Duo Security API
Provides programmatic access to Duo Security's MFA, device trust, and access policy enforcement for verifying user authentications, managing users and devices, and retrieving authentication logs.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
HMAC-SHA1 signing provides strong request integrity but SHA1 is considered weak by modern standards; Duo has not migrated to HMAC-SHA256. Secret key must be stored securely by the agent — exposure compromises the integration entirely. No OAuth scopes mean all Admin API operations use the same credential with no least-privilege granularity beyond choosing Auth API vs Admin API.
⚡ Reliability
Best When
Best for enterprise workflows that need to programmatically enforce or audit MFA policies, retrieve authentication logs for security analysis, or manage device enrollment at scale.
Avoid When
Avoid when you need a simple API key auth system — Duo's HMAC-SHA1 signed request scheme adds significant implementation complexity for basic use cases.
Use Cases
- Trigger MFA push notifications to users and await approval/denial responses for step-up authentication workflows
- Query authentication logs and activity history to detect anomalous login patterns or policy violations
- Manage users, groups, and enrolled devices as part of identity lifecycle automation
- Evaluate device trust posture (OS version, encryption status) before granting access to sensitive resources
- Sync users and groups from directory services and assign them to Duo-protected applications
Not For
- Primary user authentication (Duo is a second factor, not a password replacement)
- Real-time high-volume event streaming — authentication log polling has inherent latency
- Consumer or small-scale use cases — Duo is priced and designed for enterprise deployments
Interface
Authentication
All requests are signed using HMAC-SHA1 with an Integration Key (ikey), Secret Key (skey), and API Hostname; all three are required. The canonical request string includes the timestamp, method, host, path, and sorted parameters. The timestamp must be within ±5 minutes of Duo's server clock, so NTP synchronisation is essential. Separate integration credentials exist for the Auth API, Admin API, and Accounts API, so an agent must manage multiple credential sets when it uses more than one of them.
Pricing
Admin API and Accounts API access typically require paid tiers. Auth API is available on all plans. Pricing is not publicly listed for higher tiers — requires sales contact.
Agent Metadata
Known Gotchas
- ⚠ HMAC-SHA1 request signing requires a precise canonical form — parameter sorting, URL encoding, and newline handling must be exact, or requests fail with a 401 that carries no hint of which part of the canonical string was wrong
- ⚠ Timestamp validation is strict (±5 minutes): agents running in environments with NTP drift will see intermittent 401 errors that are hard to diagnose
- ⚠ Auth API and Admin API use separate integration credentials with different hostnames — an agent must maintain multiple credential sets and route requests correctly
- ⚠ Push authentication is asynchronous and can take up to 60 seconds; agents must implement polling or timeout logic and handle 'waiting', 'allow', 'deny', and 'timeout' states
- ⚠ The Admin API returns paginated results using offset/limit but does not provide total count, so agents cannot determine completion without receiving an empty page
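As an added illustration of the signing scheme described under Authentication and of the first two gotchas above (example code written for this page, not Duo's client library), the following Python builds the canonical string, signs it with HMAC-SHA1, and shows the server-side check that produces those 401s: a stale Date header or any canonicalization mismatch fails closed. The ikey, skey and hostname are constructed placeholders; the wire details (newline-joined canonical string, uppercase method, lowercase host, RFC 3986 percent-encoding with `~` unreserved, hex digest sent as HTTP Basic auth with the ikey as username, RFC 2822 Date) follow Duo's published scheme.

```python
import base64
import email.utils
import hashlib
import hmac
import time
from urllib.parse import quote

# Constructed placeholders for this example, not real Duo credentials.
IKEY = "DIXXXXXXXXXXXXXXXXXX"
SKEY = "placeholder-secret-key-do-not-reuse"
HOST = "api-xxxxxxxx.duosecurity.com"
SKEW_SECONDS = 300  # Duo rejects requests whose Date is more than 5 minutes off


def canonicalize(date, method, host, path, params):
    """Date, uppercase method, lowercase host, path, then params sorted by key and
    percent-encoded (RFC 3986, '~' unreserved), newline-joined. Any deviation changes the HMAC."""
    encoded = "&".join(quote(k, safe="~") + "=" + quote(params[k], safe="~")
                       for k in sorted(params))
    return "\n".join([date, method.upper(), host.lower(), path, encoded])


def sign(ikey, skey, method, host, path, params, date=None):
    """Client side: HMAC-SHA1 hex digest over the canonical string, carried as
    HTTP Basic auth with the integration key as the username."""
    date = date or email.utils.formatdate(usegmt=True)  # RFC 2822, needs a synced clock
    canon = canonicalize(date, method, host, path, params).encode()
    digest = hmac.new(skey.encode(), canon, hashlib.sha1).hexdigest()
    token = base64.b64encode(f"{ikey}:{digest}".encode()).decode()
    return {"Date": date, "Authorization": "Basic " + token}


def date_to_epoch(date):
    """RFC 2822 Date header to UTC epoch seconds; raises TypeError on garbage."""
    return email.utils.mktime_tz(email.utils.parsedate_tz(date))


def verify(ikey, skey, headers, method, host, path, params, now=None):
    """Server-side view of the same check: fail closed unless the Date is inside
    the skew window and the recomputed digest matches in constant time."""
    try:
        sent_at = date_to_epoch(headers["Date"])
        scheme, token = headers["Authorization"].split(" ", 1)
        sent_ikey, sent_digest = base64.b64decode(token).decode().split(":", 1)
    except (KeyError, TypeError, ValueError):
        return False
    if scheme != "Basic" or sent_ikey != ikey:
        return False
    if abs((time.time() if now is None else now) - sent_at) > SKEW_SECONDS:
        return False  # clock drift: the signature may be fine, request still rejected
    canon = canonicalize(headers["Date"], method, host, path, params).encode()
    expected = hmac.new(skey.encode(), canon, hashlib.sha1).hexdigest()
    return hmac.compare_digest(sent_digest, expected)
```

Running `verify` locally against headers produced by `sign` with a deliberately skewed `now` is a quick way to tell a clock-drift 401 from a canonicalization 401 before blaming the network.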
Alternatives
Full Evaluation Report
Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for Duo Security API.
Scores are editorial opinions as of 2026-03-06.