Duo Security Python Client

5.6.1 · active · verified Mon Apr 13

The `duo-client` library provides a reference Python client for interacting with Duo Security's Auth, Admin, and Accounts APIs. It is actively maintained with frequent releases, offering programmatic access to manage users, policies, and authentication events. The current version is 5.6.1, and it supports Python 3.7 and higher.

Warnings

breaking Version 5.0.0 dropped support for Python versions below 3.7. Attempting to use `duo-client` 5.0.0 or later on older Python environments will result in errors.
Fix: Upgrade your Python environment to version 3.7 or higher. If unable to upgrade, you must use an older version of `duo-client` (e.g., <5.0.0), though this is not recommended due to lack of updates and potential security issues.
breaking As of version 5.2.0, the client enforces the documented API usage requiring the child account hostname when using Admin API in conjunction with the Accounts API in multi-account setups. While the client may attempt to look up the hostname if not provided, explicitly defining it is the correct and reliable approach.
Fix: Ensure that when interacting with the Admin API for child accounts, the correct child account hostname is explicitly provided during client initialization or API calls.
deprecated Version 5.6.0 removed deprecated mobile restore parameters from settings. Code attempting to use these parameters will fail.
Fix: Review your code for usage of mobile restore parameters in settings-related API calls and remove or replace them with current, supported alternatives.
breaking Duo Security will no longer trust the DigiCert G1 root certificate after April 15, 2026. This is an external CA bundle expiry that will affect *all* Duo integrations, potentially causing connection failures if the underlying client (duo-client) and operating system do not support and trust the replacement DigiCert G5 root and use modern TLS (1.2/1.3).
Fix: Ensure `duo-client` is updated to a recent version (e.g., 5.0.0+ as it supports Python 3.7+, which has TLS 1.2/1.3 support). Additionally, ensure the operating system and client environment's CA certificates are up-to-date to trust the DigiCert G5 root.
gotcha Duo API Integration Keys (IKEYs), Secret Keys (SKEYs), and API Hostnames (HOSTs) are highly sensitive credentials. Hardcoding them directly into source code is a major security risk.
Fix: Always load API credentials from secure sources such as environment variables, a dedicated secret management service (e.g., AWS Secrets Manager, HashiCorp Vault), or a configuration file that is explicitly excluded from version control.

Install

pip install duo-client Install latest version

Imports

AdminApi
```
from duo_client.admin import AdminApi
```
AuthApi
```
from duo_client.auth import AuthApi
```

AccountsApi

from duo_client.accounts import AccountsApi

Quickstart

This quickstart demonstrates how to initialize the AuthApi client and perform a basic service check. It emphasizes the importance of loading sensitive API credentials from environment variables for security. Ensure DUO_IKEY, DUO_SKEY, and DUO_HOST are set in your environment or replaced with actual values.

import os
from duo_client.auth import AuthApi

# It's crucial to load credentials from environment variables or a secure secret store.
# DO NOT hardcode IKEY, SKEY, or HOST in your application code.
IKEY = os.environ.get('DUO_IKEY', 'DIXXXXXXXXXXXXXXXXXX') # Replace with your actual Integration Key
SKEY = os.environ.get('DUO_SKEY', 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX') # Replace with your actual Secret Key
HOST = os.environ.get('DUO_HOST', 'api-xxxxxxxx.duosecurity.com') # Replace with your actual API Hostname

if IKEY == 'DIXXXXXXXXXXXXXXXXXX' or SKEY == 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' or HOST == 'api-xxxxxxxx.duosecurity.com':
    print("Warning: Please set DUO_IKEY, DUO_SKEY, and DUO_HOST environment variables or replace placeholder values.")
    print("Skipping quickstart execution due to placeholder credentials.")
else:
    try:
        # Initialize the Auth API client
        auth_api = AuthApi(
            ikey=IKEY,
            skey=SKEY,
            host=HOST,
        )

        # Make a simple API call to check service status
        response = auth_api.check()
        print("Duo Auth API Check successful:")
        print(response)
    except Exception as e:
        print(f"Error checking Duo Auth API: {e}")

view raw JSON →