Get a list of all logged-in Users, both normal and invited.

Responses

Status	Content-Type	Description
200 OK	application/json	Returns an array of User objects.

`POST` /user/{id}/logout

Force a logged-in User identified by {id} to log out.

🚧
This immediately terminates the User's console session. Any sessions they are participating in may be affected.

Path Parameters

Parameter	Type	Required	Description
`id`	integer	Yes	Unique identifier for the User to log out. See ObjectId.

Responses

Status	Description
204 No Content	User logged out successfully. No response body is returned.
404 Not Found	No logged-in User was found with the given id. See 404NotFound.
422 Unprocessable Entity	One or more path parameters are invalid. See 422UnprocessableEntity.

Failover

`POST` /failover-role

Set the failover role of an appliance to either primary or backup.

🚧
This is a disruptive operation. Setting data_sync_first to true disconnects all users on the existing primary appliance and blocks all other operations until the swap is complete.

Request Body - application/json

Field	Type	Required	Default	Description
`role`	string	Yes	—	The role to assign to the appliance. Allowed values: `primary` or `backup`.
`data_sync_first`	boolean	No	`false`	If `true`, performs a data sync with the peer appliance before failing over. All users on the existing primary are disconnected during the sync and no other operations are available until the swap completes.
`force`	boolean	No	`false`	Only applicable when contacting the primary appliance and setting its role to `backup`. If `true`, the appliance becomes the backup even if the peer cannot be contacted.

Responses

Status	Content-Type	Description
200 OK	application/json	Failover role updated successfully. See MessageResponse.
422 Unprocessable Entity		One or more request parameters are invalid. See 422UnprocessableEntity.
500 Internal Server Error	application/json	The failover operation failed for an unexpected reason. See MessageResponse.

Schemas

ObjectId

A numeric identifier used throughout the API to reference resources such as Users.

Property	Value
Type	integer (int32)
Minimum	1
Maximum	2147483647

ApplianceId

A GUID that uniquely identifies an appliance.

Property	Value
Type	string
Pattern	`^[0-9a-fA-F]{32}$`

Username

The username of a User.

Property	Value
Type	string

LSID

A string that uniquely identifies a session.

Property	Value
Type	string
Pattern	`^[0-9a-fA-F]{32}$`

CodeName

The code name of a resource. Must be unique.

Property	Value
Type	string
Min Length	0
Max Length	64
Pattern	`^[a-zA-Z0-9_\-]+$`

MessageResponse

A general success or failure message returned by many endpoints.

Field	Type	Description
`message`	string	A message describing the outcome of the request.

ErrorBagResponse

Key/value pairs returned for input validation errors. Keys are request field names; values are arrays of error messages for that field.

Property	Value
Type	object

IPv4Address

Property	Value
Type	string (ipv4)

IPv6Address

Property	Value
Type	string (ipv6)

Client

Base schema shared by AccessConsole, AssetClient, and Gateway.

Field	Type	Required	Description
`id`	integer (int32, 1–2147483647)	Yes	Unique identifier for the client. Valid only while the client is connected.
`type`	string	Yes	Client type. Allowed values: `access_console`, `asset_client`, `gateway`.
`hostname`	string	Yes	Hostname of the client machine.
`platform`	string	Yes	Operating system of the client machine.
`timezone_offset`	string	Yes	Number of seconds the client machine is offset from UTC.

AccessConsole

Extends Client. Represents a User logged into the Access Console.

Field	Type	Description
`user_id`	integer	The User's ID. See ObjectId.
`user_type`	string	Account type: `normal` or `invited`.
`username`	string	Username assigned to the User.
`private_display_name`	string	The User's private display name.
`public_display_name`	string	The User's public display name.
`start_session_url`	string	URL that can be sent to a customer to start a session with this User.
`showing_on_rep_list`	boolean	`true` if the User appears in the public site's User list.
`routing_idle`	boolean	`true` if the User's status is idle.
`routing_busy`	boolean	`true` if the User's status is busy.
`routing_status`	string	Code name of the User's current status. See CodeName.
`routing_available`	boolean	`true` if the User is available for automatic session assignment.
`session_count`	integer	Number of sessions the User is currently participating in.
`session_lsids`	array of string	LSID for each session the User is currently participating in. See LSID.

ℹ️
The private_display_name and public_display_name field descriptions appear transposed in the source. Verify the correct mapping in your environment.

AssetClient

Extends Client. Represents a non-interactive client connection.

Field	Type	Description
`non_interactive`	string	Indicates the session type: `shell` or `rdp`. If the session is neither, this field is not returned.
`lsid`	string	Unique identifier for the session. See LSID.

Gateway

Extends Client. No additional fields beyond the base Client schema.

HealthBase

Returned by GET /health. Contains appliance health and failover status information.

Field	Type	Required	Nullable	Description
`version`	string	Yes	No	BeyondTrust Privileged Remote Access product version.
`build`	string	Yes	No	Product build number.
`appliance_hostname`	string	Yes	No	Hostname of the appliance.
`appliance_id`	string	Yes	No	Hostname of the appliance.
`cluster_role`	string	Yes	No	The appliance's role in a cluster. Allowed values: `single`, `primary`, `traffic`.
`failover_role`	string	Yes	No	The appliance's role in a failover relationship. Allowed values: `none`, `primary`, `backup`.
`enabled_shared_ips`	array	Yes	Yes	IP addresses shared between primary and backup appliances. Each entry is an IPv4Address or IPv6Address. Not returned if no shared IPs are enabled.
`last_data_sync`	string (date-time)	Yes	Yes	Date and time of the last data sync. Only populated on the primary appliance; `null` otherwise.
`last_data_sync_status`	string	Yes	Yes	Status of the last data sync. Only populated on the primary appliance; `null` otherwise.

Parameters

IdParam

A reusable path parameter used across endpoints to identify a specific resource by its numeric ID.

Property	Value
In	path
Type	integer
Required	Yes
Schema	ObjectId

Responses

404NotFound

Status	Content-Type	Description
404 Not Found	application/json	The specified resource was not found. See MessageResponse.

422UnprocessableEntity

Status	Content-Type	Description
422 Unprocessable Entity	application/json	One or more request parameters are invalid. The response body contains both a general error message and a validation error dictionary.

Field	Type	Description
`message`	string	A general description of the error. See MessageResponse.
`errors`	object	Key/value pairs where keys are field names and values are arrays of validation error messages for that field. See ErrorBagResponse.

Example Response

json
{
  "message": "Validation failed.",
  "errors": {
    "queue_id": ["The queue_id field must be an integer."],
    "priority": ["The priority field must be between 1 and 3."]
  }
}

Overview

Authentication

Create a token

Request an API resource

Authentication errors

Request rate limits

Required Request Headers

HTTP Request Methods

Common HTTP Status Codes

Date-Time Formatting and Time Zones

Valid Examples

Invalid Examples

Integers

Changes

Base Path

Miscellaneous

GET /openapi.yaml

API Info

GET /info

Health

GET /health

Appliances

GET /appliance

GET /appliance/client-count

Clients

GET /client

GET /client/{id}

GET /client/{id}/connections

Sessions

GET /session/{lsid}

PATCH /session/{lsid}

Custom Fields

DELETE /session/{lsid}

Users

GET /user

POST /user/{id}/logout

Failover

POST /failover-role

Schemas

ObjectId

ApplianceId

Username

LSID

CodeName

MessageResponse

ErrorBagResponse

IPv4Address

IPv6Address

Client

AccessConsole

AssetClient

Gateway

HealthBase

Parameters

IdParam

Responses

404NotFound

422UnprocessableEntity

`GET` /openapi.yaml

`GET` /info

`GET` /health

`GET` /appliance

`GET` /appliance/client-count

`GET` /client

`GET` /client/{id}

`GET` /client/{id}/connections

`GET` /session/{lsid}

`PATCH` /session/{lsid}

`DELETE` /session/{lsid}

`GET` /user

`POST` /user/{id}/logout

`POST` /failover-role