Logins and sessions
Kismet uses HTTP basic-auth to submit login information, and session tokens to retain login state.
2019-04-git, all interaction with the Kismet server requires a login.
2020-10-git, all endpoints on the Kismet server support a role: All login sessions made with the admin username and password are granted the
admin role. The
admin role has access to all endpoints. Additional sessions may be set by creating API keys with an assigned role which restricts the available endpoints of the session.
2022-10-git, Kismet uses a JWT system internally to generate session tokens. This change is essentially invisible to users of the API, but alleviates some internal stress on Kismet for retaining a session database and list.
A session will automatically be created during authentication to any endpoint which requires login information, and returned in the
KISMET session cookie.
Logins may be manually validated against the
/session/check_session endpoint if validating user-supplied credentials.
Kismet accepts logins via HTTP Basic authentication, session cookie, and GET URI parameters.
If the administrator username and password is provided via Basic auth or via get URI parameters, a session cookie is created (if one does not already exist) or found, and returned in the
KISMET cookie parameter.
Added 2020-10 API-token-only consumers of the API should provide ONLY the API token given, and supply it in the
KISMET cookie or URI parameter.
API keys are, essentially, pre-provisioned session tokens stored in the Kismet settings files in the users home directory.
An API key is associated with a role, and can be used with any endpoint which supports that role.
Generally, an API key should be preferred for any tool interacting with Kismet on more than a one-off basis.
Some mechanisms, such as websockets, do not commonly support HTTP Basic Auth or cookie passing, and must use URI parameters:
|KISMET||Kismet session cookie / API token|
The same rules apply to the user and password and session token login process - if a valid username and password is provided, it will return a session token in the set-cookie parameter for future logins.
2020-10, Kismet supports login roles.
Every endpoint supports one or more roles. The provided authentication, session key, or API key must be authorized for that role or the endpoint will return a permission denied error.
Roles are not inherited; a role limits the API token to those roles.
Logins as the Kismet user are given the role
admin, which has access to all endpoints; this retains the standard behavior of endpoints and logins.
The most common use for roles is to limit the access of an API token.
API tokens and roles
2020-11, Kismet supports the use of API tokens and roles to restrict the actions of sessions. Predefined roles include:
|admin||Main role with access to all endpoints. Logins created via HTTP auth are automatically assigned the admin role.|
|readonly||Read-only role with access to endpoints which do not modify any devices, state, or configuration|
|scanreport||Role able to submit device/network scan reports, via the Wi-Fi and Bluetooth scanning-mode API|
|datasource||Role for remote capture websocket sources|
Roles are not inherited or cascading; for instance a
readonly role does not have access to reporting scans or acting as remote datasources. The only role with access to all endpoints is
Login and session API
First-time login check
This API is used by the Kismet web UI, and is available for other alternate full-UI replacements. It is used to indicate if Kismet has been configured fully.
Kismet does not provide a default username or password; instead, if the user has not configured a static account in a configuration file, the UI is expected to prompt the user during the first-tine startup.
The majority of API endpoints will not be available if the account setup process has not been completed.
Set login and password
Configure the initial login.
This causes Kismet to store the initial login in the settings file in the users home directory.
Username used for standard web login. This user will have the
Password string for admin user login.
Setting the initial password does not require a login.
Subsequent attempts to change the login and password will require a valid login session.
Changing the password does not invalidate any current login sessions.
If the password is set in the global Kismet configuration files, such as
kismet_site.conf, this API will not be available
and will return
If a UI or script has a saved session, it can use this endpoint to check if the session is still valid and take an appropriate action (such as using a saved login or prompting the user to log in again) if it is no longer valid.
If basic auth data also provided, a new login will be created and returned if the session is no longer valid.
A UI or script may need to check for a valid login and prompt the user to take an appropriate action if the login credentials are not valid.
Most likely, the session check API is more appropriate as it will return a valid session simultaneously if the login is valid.
Listing API tokens
Fetch a list of created API tokens, descriptions, and associated roles.
httpd_allow_auth_view is set to
false in the Kismet configuration, the results will not include the API
tokens, and the user must look at the Kismet configuration files to view previously created API keys.
Creating API tokens
Create a new API token and assign it a role.
New API tokens can only be generated if the
httpd_allow_auth_creation option is set to
true in the
Kismet config. This is set by default.
httpd_allow_auth_view is not set to
true in the Kismet configuration, API tokens may only be viewed
at the time of creation, or by inspecting the session file in the users Kismet configuration directory.
Name of API key; each API key must have a unique name.
Role of API key; this will restrict what the key is allowed to access.
Duration, in seconds, of token validity, from the time of token creation (now). May be 0 for a permanent token.
httpd_allow_auth_creation must be
true or this API will return an error condition.
Users should be prompted to copy the API token at the time of creation.
Revoking API tokens
Revoke and delete an API token.
All active sessions using the token will be revoked and future sessions prevented.
httpd_allow_auth_creation is not set in the Kismet configuration, this API will return an error.
Name of API token to revoke