This endpoint is used to validate local, LDAP and RADIUS user credentials based on realm.
User lockout policy can be changed under Authentication > User Account Policies > Lockouts. The policy will be applied as configured.
- Either password or token_code needs to be specified.
- If both are specified, password will be validated first, then
- If only one is specified (either password or token_code), only that credential will be validated.
- If a user doesn't have two-factor authentication configured, validation for that user with any
- If a user is configured with only FortiToken authentication (password-based authentication is disabled), specifying any password will fail.
Before being able to validate an email token or SMS token, a token code needs to be sent to the user first. Please refer to either /localusers, /ldapusers or /radiususers documentation on how to send the token code.
|Field||Display name||Type||Required||Other restrictions|
|token_code||Security token code||string||No||Supported token authentication: FortiToken, FortiToken Cloud, email token, SMS token.|
|HTTP Method||Resource URI||Action|
|POST||/api/v1/realmauth/||Validate user's credentials.|
In addition to the general codes defined in General API response codes, a POST request to this resource can result in the following return codes:
|200 OK||User is successfully authenticated.|
User authenticated and password change required.
|401 Unauthorized||User authentication failed||Credential is incorrect.|
|401 Unauthorized||Account is disabled||User account is currently disabled.|
|401 Unauthorized||No token configured||User does not have token-based authentication configured.|
|401 Unauthorized||Token is out of sync||The security token requires synchronization.|
|404 Not Found||User does not exist||The given username does not exist in the system.|
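
The request rules and return codes above, as an added Python example (not Fortinet's code): it builds the POST body and interprets the response, keeping the specific failure reason for logs while giving the end user one uniform message. The field names username, realm and password, the JSON encoding, and the response-content string being available as `message` are assumptions; only token_code appears in the field table on this page.

```python
import json

ENDPOINT = "/api/v1/realmauth/"  # resource URI from the table above

# Response-content strings from the return-code table -> internal reason.
REASONS = {
    (401, "User authentication failed"): "bad_credential",
    (401, "Account is disabled"): "account_disabled",
    (401, "No token configured"): "no_token_configured",
    (401, "Token is out of sync"): "token_out_of_sync",
    (404, "User does not exist"): "unknown_user",
}


def build_request(username, realm, password=None, token_code=None):
    """Return (method, uri, json_body) for one credential check."""
    # Assumption: username and realm are both mandatory fields.
    if not username or not realm:
        raise ValueError("username and realm are required")
    if password is None and token_code is None:
        raise ValueError("either password or token_code needs to be specified")
    body = {"username": username, "realm": realm}
    if password is not None:
        body["password"] = password
    if token_code is not None:
        body["token_code"] = token_code
    return "POST", ENDPOINT, json.dumps(body)


def interpret(status, message):
    """Map a response to (authenticated, internal_reason, text_for_end_user)."""
    if status == 200:
        # The page lists two 200 outcomes; the second needs a follow-up step.
        if "password change required" in message.lower():
            return True, "password_change_required", "Password change required."
        return True, "ok", "Authenticated."
    reason = REASONS.get((status, message), "unexpected_response")
    # Log the specific reason; show every failure identically to the end
    # user so a login form does not reveal which usernames exist.
    return False, reason, "Authentication failed."


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    print(build_request("alice", "local", token_code="123456"))
    print(interpret(404, "User does not exist"))
```
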