{"id":5201,"library":"duo-client","title":"Duo Security Python Client","description":"The `duo-client` library provides a reference Python client for interacting with Duo Security's Auth, Admin, and Accounts APIs. It is actively maintained with frequent releases, offering programmatic access to manage users, policies, and authentication events. The current version is 5.6.1, and it supports Python 3.7 and higher.","status":"active","version":"5.6.1","language":"en","source_language":"en","source_url":"https://github.com/duosecurity/duo_client_python","tags":["security","2fa","mfa","authentication","api-client"],"install":[{"cmd":"pip install duo-client","lang":"bash","label":"Install latest version"}],"dependencies":[],"imports":[{"symbol":"AdminApi","correct":"from duo_client.admin import AdminApi"},{"symbol":"AuthApi","correct":"from duo_client.auth import AuthApi"},{"symbol":"AccountsApi","correct":"from duo_client.accounts import AccountsApi"}],"quickstart":{"code":"import os\nfrom duo_client.auth import AuthApi\n\n# It's crucial to load credentials from environment variables or a secure secret store.\n# DO NOT hardcode IKEY, SKEY, or HOST in your application code.\nIKEY = os.environ.get('DUO_IKEY', 'DIXXXXXXXXXXXXXXXXXX') # Replace with your actual Integration Key\nSKEY = os.environ.get('DUO_SKEY', 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX') # Replace with your actual Secret Key\nHOST = os.environ.get('DUO_HOST', 'api-xxxxxxxx.duosecurity.com') # Replace with your actual API Hostname\n\nif IKEY == 'DIXXXXXXXXXXXXXXXXXX' or SKEY == 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' or HOST == 'api-xxxxxxxx.duosecurity.com':\n    print(\"Warning: Please set DUO_IKEY, DUO_SKEY, and DUO_HOST environment variables or replace placeholder values.\")\n    print(\"Skipping quickstart execution due to placeholder credentials.\")\nelse:\n    try:\n        # Initialize the Auth API client\n        auth_api = AuthApi(\n            ikey=IKEY,\n            skey=SKEY,\n            host=HOST,\n        )\n\n        # Make a simple API call to check service status\n        response = auth_api.check()\n        print(\"Duo Auth API Check successful:\")\n        print(response)\n    except Exception as e:\n        print(f\"Error checking Duo Auth API: {e}\")","lang":"python","description":"This quickstart demonstrates how to initialize the AuthApi client and perform a basic service check. It emphasizes the importance of loading sensitive API credentials from environment variables for security. Ensure DUO_IKEY, DUO_SKEY, and DUO_HOST are set in your environment or replaced with actual values."},"warnings":[{"fix":"Upgrade your Python environment to version 3.7 or higher. If unable to upgrade, you must use an older version of `duo-client` (e.g., <5.0.0), though this is not recommended due to lack of updates and potential security issues.","message":"Version 5.0.0 dropped support for Python versions below 3.7. Attempting to use `duo-client` 5.0.0 or later on older Python environments will result in errors.","severity":"breaking","affected_versions":">=5.0.0"},{"fix":"Ensure that when interacting with the Admin API for child accounts, the correct child account hostname is explicitly provided during client initialization or API calls.","message":"As of version 5.2.0, the client enforces the documented API usage requiring the child account hostname when using Admin API in conjunction with the Accounts API in multi-account setups. While the client may attempt to look up the hostname if not provided, explicitly defining it is the correct and reliable approach.","severity":"breaking","affected_versions":">=5.2.0"},{"fix":"Review your code for usage of mobile restore parameters in settings-related API calls and remove or replace them with current, supported alternatives.","message":"Version 5.6.0 removed deprecated mobile restore parameters from settings. Code attempting to use these parameters will fail.","severity":"deprecated","affected_versions":">=5.6.0"},{"fix":"Ensure `duo-client` is updated to a recent version (e.g., 5.0.0+ as it supports Python 3.7+, which has TLS 1.2/1.3 support). Additionally, ensure the operating system and client environment's CA certificates are up-to-date to trust the DigiCert G5 root.","message":"Duo Security will no longer trust the DigiCert G1 root certificate after April 15, 2026. This is an external CA bundle expiry that will affect *all* Duo integrations, potentially causing connection failures if the underlying client (duo-client) and operating system do not support and trust the replacement DigiCert G5 root and use modern TLS (1.2/1.3).","severity":"breaking","affected_versions":"All versions, but more impactful for older Python/OS environments"},{"fix":"Always load API credentials from secure sources such as environment variables, a dedicated secret management service (e.g., AWS Secrets Manager, HashiCorp Vault), or a configuration file that is explicitly excluded from version control.","message":"Duo API Integration Keys (IKEYs), Secret Keys (SKEYs), and API Hostnames (HOSTs) are highly sensitive credentials. Hardcoding them directly into source code is a major security risk.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-13T00:00:00.000Z","next_check":"2026-07-12T00:00:00.000Z"}