API Token Authentication Not Working - Enterprise v1.32.4089.16

Environment

  • Version: Pritunl Enterprise 1.32.4089.16
  • Platform: Ubuntu 20.04 LTS, MongoDB 5.0.30
  • License: Active Enterprise subscription verified in database

Use Case

I’m trying to integrate Pritunl with a Slack application for automated VPN profile generation.

Problem

Despite having a valid Pritunl Enterprise license (v1.32.4089.16) with auth_api: true enabled for administrators, ALL API endpoints return 401 Unauthorized when using token authentication:

curl -k -H "Auth-Token: [token]" -H "Auth-Secret: [secret]" https://server/organization
# Returns: 401 Unauthorized 

On source code analysis I noticed that the API route handlers in /usr/lib/pritunl/handlers/ and all endpoints use the @auth.session_auth decorator, not token authentication. There is no evidence of @auth.token_auth or similar decorators in the codebase. API requests generate no application logs, suggesting they are being rejected at the web server level.

However, passing the 2FA session token to curl works:

curl -k -X POST \
  -H "Content-Type: application/json" \
  -d '{"username": "rachana@example.com", "password": "password", "otp_code": "123456"}' \
  https://localhost:443/auth/session

Response:

{"authenticated": true, "default": false}

This approach is unsuitable for automated systems due to 2FA requirements and session expiration.

Questions

  1. Does the Enterprise license actually support API token authentication for ANY endpoints in v1.32.4089.16?
  2. Are there dedicated API endpoint paths that support token authentication (e.g., /api/* vs direct paths)?
  3. Is the auth_api: true database flag supposed to enable token authentication, or is it used for a different purpose?
  4. Are there additional server configuration steps required beyond setting the administrator’s auth_api flag?
  5. Was API token authentication deprecated/removed in recent versions, or moved to a different authentication mechanism?
  6. Is there ANY way to programmatically access Pritunl API data without web session authentication and 2FA?

Any guidance on proper API token authentication setup would be greatly appreciated.

It’s HMAC-SHA256 authentication, there is an example of this being done in pritunl/tools/add_aws_ranges.py. To find API usage use Chrome Developer Tools, it is important when sending PUT requests that all fields from the GET are included. If there are issues with 401 errors set auditing mode to all in the top right settings, then watch /var/log/pritunl_journal.log. This log will report the causes of 401 errors.
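Added example, not Pritunl's own code: the signed string layout (token&timestamp&nonce&METHOD&path) and the four Auth-* headers are the scheme from Pritunl's API documentation as I recall it, so check them against add_aws_ranges.py before relying on them; the token and secret are placeholders. It builds the headers the curl command in the question was missing and includes the matching server-side check with a timestamp window and a nonce replay guard:

```python
import base64
import hashlib
import hmac
import time
import uuid

# Constructed placeholders, not real Pritunl credentials.
API_TOKEN = "EXAMPLE_API_TOKEN"
API_SECRET = "EXAMPLE_API_SECRET"


def sign_request(token, secret, method, path, timestamp=None, nonce=None):
    """Build the Auth-* headers for one request (assumed Pritunl scheme, see lead-in)."""
    timestamp = timestamp or str(int(time.time()))
    nonce = nonce or uuid.uuid4().hex
    auth_string = "&".join([token, timestamp, nonce, method.upper(), path])
    digest = hmac.new(secret.encode("utf-8"), auth_string.encode("utf-8"),
                      hashlib.sha256).digest()
    return {
        "Auth-Token": token,
        "Auth-Timestamp": timestamp,
        "Auth-Nonce": nonce,
        "Auth-Signature": base64.b64encode(digest).decode("utf-8"),
    }


def verify_request(headers, secret, method, path, seen_nonces, now=None, max_skew=300):
    """Server-side check: bounded clock skew, single-use nonce, constant-time HMAC compare."""
    now = now if now is not None else int(time.time())
    try:
        ts = int(headers["Auth-Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > max_skew:
        return False  # stale or future-dated request
    nonce = headers.get("Auth-Nonce", "")
    if not nonce or nonce in seen_nonces:
        return False  # replayed request
    expected = sign_request(headers.get("Auth-Token", ""), secret, method, path,
                            timestamp=headers["Auth-Timestamp"], nonce=nonce)["Auth-Signature"]
    if not hmac.compare_digest(expected, headers.get("Auth-Signature", "")):
        return False
    seen_nonces.add(nonce)  # only burn the nonce once the signature is good
    return True


def curl_command(url, headers):
    """Render the signed request as a curl line, matching how the question was testing."""
    flags = " ".join('-H "%s: %s"' % (k, v) for k, v in headers.items())
    return "curl -k %s %s" % (flags, url)


if __name__ == "__main__":
    hdrs = sign_request(API_TOKEN, API_SECRET, "GET", "/organization")
    print(curl_command("https://server/organization", hdrs))
```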